authorSheogorath2018-10-04 01:41:48 +0200
committerSheogorath2018-10-04 01:49:36 +0200
commit75a23fe2c91d6c2f5008daccae72f8964af72307 (patch)
tree0a0d58402cb694344033414002ee1f20784efbfc /public/js
parentd9ba11b21a77561ec3f72d5396d48fea32f6389d (diff)
Add rel="noopener" to target="_blank" links
The noopener construct protects from some nasty clickjacking attacks. We can apply it safely to all our links since we don't rely on the previously used page. Some more details: https://mathiasbynens.github.io/rel-noopener/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to 'public/js')
-rw-r--r--public/js/extra.js4
1 files changed, 3 insertions, 1 deletions
diff --git a/public/js/extra.js b/public/js/extra.js
index d6bbb0c6..7a1077d5 100644
--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -570,7 +570,9 @@ export function postProcess (code) {
$(value).html(html)
})
// link should open in new window or tab
- result.find('a:not([href^="#"]):not([target])').attr('target', '_blank')
+ // also add noopener to prevent clickjacking
+ // See details: https://mathiasbynens.github.io/rel-noopener/
+ result.find('a:not([href^="#"]):not([target])').attr('target', '_blank').attr('rel', 'noopener')
// update continue line numbers
const linenumberdivs = result.find('.gutter.linenumber').toArray()
for (let i = 0; i < linenumberdivs.length; i++) {
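Review bot: The added `.attr('rel', 'noopener')` only reaches anchors matched by `:not([target])`, so a link that arrives with its own `target="_blank"` (for example from HTML embedded in the note, if the sanitizer lets `target` through, which this hunk does not show) still exposes `window.opener` to the opened page. A second pass such as `result.find('a[target="_blank"]').attr('rel', 'noopener noreferrer')` would cover those, and `noreferrer` gives the same protection in browsers that predate `noopener`. Be aware that `.attr('rel', …)` replaces any `rel` value the link already carries rather than appending to it. The new comment would be more precise as `// also add noopener so the opened page cannot reach window.opener (reverse tabnabbing)`, since that is the issue the linked article describes rather than clickjacking. postProcess starts and ends outside the hunk.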