diff -r c7c34916027a -r 177826044cd9 wp/wp-includes/widgets/class-wp-widget-custom-html.php
--- a/wp/wp-includes/widgets/class-wp-widget-custom-html.php	Mon Oct 14 18:06:33 2019 +0200
+++ b/wp/wp-includes/widgets/class-wp-widget-custom-html.php	Mon Oct 14 18:28:13 2019 +0200
@@ -31,7 +31,7 @@
 	 * @var array
 	 */
 	protected $default_instance = array(
-		'title' => '',
+		'title'   => '',
 		'content' => '',
 	);
 
@@ -41,13 +41,13 @@
 	 * @since 4.8.1
 	 */
 	public function __construct() {
-		$widget_ops = array(
-			'classname' => 'widget_custom_html',
-			'description' => __( 'Arbitrary HTML code.' ),
+		$widget_ops  = array(
+			'classname'                   => 'widget_custom_html',
+			'description'                 => __( 'Arbitrary HTML code.' ),
 			'customize_selective_refresh' => true,
 		);
 		$control_ops = array(
-			'width' => 400,
+			'width'  => 400,
 			'height' => 350,
 		);
 		parent::__construct( 'custom_html', __( 'Custom HTML' ), $widget_ops, $control_ops );
@@ -130,16 +130,22 @@
 		$title = apply_filters( 'widget_title', $instance['title'], $instance, $this->id_base );
 
 		// Prepare instance data that looks like a normal Text widget.
-		$simulated_text_widget_instance = array_merge( $instance, array(
-			'text' => isset( $instance['content'] ) ? $instance['content'] : '',
-			'filter' => false, // Because wpautop is not applied.
-			'visual' => false, // Because it wasn't created in TinyMCE.
-		) );
+		$simulated_text_widget_instance = array_merge(
+			$instance,
+			array(
+				'text'   => isset( $instance['content'] ) ? $instance['content'] : '',
+				'filter' => false, // Because wpautop is not applied.
+				'visual' => false, // Because it wasn't created in TinyMCE.
+			)
+		);
 		unset( $simulated_text_widget_instance['content'] ); // Was moved to 'text' prop.
 
 		/** This filter is documented in wp-includes/widgets/class-wp-widget-text.php */
 		$content = apply_filters( 'widget_text', $instance['content'], $simulated_text_widget_instance, $this );
 
+		// Adds noreferrer and noopener relationships, without duplicating values, to all HTML A elements that have a target.
+		$content = wp_targeted_link_rel( $content );
+
 		/**
 		 * Filters the content of the Custom HTML widget.
 		 *
@@ -179,7 +185,7 @@
 	 * @return array Settings to save or bool false to cancel saving.
 	 */
 	public function update( $new_instance, $old_instance ) {
-		$instance = array_merge( $this->default_instance, $old_instance );
+		$instance          = array_merge( $this->default_instance, $old_instance );
 		$instance['title'] = sanitize_text_field( $new_instance['title'] );
 		if ( current_user_can( 'unfiltered_html' ) ) {
 			$instance['content'] = $new_instance['content'];
@@ -195,13 +201,15 @@
 	 * @since 4.9.0
 	 */
 	public function enqueue_admin_scripts() {
-		$settings = wp_enqueue_code_editor( array(
-			'type' => 'text/html',
-			'codemirror' => array(
-				'indentUnit' => 2,
-				'tabSize' => 2,
-			),
-		) );
+		$settings = wp_enqueue_code_editor(
+			array(
+				'type'       => 'text/html',
+				'codemirror' => array(
+					'indentUnit' => 2,
+					'tabSize'    => 2,
+				),
+			)
+		);
 
 		wp_enqueue_script( 'custom-html-widgets' );
 		if ( empty( $settings ) ) {
@@ -216,7 +224,7 @@
 				/* translators: %d: error count */
 				'singular' => _n( 'There is %d error which must be fixed before you can save.', 'There are %d errors which must be fixed before you can save.', 1 ),
 				/* translators: %d: error count */
-				'plural' => _n( 'There is %d error which must be fixed before you can save.', 'There are %d errors which must be fixed before you can save.', 2 ), // @todo This is lacking, as some languages have a dedicated dual form. For proper handling of plurals in JS, see #20491.
+				'plural'   => _n( 'There is %d error which must be fixed before you can save.', 'There are %d errors which must be fixed before you can save.', 2 ), // @todo This is lacking, as some languages have a dedicated dual form. For proper handling of plurals in JS, see #20491.
 			),
 		);
 		wp_add_inline_script( 'custom-html-widgets', sprintf( 'jQuery.extend( wp.customHtmlWidgets.l10n, %s );', wp_json_encode( $l10n ) ), 'after' );
@@ -262,8 +270,8 @@
 			<?php if ( ! current_user_can( 'unfiltered_html' ) ) : ?>
 				<?php
 				$probably_unsafe_html = array( 'script', 'iframe', 'form', 'input', 'style' );
-				$allowed_html = wp_kses_allowed_html( 'post' );
-				$disallowed_html = array_diff( $probably_unsafe_html, array_keys( $allowed_html ) );
+				$allowed_html         = wp_kses_allowed_html( 'post' );
+				$disallowed_html      = array_diff( $probably_unsafe_html, array_keys( $allowed_html ) );
 				?>
 				<?php if ( ! empty( $disallowed_html ) ) : ?>
 					<# if ( data.codeEditorDisabled ) { #>
@@ -288,7 +296,7 @@
 	public static function add_help_text() {
 		$screen = get_current_screen();
 
-		$content = '<p>';
+		$content  = '<p>';
 		$content .= __( 'Use the Custom HTML widget to add arbitrary HTML code to your widget areas.' );
 		$content .= '</p>';
 
@@ -299,9 +307,10 @@
 				__( 'The edit field automatically highlights code syntax. You can disable this in your <a href="%1$s" %2$s>user profile%3$s</a> to work in plain text mode.' ),
 				esc_url( get_edit_profile_url() ),
 				'class="external-link" target="_blank"',
-				sprintf( '<span class="screen-reader-text"> %s</span>',
+				sprintf(
+					'<span class="screen-reader-text"> %s</span>',
 					/* translators: accessibility text */
-					__( '(opens in a new window)' )
+					__( '(opens in a new tab)' )
 				)
 			);
 			$content .= '</p>';
@@ -314,10 +323,12 @@
 			$content .= '</ul>';
 		}
 
-		$screen->add_help_tab( array(
-			'id' => 'custom_html_widget',
-			'title' => __( 'Custom HTML Widget' ),
-			'content' => $content,
-		) );
+		$screen->add_help_tab(
+			array(
+				'id'      => 'custom_html_widget',
+				'title'   => __( 'Custom HTML Widget' ),
+				'content' => $content,
+			)
+		);
 	}
 }