Merge remote-tracking branch 'upstream/master' into 27377-preload-pipeline-entity27377-preload-pipeline-entity

* upstream/master: (2534 commits)
  Update VERSION to 9.3.0-pre
  Update CHANGELOG.md for 9.2.0
  removes unnecessary redundacy in usage ping doc
  Respect the typo as rubocop said
  Add a test to ensure this works on MySQL
  Change pipelines schedules help page path
  change domain to hostname in usage ping doc
  Fixes broken MySQL migration for retried
  Show password field mask while editing service settings
  Add notes for supported schedulers and cloud providers
  Move environment monitoring to environments doc
  Add docs for change of Cache/Artifact restore order"
  Avoid resource intensive login checks if password is not provided
  Change translation for 'coding' by 'desarrollo' for Spanish
  Add to docs: issues multiple assignees
  rename "Add emoji" and "Award emoji" to "Add reaction" where appropriate
  Add project and group notification settings info
  32570 Fix border-bottom for project activity tab
  Add users endpoint to frontend API class
  Rename users on mysql
  ...

1 files changed, 18 insertions, 18 deletions

diff --git a/lib/banzai/filter/external_link_filter.rb b/lib/banzai/filter/external_link_filter.rb
index d67d466bce8..d6327ef31cb 100644
--- a/lib/banzai/filter/external_link_filter.rb
+++ b/lib/banzai/filter/external_link_filter.rb
@@ -2,16 +2,17 @@ module Banzai
   module Filter
     # HTML Filter to modify the attributes of external links
     class ExternalLinkFilter < HTML::Pipeline::Filter
+      SCHEMES = ['http', 'https', nil].freeze
+
       def call
         links.each do |node|
-          href = href_to_lowercase_scheme(node["href"].to_s)
+          uri = uri(node['href'].to_s)
+          next unless uri
 
-          unless node["href"].to_s == href
-            node.set_attribute('href', href)
-          end
+          node.set_attribute('href', uri.to_s)
 
-          if href =~ %r{\A(https?:)?//[^/]} && external_url?(href)
-            node.set_attribute('rel', 'nofollow noreferrer')
+          if SCHEMES.include?(uri.scheme) && external_url?(uri)
+            node.set_attribute('rel', 'nofollow noreferrer noopener')
             node.set_attribute('target', '_blank')
           end
         end
@@ -21,27 +22,26 @@ module Banzai
 
       private
 
+      def uri(href)
+        URI.parse(href)
+      rescue URI::Error
+        nil
+      end
+
       def links
         query = 'descendant-or-self::a[@href and not(@href = "")]'
         doc.xpath(query)
       end
 
-      def href_to_lowercase_scheme(href)
-        scheme_match = href.match(/\A(\w+):\/\//)
-
-        if scheme_match
-          scheme_match.to_s.downcase + scheme_match.post_match
-        else
-          href
-        end
-      end
+      def external_url?(uri)
+        # Relative URLs miss a hostname
+        return false unless uri.hostname
 
-      def external_url?(url)
-        !url.start_with?(internal_url)
+        uri.hostname != internal_url.hostname
       end
 
       def internal_url
-        @internal_url ||= Gitlab.config.gitlab.url
+        @internal_url ||= URI.parse(Gitlab.config.gitlab.url)
       end
     end
   end