From 75a23fe2c91d6c2f5008daccae72f8964af72307 Mon Sep 17 00:00:00 2001
From: Sheogorath
Date: Thu, 4 Oct 2018 01:41:48 +0200
Subject: [PATCH] Add rel="noopener" to target="_blank" links
The noopener construct protects from some nasty clickjacking attacks. We can apply them savely to all our links since we don't rely on the previously used page. Some more details: https://mathiasbynens.github.io/rel-noopener/
Signed-off-by: Sheogorath
---
public/js/extra.js | 4 +++-
public/views/codimd/body.ejs | 2 +-
public/views/codimd/header.ejs | 16 ++++++++--------
public/views/index/body.ejs | 4 ++--
public/views/shared/refresh-modal.ejs | 2 +-
5 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/public/js/extra.js b/public/js/extra.js
index d6bbb0c..7a1077d 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -570,7 +570,9 @@ export function postProcess (code) {
 $(value).html(html)
 })
 // link should open in new window or tab
- result.find('a:not([href^="#"]):not([target])').attr('target', '_blank')
+ // also add noopener to prevent clickjacking
+ // See details: https://mathiasbynens.github.io/rel-noopener/
+ result.find('a:not([href^="#"]):not([target])').attr('target', '_blank').attr('rel', 'noopener')
 // update continue line numbers
 const linenumberdivs = result.find('.gutter.linenumber').toArray()
 for (let i = 0; i < linenumberdivs.length; i++) {
diff --git a/public/views/codimd/body.ejs b/public/views/codimd/body.ejs
index d4f27a9..dc11190 100644
--- a/public/views/codimd/body.ejs
+++ b/public/views/codimd/body.ejs
@@ -113,7 +113,7 @@
diff --git a/public/views/shared/refresh-modal.ejs b/public/views/shared/refresh-modal.ejs
index 5be41b2..6458054 100644
--- a/public/views/shared/refresh-modal.ejs
+++ b/public/views/shared/refresh-modal.ejs
@@ -14,7 +14,7 @@
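Review bot: The new comment `// also add noopener to prevent clickjacking` in the extra.js hunk misstates the threat: `rel="noopener"` stops the opened page from reaching `window.opener` (reverse tabnabbing / opener hijacking, which is what the linked article covers), not clickjacking, which is a framing attack this attribute does not affect; suggest `// also add noopener so the opened page cannot reach window.opener (reverse tabnabbing)`. Separately, the selector `a:not([href^="#"]):not([target])` still skips anchors that already carry a `target` attribute, so if raw HTML with an author-supplied `target="_blank"` can reach postProcess, those links keep an opener reference unless they also carry `rel`. A follow-up line such as `result.find('a[target="_blank"]:not([rel~="noopener"])').attr('rel', 'noopener')` would close that gap if such anchors occur. Note also that jQuery `.attr('rel', 'noopener')` replaces any existing `rel` value rather than appending, which matters if another step sets `rel` on these links; `noreferrer` could be added alongside if browsers without `noopener` support are still a concern. postProcess begins before and continues after this hunk.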