StarMirror/showdown
1
0
Fork 0
mirror of https://github.com/showdownjs/showdown.git synced 2024-03-22 13:30:55 +08:00
Code Issues Projects Releases Wiki Activity

fix(openLinksInNewWindow): add rel="noopener noreferrer" to links

Browse Source 
Add rel="noreferrer" to links when openLinksInNewWindow is on. Also add noopener when openLinksInNewWindow is on.
target="_blank" without also adding rel="noopener noreferrer" creates a vulnerability
(since the site you're linking to has access to the window.opener by default.
This  adds rel="noopener noreferrer" to links generated by the makeHtml converter when openLinksInNewWindow is true.

Closes #670
This commit is contained in:
Jammerware 2019-11-02 14:58:07 -04:00 committed by Estevao Soares dos Santos
parent 58208e5c98
commit 1cd281f064
10 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
dist/showdown.js vendored
View File

Binary file not shown.

BIN
dist/showdown.js.map vendored
View File

Binary file not shown.

BIN
dist/showdown.min.js vendored
View File

Binary file not shown.

BIN
dist/showdown.min.js.map vendored
View File

Binary file not shown.

4
src/subParsers/anchors.js
View File

@ -48,7 +48,7 @@ showdown.subParser('anchors', function (text, options, globals) {
// to external links. Hash links (#) open in same page
if (options.openLinksInNewWindow && !/^#/.test(url)) {
// escaped _
result += ' target="¨E95Eblank"';
result += ' rel="noopener noreferrer" target="¨E95Eblank"';
}
result += '>' + linkText + '</a>';
@ -87,7 +87,7 @@ showdown.subParser('anchors', function (text, options, globals) {
var lnk = options.ghMentionsLink.replace(/\{u}/g, username),
target = '';
if (options.openLinksInNewWindow) {
target = ' target="¨E95Eblank"';
target = ' rel="noopener noreferrer" target="¨E95Eblank"';
}
return st + '<a href="' + lnk + '"' + target + '>' + mentions + '</a>';
});

2
src/subParsers/autoLinks.js
View File

@ -22,7 +22,7 @@ var simpleURLRegex = /([*~_]+|\b)(((https?|ftp|dict):\/\/|www\.)[^'">\s]+?\.[^'
append = trailingPunctuation;
}
if (options.openLinksInNewWindow) {
target = ' target="¨E95Eblank"';
target = ' rel="noopener noreferrer" target="¨E95Eblank"';
}
return lmc + '<a href="' + link + '"' + target + '>' + lnkTxt + '</a>' + append + tmc;
};

4
test/features/#379.openLinksInNewWindow-breaks-em-markdup.html
View File

@ -1,2 +1,2 @@
<p>My <a href="http://example.com" target="_blank">link</a> is <em>important</em></p>
<p>My <a href="http://example.com" target="_blank">link</a> is <strong>important</strong></p>
<p>My <a href="http://example.com" rel="noopener noreferrer" target="_blank">link</a> is <em>important</em></p>
<p>My <a href="http://example.com" rel="noopener noreferrer" target="_blank">link</a> is <strong>important</strong></p>

4
test/features/openLinksInNewWindow/simple-cases.html
View File

@ -1,2 +1,2 @@
<p><a href="www.google.com" target="_blank">foo</a></p>
<p>a link <a href="http://www.google.com" target="_blank">http://www.google.com</a></p>
<p><a href="www.google.com" rel="noopener noreferrer" target="_blank">foo</a></p>
<p>a link <a href="http://www.google.com" rel="noopener noreferrer" target="_blank">http://www.google.com</a></p>

4
test/features/openLinksInNewWindow/simple.html
View File

@ -1,2 +1,2 @@
<p><a href="www.google.com" target="_blank">foo</a></p>
<p>a link <a href="http://www.google.com" target="_blank">http://www.google.com</a></p>
<p><a href="www.google.com" rel="noopener noreferrer" target="_blank">foo</a></p>
<p>a link <a href="http://www.google.com" rel="noopener noreferrer" target="_blank">http://www.google.com</a></p>

2
test/features/openLinksInNewWindow/simplifiedAutoLink.html
View File

@ -1 +1 @@
<p>this is <a href="http://www.google.com" target="_blank">http://www.google.com</a> autolink</p>
<p>this is <a href="http://www.google.com" rel="noopener noreferrer" target="_blank">http://www.google.com</a> autolink</p>