Add rel="noopener noreferrer" to links when openLinksInNewWindow is on. #670

Merged

jammerware
Contributor

Not sure how well this fits in with your goals for the project, but my understanding is that using target="_blank" without also adding rel="noopener noreferrer" creates a vulnerability (since the site you're linking to has access to the window.opener by default). This pull adds rel="noopener noreferrer" to links generated by the makeHtml converter when openLinksInNewWindow is true.

Let me know if I dun goofed or if I can do anything else to help. Thanks for making Showdown!

@jammerware jammerware changed the title Add rel="noreferrer" to links when openLinksInNewWindow is on. Add rel="noopener noreferrer" to links when openLinksInNewWindow is on. Mar 10, 2019
@dimadk24

You can read more about such a vulnerability here: https://mathiasbynens.github.io/rel-noopener/

@tivie tivie merged commit caab5bb into showdownjs:master Nov 2, 2019
@tivie
Member

tivie commented Nov 2, 2019

Thank you

tivie pushed a commit that referenced this pull request Nov 2, 2019
Add rel="noreferrer" to links when openLinksInNewWindow is on. Also add noopener when openLinksInNewWindow is on.
target="_blank" without also adding rel="noopener noreferrer" creates a vulnerability
(since the site you're linking to has access to the window.opener by default).
This adds rel="noopener noreferrer" to links generated by the makeHtml converter when openLinksInNewWindow is true.

Closes #670
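
The check discussed in this thread, as an added example that is not part of the pull request or Showdown's own code: a post-processing pass over already generated HTML that finds `<a>` tags with `target="_blank"` and merges `noopener` and `noreferrer` into `rel`, keeping any tokens already present. The names `hardenBlankLinks`, `parseAttrs`, `REQUIRED`, `A_TAG` and `ATTR` are hypothetical, and the regex tokenizer assumes well-formed converter output rather than arbitrary untrusted markup.

```javascript
// Added example, not Showdown's implementation. All names are hypothetical.
const REQUIRED = ['noopener', 'noreferrer'];
// An <a ...> start tag; quoted attribute values may contain '>'.
const A_TAG = /<a(\s(?:"[^"]*"|'[^']*'|[^'">])*)?>/gi;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Tokenize the attribute text of a start tag into {name, value} pairs.
function parseAttrs(text) {
  return [...text.matchAll(ATTR)].map(m => ({
    name: m[1].toLowerCase(),
    value: m[2] ?? m[3] ?? m[4] ?? '',
  }));
}

// Return html with rel="noopener noreferrer" ensured on every
// <a target="_blank">. Tags that already comply are returned byte-for-byte.
function hardenBlankLinks(html) {
  return html.replace(A_TAG, (tag, attrText = '') => {
    const attrs = parseAttrs(attrText);
    // Browsers honour the first occurrence of a duplicated attribute.
    const target = attrs.find(a => a.name === 'target');
    if (!target || target.value.toLowerCase() !== '_blank') return tag;

    const rel = attrs.find(a => a.name === 'rel');
    const tokens = rel ? rel.value.split(/\s+/).filter(Boolean) : [];
    const have = new Set(tokens.map(t => t.toLowerCase()));
    const missing = REQUIRED.filter(t => !have.has(t));
    if (missing.length === 0) return tag;

    // Keep existing tokens (e.g. nofollow) and append only what is missing.
    const value = [...tokens, ...missing].join(' ');
    if (rel) rel.value = value;
    else attrs.push({ name: 'rel', value });

    const body = attrs
      .map(a => `${a.name}="${a.value.replace(/"/g, '&quot;')}"`)
      .join(' ');
    return `<a ${body}>`;
  });
}

// Constructed sample input: one unsafe link, one partly hardened, one safe.
const sample =
  '<a href="https://example.com" target="_blank">a</a> ' +
  '<a href=\'/b\' rel="nofollow noopener" target=_blank>b</a> ' +
  '<a href="/c">c</a>';
console.log(hardenBlankLinks(sample));
```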