From 1cd281f0643ef613dc1d36847d4c6cbb22501d91 Mon Sep 17 00:00:00 2001
From: Jammerware <ben.s.stein@gmail.com>
Date: Sat, 2 Nov 2019 14:58:07 -0400
Subject: [PATCH] fix(openLinksInNewWindow): add rel="noopener noreferrer" to
 links

Add rel="noreferrer" to links when openLinksInNewWindow is on. Also add noopener when openLinksInNewWindow is on.
target="_blank" without also adding rel="noopener noreferrer" creates a vulnerability
(since the site you're linking to has access to the window.opener by default.
This  adds rel="noopener noreferrer" to links generated by the makeHtml converter when openLinksInNewWindow is true.

Closes #670
---
 dist/showdown.js                              | Bin 159266 -> 159344 bytes
 dist/showdown.js.map                          | Bin 450238 -> 450427 bytes
 dist/showdown.min.js                          | Bin 75596 -> 75674 bytes
 dist/showdown.min.js.map                      | Bin 86981 -> 86981 bytes
 src/subParsers/anchors.js                     |   4 ++--
 src/subParsers/autoLinks.js                   |   2 +-
 ...penLinksInNewWindow-breaks-em-markdup.html |   4 ++--
 .../openLinksInNewWindow/simple-cases.html    |   4 ++--
 .../features/openLinksInNewWindow/simple.html |   4 ++--
 .../simplifiedAutoLink.html                   |   2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/dist/showdown.js b/dist/showdown.js
index bf3bc44c18f0d5b424a8757e6df104b83877f4f7..a7c15ff69898757e99b368ba2de30e4a34356687 100644
GIT binary patch
delta 121
zcmZ2<hx5Z7&W0_FmpmnlQgdvT^78WwQu9)a6!P+mQqxk4ic*V|wqNvQ{Ktx0emYQI
XX8S9D#-D@~wf_rc-2N|=NkswxxwS9{

delta 43
wcmexxhjY;#&W0_FmprE%hA~QSXZK=!#0p}{ZdV9k{Lb1AWNtSMW3rb30C<ZI-2eap

diff --git a/dist/showdown.js.map b/dist/showdown.js.map
index 0502d2c67df6648f8ab80bdd31725b8e2e1041ac..962cbcda68d63285c9d2e5c2f4053547b5aa894a 100644
GIT binary patch
delta 340
zcmdnDSNiup>4p}@Elf3r(;p-<b4`DCmRWLojUkgbQ<m%GkC{^2*Bdfz;Y5?0o@T`)
zKD~~MiEH|KeI}9VAFeX;Pv5}I#5#SRE|bRe4O>8BVoY3<50pqwUm(lEKkXp1$Yg;9
zoZJ0un6x?2Ok*sVe*83(!sL5NoRb|gxlv6MnI7;LXe8V;0aqsF=?a^f;T8x_R+z!k
zKEag<h?#+yW%~qI*7gkPqSPGQ7^S@Y{DRcH)FOqv{G!yf)S{x)q8O#^V(VCA+3=~D
f4pbq(ec~2YSHjAsd+cQuYv<a{x}9q`+ZJU2v{8Dv

delta 219
zcmeypPkP^8>4p}@Elf3rlMn1<oxaYRNr<s*`hjF-)#(P?nYboTa1)sxkjE@HSzrOj
zb_FA*G)}lWrV8ijh0mBor`K^YaZNw3&m=Pa!&OH9=^L1tSf?*o%*;Cdz7aG3^nmY7
z8q*B|nMI}x2(rjcPAK7;zTqLW(Db9P7zHOESi(O!poe?9!*eF1?H_EI&a=afXEdB1
z=)xq{F5t=p#LPg<vR%NHwIFl*oOP@*Y}0|H+;*d_tgaB|^cA~U`P&cdX5D^ZH`{Jy
E0Q}@n7XSbN

diff --git a/dist/showdown.min.js b/dist/showdown.min.js
index cea402a736ac87002eb2f713a049e7f21934559c..f21c30e7d7d9c6c0f67e03d1706c5e7a387e5c45 100644
GIT binary patch
delta 109
zcmX?ej%C()mJQ#QN*1N&*ed1a=NF{rr4}jV<rk%<r4|*X7AZ}3TqCiWci9~#{7N>h
ObYjM>Vzc8K?rH#|4=ZQ@

delta 28
mcmV+%0OS9f&jifQ1hDp{vk<290+SG?7qc{}LIbmqtO|S4qYYjF

diff --git a/dist/showdown.min.js.map b/dist/showdown.min.js.map
index e20c108286a1479a24bea5084eb3645df8f51998..07f509c7b69fb7829405923afef55e041317d0ad 100644
GIT binary patch
delta 33
kcmX@Qob~8()(u)GnX+9r>zw?`2%?owi!gy`%d<Ug0P$rFxc~qF

delta 33
kcmX@Qob~8()(u)GnaZ6u>zw?`2%?owi!gy`%d<Ug0P`&k*8l(j

diff --git a/src/subParsers/anchors.js b/src/subParsers/anchors.js
index 5a39a66..1971c38 100644
--- a/src/subParsers/anchors.js
+++ b/src/subParsers/anchors.js
@@ -48,7 +48,7 @@ showdown.subParser('anchors', function (text, options, globals) {
     // to external links. Hash links (#) open in same page
     if (options.openLinksInNewWindow && !/^#/.test(url)) {
       // escaped _
-      result += ' target="¨E95Eblank"';
+      result += ' rel="noopener noreferrer" target="¨E95Eblank"';
     }
 
     result += '>' + linkText + '</a>';
@@ -87,7 +87,7 @@ showdown.subParser('anchors', function (text, options, globals) {
       var lnk = options.ghMentionsLink.replace(/\{u}/g, username),
           target = '';
       if (options.openLinksInNewWindow) {
-        target = ' target="¨E95Eblank"';
+        target = ' rel="noopener noreferrer" target="¨E95Eblank"';
       }
       return st + '<a href="' + lnk + '"' + target + '>' + mentions + '</a>';
     });
diff --git a/src/subParsers/autoLinks.js b/src/subParsers/autoLinks.js
index f75e97e..fa49b52 100644
--- a/src/subParsers/autoLinks.js
+++ b/src/subParsers/autoLinks.js
@@ -22,7 +22,7 @@ var simpleURLRegex  = /([*~_]+|\b)(((https?|ftp|dict):\/\/|www\.)[^'">\s]+?\.[^'
           append = trailingPunctuation;
         }
         if (options.openLinksInNewWindow) {
-          target = ' target="¨E95Eblank"';
+          target = ' rel="noopener noreferrer" target="¨E95Eblank"';
         }
         return lmc + '<a href="' + link + '"' + target + '>' + lnkTxt + '</a>' + append + tmc;
       };
diff --git a/test/features/#379.openLinksInNewWindow-breaks-em-markdup.html b/test/features/#379.openLinksInNewWindow-breaks-em-markdup.html
index ab837e3..9d22dee 100644
--- a/test/features/#379.openLinksInNewWindow-breaks-em-markdup.html
+++ b/test/features/#379.openLinksInNewWindow-breaks-em-markdup.html
@@ -1,2 +1,2 @@
-<p>My <a href="http://example.com" target="_blank">link</a> is <em>important</em></p>
-<p>My <a href="http://example.com" target="_blank">link</a> is <strong>important</strong></p>
+<p>My <a href="http://example.com" rel="noopener noreferrer" target="_blank">link</a> is <em>important</em></p>
+<p>My <a href="http://example.com" rel="noopener noreferrer" target="_blank">link</a> is <strong>important</strong></p>
diff --git a/test/features/openLinksInNewWindow/simple-cases.html b/test/features/openLinksInNewWindow/simple-cases.html
index c62a155..f20e2af 100644
--- a/test/features/openLinksInNewWindow/simple-cases.html
+++ b/test/features/openLinksInNewWindow/simple-cases.html
@@ -1,2 +1,2 @@
-<p><a href="www.google.com" target="_blank">foo</a></p>
-<p>a link <a href="http://www.google.com" target="_blank">http://www.google.com</a></p>
+<p><a href="www.google.com" rel="noopener noreferrer" target="_blank">foo</a></p>
+<p>a link <a href="http://www.google.com" rel="noopener noreferrer" target="_blank">http://www.google.com</a></p>
diff --git a/test/features/openLinksInNewWindow/simple.html b/test/features/openLinksInNewWindow/simple.html
index c62a155..f20e2af 100644
--- a/test/features/openLinksInNewWindow/simple.html
+++ b/test/features/openLinksInNewWindow/simple.html
@@ -1,2 +1,2 @@
-<p><a href="www.google.com" target="_blank">foo</a></p>
-<p>a link <a href="http://www.google.com" target="_blank">http://www.google.com</a></p>
+<p><a href="www.google.com" rel="noopener noreferrer" target="_blank">foo</a></p>
+<p>a link <a href="http://www.google.com" rel="noopener noreferrer" target="_blank">http://www.google.com</a></p>
diff --git a/test/features/openLinksInNewWindow/simplifiedAutoLink.html b/test/features/openLinksInNewWindow/simplifiedAutoLink.html
index c23bf68..6dff350 100644
--- a/test/features/openLinksInNewWindow/simplifiedAutoLink.html
+++ b/test/features/openLinksInNewWindow/simplifiedAutoLink.html
@@ -1 +1 @@
-<p>this is <a href="http://www.google.com" target="_blank">http://www.google.com</a> autolink</p>
+<p>this is <a href="http://www.google.com" rel="noopener noreferrer" target="_blank">http://www.google.com</a> autolink</p>