Merge branch 'security-master-url-rel' into 'master'

[master] Set URL rel attribute for broken URLs

See merge request gitlab/gitlabhq!2695

1 files changed, 6 insertions, 6 deletions

diff --git a/lib/banzai/filter/external_link_filter.rb b/lib/banzai/filter/external_link_filter.rb
index 2e6d742de27..4f60b6f84c6 100644
--- a/lib/banzai/filter/external_link_filter.rb
+++ b/lib/banzai/filter/external_link_filter.rb
@@ -9,11 +9,10 @@ module Banzai
       def call
         links.each do |node|
           uri = uri(node['href'].to_s)
-          next unless uri
 
-          node.set_attribute('href', uri.to_s)
+          node.set_attribute('href', uri.to_s) if uri
 
-          if SCHEMES.include?(uri.scheme) && external_url?(uri)
+          if SCHEMES.include?(uri&.scheme) && !internal_url?(uri)
             node.set_attribute('rel', 'nofollow noreferrer noopener')
             node.set_attribute('target', '_blank')
           end
@@ -35,11 +34,12 @@ module Banzai
         doc.xpath(query)
       end
 
-      def external_url?(uri)
+      def internal_url?(uri)
+        return false if uri.nil?
         # Relative URLs miss a hostname
-        return false unless uri.hostname
+        return true unless uri.hostname
 
-        uri.hostname != internal_url.hostname
+        uri.hostname == internal_url.hostname
       end
 
       def internal_url