From 2a3b0e85ea747e6bd4502931b270d85333465e4d Mon Sep 17 00:00:00 2001 From: Matthew Hodgson Date: Mon, 15 Aug 2016 21:37:26 +0100 Subject: [PATCH] add rel='noopener' wherever we do target='_blank' because https://mathiasbynens.github.io/rel-noopener/
---
src/HtmlUtils.js | 5 +++-- src/components/views/messages/MFileBody.js | 2 +- src/components/views/messages/MImageBody.js | 2 +- src/components/views/rooms/LinkPreviewWidget.js | 2 +- src/linkify-matrix.js | 4 ++++ 5 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js
index c0792e6d14..6a8d903df8 100644
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
@@ -69,7 +69,7 @@ var sanitizeHtmlParams = {
 allowedAttributes: {
 // custom ones first:
 font: [ 'color' ], // custom to matrix
- a: [ 'href', 'name', 'target' ], // remote target: custom to matrix
+ a: [ 'href', 'name', 'target', 'rel' ], // remote target: custom to matrix
 // We don't currently allow img itself by default, but this
 // would make sense if we did
 img: [ 'src' ],
@@ -81,7 +81,7 @@ var sanitizeHtmlParams = {
 allowedSchemesByTag: {
 img: [ 'data' ],
 },
-
+
 transformTags: { // custom to matrix
 // add blank targets to all hyperlinks except vector URLs
 'a': function(tagName, attribs) {
@@ -92,6 +92,7 @@ var sanitizeHtmlParams = {
 else {
 attribs.target = '_blank';
 }
+ attribs.rel = 'noopener'; // https://mathiasbynens.github.io/rel-noopener/
 return { tagName: tagName, attribs : attribs };
 },
 },
diff --git a/src/components/views/messages/MFileBody.js b/src/components/views/messages/MFileBody.js
index 2f416daf95..dbad084024 100644
--- a/src/components/views/messages/MFileBody.js
+++ b/src/components/views/messages/MFileBody.js
@@ -60,7 +60,7 @@ module.exports = React.createClass({
 return (
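Review bot: `attribs.rel = 'noopener';` in the `'a'` transform of src/HtmlUtils.js only helps in browsers that implement `noopener`; elsewhere the token is ignored and a page opened through `target='_blank'` can still reach `window.opener`. Setting `attribs.rel = 'noopener noreferrer';` gives the same isolation in browsers that only honour `noreferrer`, and also stops the client's page URL from being sent as the Referer. The same applies to `linkAttributes` in src/linkify-matrix.js, which would become `rel: 'noopener noreferrer',`. The unconditional assignment appears to be what makes allowing `'rel'` in `allowedAttributes` safe, since it overwrites whatever the sender supplied; a short comment saying so next to the `a:` entry would keep a later edit from making it conditional. The transform function starts outside the hunk.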
- + Download {text} diff --git a/src/components/views/messages/MImageBody.js b/src/components/views/messages/MImageBody.js index 13f9cf4c19..ec594af2ce 100644 --- a/src/components/views/messages/MImageBody.js +++ b/src/components/views/messages/MImageBody.js @@ -134,7 +134,7 @@ module.exports = React.createClass({ onMouseLeave={this.onImageLeave} />
- + Download {content.body} ({ content.info && content.info.size ? filesize(content.info.size) : "Unknown size" }) diff --git a/src/components/views/rooms/LinkPreviewWidget.js b/src/components/views/rooms/LinkPreviewWidget.js index ba438c1d12..60f4f8abc0 100644 --- a/src/components/views/rooms/LinkPreviewWidget.js +++ b/src/components/views/rooms/LinkPreviewWidget.js @@ -123,7 +123,7 @@ module.exports = React.createClass({
{ img }
- +
{ p["og:site_name"] ? (" - " + p["og:site_name"]) : null }
{ p["og:description"] }
diff --git a/src/linkify-matrix.js b/src/linkify-matrix.js
index a12ef8eaf5..99b7ee5c33 100644
--- a/src/linkify-matrix.js
+++ b/src/linkify-matrix.js
@@ -137,6 +137,10 @@ matrixLinkify.options = {
 }
 },
+ linkAttributes: {
+ rel: 'noopener',
+ },
+
 target: function(href, type) {
 if (type === 'url') {
 if (href.match(matrixLinkify.VECTOR_URL_PATTERN)) {
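Review bot: The new `linkAttributes` entry carries no comment saying why `rel` is set, unlike the matching line in src/HtmlUtils.js, which cites the reference. Something like `rel: 'noopener', // keep in step with HtmlUtils.js, see https://mathiasbynens.github.io/rel-noopener/` would keep the two link paths visibly paired. They look like separate code paths (sanitised HTML versus linkified text, judging by the file names), so a later change to one is easy to miss in the other. The `options` object starts and ends outside the hunk.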