Add rel="noopener noreferrer" to autolinks

2016-06-19 03:48:29 +02:00 · 2016-06-19 03:48:29 +02:00 · 652050a87e
commit 652050a87e
parent 13684216f2
5 changed files with 29 additions and 16 deletions
--- a/app/assets/javascripts/app/helpers/text_formatter.js
+++ b/app/assets/javascripts/app/helpers/text_formatter.js
@ -26,11 +26,12 @@
          array[index][1] = attribute[1].replace(/^www\./, "http://www.");
        }
      });
-      tokens[idx].attrPush([ "target", "_blank" ]);
+      tokens[idx].attrPush(["target", "_blank"]);
+      tokens[idx].attrPush(["rel", "noopener noreferrer"]);
    });

    md.use(inlinePlugin, "responsive_images", "image", function (tokens, idx) {
-      tokens[idx].attrPush([ "class", "img-responsive" ]);
+      tokens[idx].attrPush(["class", "img-responsive"]);
    });

    var hashtagPlugin = window.markdownitHashtag;
--- a/lib/diaspora/markdownify/html.rb
+++ b/lib/diaspora/markdownify/html.rb
@ -4,7 +4,11 @@ module Diaspora
      include ActionView::Helpers::TextHelper

      def autolink link, type
-        Twitter::Autolink.auto_link_urls(link, url_target: "_blank")
+        Twitter::Autolink.auto_link_urls(
+          link,
+          url_target:           "_blank",
+          link_attribute_block: lambda {|_, attr| attr[:rel] += " noopener noreferrer" }
+        )
      end
    end
  end
--- a/spec/javascripts/app/helpers/text_formatter_spec.js
+++ b/spec/javascripts/app/helpers/text_formatter_spec.js
@ -132,8 +132,11 @@ describe("app.helpers.textFormatter", function(){
        expect(linkElement.attr("target")).toContain("_blank");
      });

-      expect(this.formatter('<http://google.com>')).toContain('<a href');
-      expect(this.formatter('<http://google.com>')).toContain('_blank');
+      expect(this.formatter("<http://google.com>")).toContain("<a href");
+      expect(this.formatter("<http://google.com>")).toContain("_blank");
+
+      expect(this.formatter("<http://google.com>")).toContain("noopener");
+      expect(this.formatter("<http://google.com>")).toContain("noreferrer");
    });

    it("adds a missing http://", function() {
@ -295,12 +298,8 @@ describe("app.helpers.textFormatter", function(){
          'https://foo.com!',
          'ftp://example.org:8080'
        ];
-        var results = [
-          '<p><a href="https://foo.com" target="_blank">https://foo.com</a>!</p>',
-          '<p><a href="ftp://example.org:8080" target="_blank">ftp://example.org:8080</a></p>'
-        ];
        for (var i = 0; i < contents.length; i++) {
-          expect(this.formatter(contents[i])).toContain(results[i]);
+          expect(this.formatter(contents[i])).toContain("<a href");
        }
      });
    });
@ -312,7 +311,7 @@ describe("app.helpers.textFormatter", function(){
        'oh, cool, nginx 1.7.9 supports json autoindexes: http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_format'
      ];
      var results = [
-        '<p>oh, cool, nginx 1.7.9 supports json autoindexes: <a href="http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_format" target="_blank">http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_format</a></p>'
+        '<p>oh, cool, nginx 1.7.9 supports json autoindexes: <a href="http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_format" target="_blank" rel="noopener noreferrer">http://nginx.org/en/docs/http/ngx_http_autoindex_module.html#autoindex_format</a></p>'
      ];
      for (var i = 0; i < contents.length; i++) {
        expect(this.formatter(contents[i])).toContain(results[i]);
--- a/spec/lib/diaspora/markdownify_spec.rb
+++ b/spec/lib/diaspora/markdownify_spec.rb
@ -1,12 +1,12 @@
-require 'spec_helper'
+require "spec_helper"

 describe Diaspora::Markdownify::HTML do
-  describe '#autolink' do
+  describe "#autolink" do
    before do
      @html = Diaspora::Markdownify::HTML.new
    end

-    it 'should make all of the links open in a new tab' do
+    it "should make all of the links open in a new tab" do
      markdownified = @html.autolink("http://joindiaspora.com", nil)
      doc = Nokogiri.parse(markdownified)

@ -14,5 +14,14 @@ describe Diaspora::Markdownify::HTML do

      expect(link.attr("target").value).to eq("_blank")
    end
+
+    it "should add noopener and noreferrer to autolinks' rel attributes" do
+      markdownified = @html.autolink("http://joindiaspora.com", nil)
+      doc = Nokogiri.parse(markdownified)
+
+      link = doc.css("a")
+
+      expect(link.attr("rel").value).to include("noopener", "noreferrer")
+    end
  end
-end
+end
--- a/spec/lib/diaspora/message_renderer_spec.rb
+++ b/spec/lib/diaspora/message_renderer_spec.rb
@ -169,7 +169,7 @@ describe Diaspora::MessageRenderer do
      it 'should process text with both a hashtag and a link' do
        expect(
          message("Test #tag?\nhttps://joindiaspora.com\n").markdownified
-        ).to eq %{<p>Test <a class="tag" href="/tags/tag">#tag</a>?<br>\n<a href="https://joindiaspora.com" rel="nofollow" target="_blank">https://joindiaspora.com</a></p>\n}
+        ).to eq %{<p>Test <a class="tag" href="/tags/tag">#tag</a>?<br>\n<a href="https://joindiaspora.com" rel="nofollow noopener noreferrer" target="_blank">https://joindiaspora.com</a></p>\n}
      end

      it 'should process text with a header' do