diff -r c7c34916027a -r 177826044cd9 wp/wp-includes/widgets/class-wp-widget-text.php
--- a/wp/wp-includes/widgets/class-wp-widget-text.php Mon Oct 14 18:06:33 2019 +0200
+++ b/wp/wp-includes/widgets/class-wp-widget-text.php Mon Oct 14 18:28:13 2019 +0200
@@ -30,13 +30,13 @@
 * @since 2.8.0
 */
 public function __construct() {
- $widget_ops = array(
- 'classname' => 'widget_text',
- 'description' => __( 'Arbitrary text.' ),
+ $widget_ops = array(
+ 'classname' => 'widget_text',
+ 'description' => __( 'Arbitrary text.' ),
 'customize_selective_refresh' => true,
 );
 $control_ops = array(
- 'width' => 400,
+ 'width' => 400,
 'height' => 350,
 );
 parent::__construct( 'text', __( 'Text' ), $widget_ops, $control_ops );
@@ -99,7 +99,7 @@
 return false;
 }
- $wpautop = ! empty( $instance['filter'] );
+ $wpautop = ! empty( $instance['filter'] );
 $has_line_breaks = ( false !== strpos( trim( $instance['text'] ), "\n" ) );
 // If auto-paragraphs are not enabled and there are line breaks, then ensure legacy mode.
@@ -120,38 +120,45 @@
 }
 $doc = new DOMDocument();
- @$doc->loadHTML( sprintf(
- '
%s',
- esc_attr( get_bloginfo( 'charset' ) ),
- $instance['text']
- ) );
+
+ // Suppress warnings generated by loadHTML
+ $errors = libxml_use_internal_errors( true );
+ @$doc->loadHTML(
+ sprintf(
+ '%s',
+ esc_attr( get_bloginfo( 'charset' ) ),
+ $instance['text']
+ )
+ );
+ libxml_use_internal_errors( $errors );
+
 $body = $doc->getElementsByTagName( 'body' )->item( 0 );
 // See $allowedposttags.
 $safe_elements_attributes = array(
- 'strong' => array(),
- 'em' => array(),
- 'b' => array(),
- 'i' => array(),
- 'u' => array(),
- 's' => array(),
- 'ul' => array(),
- 'ol' => array(),
- 'li' => array(),
- 'hr' => array(),
- 'abbr' => array(),
+ 'strong' => array(),
+ 'em' => array(),
+ 'b' => array(),
+ 'i' => array(),
+ 'u' => array(),
+ 's' => array(),
+ 'ul' => array(),
+ 'ol' => array(),
+ 'li' => array(),
+ 'hr' => array(),
+ 'abbr' => array(),
 'acronym' => array(),
- 'code' => array(),
- 'dfn' => array(),
- 'a' => array(
+ 'code' => array(),
+ 'dfn' => array(),
+ 'a' => array(
 'href' => true,
 ),
- 'img' => array(
+ 'img' => array(
 'src' => true,
 'alt' => true,
 ),
 );
- $safe_empty_elements = array( 'img', 'hr', 'iframe' );
+ $safe_empty_elements = array( 'img', 'hr', 'iframe' );
 foreach ( $body->getElementsByTagName( '*' ) as $element ) {
 /** @var DOMElement $element */
@@ -219,7 +226,7 @@
 /** This filter is documented in wp-includes/widgets/class-wp-widget-pages.php */
 $title = apply_filters( 'widget_title', $title, $instance, $this->id_base );
- $text = ! empty( $instance['text'] ) ? $instance['text'] : '';
+ $text = ! empty( $instance['text'] ) ? $instance['text'] : '';
 $is_visual_text_widget = ( ! empty( $instance['visual'] ) && ! empty( $instance['filter'] ) );
 // In 4.8.0 only, visual Text widgets get filter=content, without visual prop; upgrade instance props just-in-time.
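Review bot: The libxml error buffer switched on by `libxml_use_internal_errors( true )` is never drained: restoring the previous flag with `libxml_use_internal_errors( $errors )` leaves every error that `loadHTML` recorded in libxml's internal list, where a later caller that runs `libxml_get_errors()` sees this widget's stale parse errors and where the list keeps growing across widget instances in the same request. Add `libxml_clear_errors();` immediately before the restore call. Once internal errors are enabled the `@` on `@$doc->loadHTML(` is redundant and only obscures intent, so that line can become `$doc->loadHTML(`. The enclosing method starts before and ends after this hunk, and the sprintf template string appears truncated on this page, so its contents are not reviewed here.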
@@ -237,7 +244,7 @@
 * and it applies after wpautop() to prevent corrupting HTML output added by the shortcode. When do_shortcode() is
 * added to 'widget_text_content' then do_shortcode() will be manually called when in legacy mode as well.
 */
- $widget_text_do_shortcode_priority = has_filter( 'widget_text', 'do_shortcode' );
+ $widget_text_do_shortcode_priority = has_filter( 'widget_text', 'do_shortcode' );
 $should_suspend_legacy_shortcode_support = ( $is_visual_text_widget && false !== $widget_text_do_shortcode_priority );
 if ( $should_suspend_legacy_shortcode_support ) {
 remove_filter( 'widget_text', 'do_shortcode', $widget_text_do_shortcode_priority );
@@ -321,6 +328,9 @@
 $text = preg_replace_callback( '#<(video|iframe|object|embed)\s[^>]*>#i', array( $this, 'inject_video_max_width_style' ), $text );
+ // Adds noreferrer and noopener relationships, without duplicating values, to all HTML A elements that have a target.
+ $text = wp_targeted_link_rel( $text );
+
 ?> '',
- 'text' => '',
- 'filter' => false, // For back-compat.
- 'visual' => null, // Must be explicitly defined.
- ) );
+ $new_instance = wp_parse_args(
+ $new_instance,
+ array(
+ 'title' => '',
+ 'text' => '',
+ 'filter' => false, // For back-compat.
+ 'visual' => null, // Must be explicitly defined.
+ )
+ );
 $instance = $old_instance;
@@ -427,7 +440,7 @@
 * @since 2.8.0
 * @since 4.8.0 Form only contains hidden inputs which are synced with JS template.
 * @since 4.8.1 Restored original form to be displayed when in legacy mode.
- * @see WP_Widget_Visual_Text::render_control_template_scripts()
+ * @see WP_Widget_Text::render_control_template_scripts()
 * @see _WP_Editors::editor()
 *
 * @param array $instance Current settings.
@@ -438,7 +451,7 @@
 (array) $instance,
 array(
 'title' => '',
- 'text' => '',
+ 'text' => '',
 )
 );
 ?>
@@ -488,7 +501,7 @@/>
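Review bot: The comment on the added `wp_targeted_link_rel( $text )` line in the `-321,6 +328,9` hunk restates what the helper does but not why it runs here, at output time and after `inject_video_max_width_style`, so a reader has to guess whether it is meant as a sanitizer. Suggest `// Mitigate reverse tabnabbing: every <a> carrying a target gets rel="noopener noreferrer" at render time, so anchors that filters or shortcodes injected earlier in this method are covered as well.`, with the filter/shortcode part hedged since that code lies outside the hunk. It is worth stating in the same comment that adding rel values does not restrict which markup is echoed, so the call is not a content filter. The enclosing render method starts before and ends after this hunk, and its tail is garbled on this page.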
-