From 75a23fe2c91d6c2f5008daccae72f8964af72307 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Thu, 4 Oct 2018 01:41:48 +0200
Subject: [PATCH] Add rel="noopener" to target="_blank" links

The noopener construct protects from some nasty clickjacking attacks. We
can apply them savely to all our links since we don't rely on the
previously used page.

Some more details: https://mathiasbynens.github.io/rel-noopener/

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
---
 public/js/extra.js                    |  4 +++-
 public/views/codimd/body.ejs          |  2 +-
 public/views/codimd/header.ejs        | 16 ++++++++--------
 public/views/index/body.ejs           |  4 ++--
 public/views/shared/refresh-modal.ejs |  2 +-
 5 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/public/js/extra.js b/public/js/extra.js
index d6bbb0c..7a1077d 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -570,7 +570,9 @@ export function postProcess (code) {
     $(value).html(html)
   })
   // link should open in new window or tab
-  result.find('a:not([href^="#"]):not([target])').attr('target', '_blank')
+  // also add noopener to prevent clickjacking
+  // See details: https://mathiasbynens.github.io/rel-noopener/
+  result.find('a:not([href^="#"]):not([target])').attr('target', '_blank').attr('rel', 'noopener')
   // update continue line numbers
   const linenumberdivs = result.find('.gutter.linenumber').toArray()
   for (let i = 0; i < linenumberdivs.length; i++) {
diff --git a/public/views/codimd/body.ejs b/public/views/codimd/body.ejs
index d4f27a9..dc11190 100644
--- a/public/views/codimd/body.ejs
+++ b/public/views/codimd/body.ejs
@@ -113,7 +113,7 @@
             </div>
             <div class="modal-body" style="color:black;">
                 <h5></h5>
-                <a target="_blank" style="word-break: break-all;"></a>
+                <a target="_blank" rel="noopener" style="word-break: break-all;"></a>
             </div>
             <div class="modal-footer">
                 <button type="button" class="btn btn-default" data-dismiss="modal"><%= __('OK') %></button>
diff --git a/public/views/codimd/header.ejs b/public/views/codimd/header.ejs
index 8fc050b..1b5e422 100644
--- a/public/views/codimd/header.ejs
+++ b/public/views/codimd/header.ejs
@@ -22,15 +22,15 @@
                 <i class="fa fa-caret-down"></i>
             </a>
             <ul class="dropdown-menu list" role="menu" aria-labelledby="menu">
-                <li role="presentation"><a role="menuitem" class="ui-new" tabindex="-1" href="<%- url %>/new" target="_blank"><i class="fa fa-plus fa-fw"></i> <%= __('New') %></a>
+                <li role="presentation"><a role="menuitem" class="ui-new" tabindex="-1" href="<%- url %>/new" target="_blank" rel="noopener"><i class="fa fa-plus fa-fw"></i> <%= __('New') %></a>
                 </li>
-                <li role="presentation"><a role="menuitem" class="ui-publish" tabindex="-1" href="#" target="_blank"><i class="fa fa-share-square-o fa-fw"></i> <%= __('Publish') %></a>
+                <li role="presentation"><a role="menuitem" class="ui-publish" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-share-square-o fa-fw"></i> <%= __('Publish') %></a>
                 </li>
                 <li class="divider"></li>
                 <li class="dropdown-header"><%= __('Extra') %></li>
                 <li role="presentation"><a role="menuitem" class="ui-extra-revision" tabindex="-1" data-toggle="modal" data-target="#revisionModal"><i class="fa fa-history fa-fw"></i> <%= __('Revision') %></a>
                 </li>
-                <li role="presentation"><a role="menuitem" class="ui-extra-slide" tabindex="-1" href="#" target="_blank"><i class="fa fa-tv fa-fw"></i> <%= __('Slide Mode') %></a>
+                <li role="presentation"><a role="menuitem" class="ui-extra-slide" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-tv fa-fw"></i> <%= __('Slide Mode') %></a>
                 </li>
                 <% if((typeof github !== 'undefined' && github) || (typeof dropbox !== 'undefined' && dropbox) || (typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api'))) { %>
                 <li class="divider"></li>
@@ -38,7 +38,7 @@
                 <li role="presentation"><a role="menuitem" class="ui-save-dropbox" tabindex="-1" href="#" target="_self"><i class="fa fa-dropbox fa-fw"></i> Dropbox</a>
                 </li>
                 <% if(typeof github !== 'undefined' && github) { %>
-                <li role="presentation"><a role="menuitem" class="ui-save-gist" tabindex="-1" href="#" target="_blank"><i class="fa fa-github fa-fw"></i> Gist</a>
+                <li role="presentation"><a role="menuitem" class="ui-save-gist" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-github fa-fw"></i> Gist</a>
                 </li>
                 <% } %>
                 <% if(typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api')) { %>
@@ -115,12 +115,12 @@
         </ul>
         <ul class="nav navbar-nav navbar-right" style="padding:0;">
             <li>
-                <a href="<%- url %>/new" target="_blank" class="ui-new">
+                <a href="<%- url %>/new" target="_blank" rel="noopener" class="ui-new">
                     <i class="fa fa-plus"></i> <%= __('New') %>
                 </a>
             </li>
             <li>
-                <a href="#" target="_blank" class="ui-publish">
+                <a href="#" target="_blank" rel="noopener" class="ui-publish">
                     <i class="fa fa-share-square-o"></i> <%= __('Publish') %>
                 </a>
             </li>
@@ -132,7 +132,7 @@
                     <li class="dropdown-header"><%= __('Extra') %></li>
                     <li role="presentation"><a role="menuitem" class="ui-extra-revision" tabindex="-1" data-toggle="modal" data-target="#revisionModal"><i class="fa fa-history fa-fw"></i> <%= __('Revision') %></a>
                     </li>
-                    <li role="presentation"><a role="menuitem" class="ui-extra-slide" tabindex="-1" href="#" target="_blank"><i class="fa fa-tv fa-fw"></i> <%= __('Slide Mode') %></a>
+                    <li role="presentation"><a role="menuitem" class="ui-extra-slide" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-tv fa-fw"></i> <%= __('Slide Mode') %></a>
                     </li>
                     <% if((typeof github !== 'undefined' && github) || (typeof dropbox !== 'undefined' && dropbox) || (typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api'))) { %>
                     <li class="divider"></li>
@@ -140,7 +140,7 @@
                     <li role="presentation"><a role="menuitem" class="ui-save-dropbox" tabindex="-1" href="#" target="_self"><i class="fa fa-dropbox fa-fw"></i> Dropbox</a>
                     </li>
                     <% if(typeof github !== 'undefined' && github) { %>
-                    <li role="presentation"><a role="menuitem" class="ui-save-gist" tabindex="-1" href="#" target="_blank"><i class="fa fa-github fa-fw"></i> Gist</a>
+                    <li role="presentation"><a role="menuitem" class="ui-save-gist" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-github fa-fw"></i> Gist</a>
                     </li>
                     <% } %>
                     <% if(typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api')) { %>
diff --git a/public/views/index/body.ejs b/public/views/index/body.ejs
index 0f2813b..18bffdd 100644
--- a/public/views/index/body.ejs
+++ b/public/views/index/body.ejs
@@ -150,10 +150,10 @@
                         <option value="id">Bahasa Indonesia</option>
                     </select>
                     <p>
-                        Powered by <a href="https://codimd.org">CodiMD</a> | <a href="<%- url %>/s/release-notes" target="_blank"><%= __('Releases') %></a><% if(privacyStatement) { %> | <a href="<%- url %>/s/privacy" target="_blank"><%= __('Privacy') %></a><% } %><% if(termsOfUse) { %> | <a href="<%- url %>/s/terms-of-use" target="_blank"><%= __('Terms of Use') %></a><% } %>
+                        Powered by <a href="https://codimd.org">CodiMD</a> | <a href="<%- url %>/s/release-notes" target="_blank" rel="noopener"><%= __('Releases') %></a><% if(privacyStatement) { %> | <a href="<%- url %>/s/privacy" target="_blank" rel="noopener"><%= __('Privacy') %></a><% } %><% if(termsOfUse) { %> | <a href="<%- url %>/s/terms-of-use" target="_blank" rel="noopener"><%= __('Terms of Use') %></a><% } %>
                     </p>
                     <h6 class="social-foot">
-                        <%- __('Follow us on %s and %s.', '<a href="https://github.com/hackmdio/CodiMD" target="_blank"><i class="fa fa-github"></i> GitHub</a>, <a href="https://riot.im/app/#/room/#codimd:matrix.org" target="_blank"><i class="fa fa-comments"></i> Riot</a>', '<a href="https://translate.codimd.org" target="_blank"><i class="fa fa-globe"></i> POEditor</a>') %>
+                        <%- __('Follow us on %s and %s.', '<a href="https://github.com/hackmdio/CodiMD" target="_blank" rel="noopener"><i class="fa fa-github"></i> GitHub</a>, <a href="https://riot.im/app/#/room/#codimd:matrix.org" target="_blank" rel="noopener"><i class="fa fa-comments"></i> Riot</a>', '<a href="https://translate.codimd.org" target="_blank" rel="noopener"><i class="fa fa-globe"></i> POEditor</a>') %>
                     </h6>
                 </div>
             </div>
diff --git a/public/views/shared/refresh-modal.ejs b/public/views/shared/refresh-modal.ejs
index 5be41b2..6458054 100644
--- a/public/views/shared/refresh-modal.ejs
+++ b/public/views/shared/refresh-modal.ejs
@@ -14,7 +14,7 @@
                 </div>
                 <div class="new-version" style="display:none;">
                     <h5><%= __('New version available!') %></h5>
-                    <a href="<%- url %>/s/release-notes" target="_blank"><%= __('See releases notes here') %></a>
+                    <a href="<%- url %>/s/release-notes" target="_blank" rel="noopener"><%= __('See releases notes here') %></a>
                     <br>
                     <strong><%= __('Refresh to enjoy new features.') %></strong>
                 </div>