add rel='noopener' wherever we do target='_blank' because https://mathiasbynens.github.io/rel-noopener/

Matthew Hodgson 2016-08-15 21:37:26 +01:00
parent a94d415106
commit 2a3b0e85ea
5 changed files with 10 additions and 5 deletions


@ -69,7 +69,7 @@ var sanitizeHtmlParams = {
allowedAttributes: {
// custom ones first:
font: [ 'color' ], // custom to matrix
a: [ 'href', 'name', 'target' ], // remote target: custom to matrix
a: [ 'href', 'name', 'target', 'rel' ], // remote target: custom to matrix
// We don't currently allow img itself by default, but this
// would make sense if we did
img: [ 'src' ],
@ -92,6 +92,7 @@ var sanitizeHtmlParams = {
else {
attribs.target = '_blank';
}
attribs.rel = 'noopener'; // https://mathiasbynens.github.io/rel-noopener/
return { tagName: tagName, attribs : attribs };
},
},
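Review bot: `attribs.rel = 'noopener'` only helps in browsers that implement the `noopener` token; a browser that does not recognise it ignores the value, and the opened page keeps its `window.opener` handle. For anchors built from message HTML I would set `attribs.rel = 'noopener noreferrer';`, because `noreferrer` is honoured by older browsers and also severs the opener, at the cost of no longer sending a Referer header. The same applies to the `rel="noopener"` anchors in the download and link-preview components and to `linkAttributes` in the linkify options further down this commit. The transform function begins above this hunk, so it cannot be confirmed from here that every return path reaches the assignment.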


@ -60,7 +60,7 @@ module.exports = React.createClass({
return (
<span className="mx_MFileBody">
<div className="mx_MImageBody_download">
<a href={cli.mxcUrlToHttp(content.url)} target="_blank">
<a href={cli.mxcUrlToHttp(content.url)} target="_blank" rel="noopener">
<TintableSvg src="img/download.svg" width="12" height="14"/>
Download {text}
</a>


@ -134,7 +134,7 @@ module.exports = React.createClass({
onMouseLeave={this.onImageLeave} />
</a>
<div className="mx_MImageBody_download">
<a href={cli.mxcUrlToHttp(content.url)} target="_blank">
<a href={cli.mxcUrlToHttp(content.url)} target="_blank" rel="noopener">
<TintableSvg src="img/download.svg" width="12" height="14"/>
Download {content.body} ({ content.info && content.info.size ? filesize(content.info.size) : "Unknown size" })
</a>


@ -123,7 +123,7 @@ module.exports = React.createClass({
<div className="mx_LinkPreviewWidget" >
{ img }
<div className="mx_LinkPreviewWidget_caption">
<div className="mx_LinkPreviewWidget_title"><a href={ this.props.link } target="_blank">{ p["og:title"] }</a></div>
<div className="mx_LinkPreviewWidget_title"><a href={ this.props.link } target="_blank" rel="noopener">{ p["og:title"] }</a></div>
<div className="mx_LinkPreviewWidget_siteName">{ p["og:site_name"] ? (" - " + p["og:site_name"]) : null }</div>
<div className="mx_LinkPreviewWidget_description" ref="description">
{ p["og:description"] }


@ -137,6 +137,10 @@ matrixLinkify.options = {
}
},
linkAttributes: {
rel: 'noopener',
},
target: function(href, type) {
if (type === 'url') {
if (href.match(matrixLinkify.VECTOR_URL_PATTERN)) {