From 632c5e3629c2432371bb6339ad883208bff64ac2 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Mon, 19 Mar 2018 18:30:28 +0100
Subject: [PATCH] More secure target blank links

---
 .../video-abuse-list.component.html | 4 ++--
 client/src/app/shared/misc/help.component.ts | 3 ++-
 .../comment/video-comment.component.html | 2 +-
 .../comment/video-comment.component.ts | 3 ++-
 .../+video-watch/video-watch.component.html | 2 +-
 .../src/app/videos/shared/markdown.service.ts | 19 ++++++++++---------
 6 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html b/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html
index fcbdc6147..13a5b1117 100644
--- a/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html
+++ b/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html
@@ -19,13 +19,13 @@ {{ videoAbuse.reason }} - + {{ createByString(videoAbuse.reporterAccount) }} {{ videoAbuse.createdAt }} - + {{ videoAbuse.video.name }}
diff --git a/client/src/app/shared/misc/help.component.ts b/client/src/app/shared/misc/help.component.ts
index a4a223cd6..19ac38b58 100644
--- a/client/src/app/shared/misc/help.component.ts
+++ b/client/src/app/shared/misc/help.component.ts
@@ -46,7 +46,8 @@ export class HelpComponent implements OnInit {
 }
 private formatMarkdownSupport (rules: string[]) {
- return 'Markdown compatible that supports:' +
+ return 'Markdown ' +
+ 'compatible that supports:' +
 this.createMarkdownList(rules)
 }
diff --git a/client/src/app/videos/+video-watch/comment/video-comment.component.html b/client/src/app/videos/+video-watch/comment/video-comment.component.html
index 831ea0521..8a649e88f 100644
--- a/client/src/app/videos/+video-watch/comment/video-comment.component.html
+++ b/client/src/app/videos/+video-watch/comment/video-comment.component.html
@@ -5,7 +5,7 @@
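Review bot: The split literal `'Markdown ' + 'compatible that supports:'` in formatMarkdownSupport changes nothing at runtime and reads like an unfinished edit, as if a link or markup was meant to go between the two pieces. Either restore the single line `return 'Markdown compatible that supports:' +` or finish the intended change so the split has a purpose. formatMarkdownSupport's caller and createMarkdownList are outside the hunk, so whether the result is rendered as HTML or as plain text cannot be told from here.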
Highlighted comment
- + {{ comment.createdAt | myFromNow }}
diff --git a/client/src/app/videos/+video-watch/comment/video-comment.component.ts b/client/src/app/videos/+video-watch/comment/video-comment.component.ts
index cfcefed83..26fc9d0b8 100644
--- a/client/src/app/videos/+video-watch/comment/video-comment.component.ts
+++ b/client/src/app/videos/+video-watch/comment/video-comment.component.ts
@@ -107,7 +107,8 @@ export class VideoCommentComponent implements OnInit, OnChanges {
 return {
 tagName,
 attribs: Object.assign(attribs, {
- target: '_blank'
+ target: '_blank',
+ rel: 'noopener noreferrer'
 })
 }
 }
diff --git a/client/src/app/videos/+video-watch/video-watch.component.html b/client/src/app/videos/+video-watch/video-watch.component.html
index 6a7da0614..6c7fc08e1 100644
--- a/client/src/app/videos/+video-watch/video-watch.component.html
+++ b/client/src/app/videos/+video-watch/video-watch.component.html
@@ -183,7 +183,7 @@ Friendly Reminder:
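Review bot: `Object.assign(attribs, { ... })` mutates the `attribs` object handed to this callback instead of building a new one, so the caller's attribute map now carries `target` and `rel` as a side effect of the call. Returning a copy, `attribs: { ...attribs, target: '_blank', rel: 'noopener noreferrer' }`, produces the same tag attributes without touching the input. Presumably this is a sanitizer transform hook where the mutation is harmless in practice, but the copy is easier to reason about and costs nothing. The enclosing function starts and ends outside the hunk.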
The sharing system used by this video implies that some technical information about your system (such as a public IP address) can be accessed publicly. - More information + More information
diff --git a/client/src/app/videos/shared/markdown.service.ts b/client/src/app/videos/shared/markdown.service.ts
index 9d73efa46..dd8ff20d8 100644
--- a/client/src/app/videos/shared/markdown.service.ts
+++ b/client/src/app/videos/shared/markdown.service.ts
@@ -52,18 +52,19 @@ export class MarkdownService {
 return self.renderToken(tokens, idx, options)
 }
- markdownIt.renderer.rules.link_open = function (tokens, idx, options, env, self) {
- // If you are sure other plugins can't add `target` - drop check below
- const aIndex = tokens[idx].attrIndex('target')
+ markdownIt.renderer.rules.link_open = function (tokens, index, options, env, self) {
+ const token = tokens[index]
- if (aIndex < 0) {
- tokens[idx].attrPush(['target', '_blank']) // add new attribute
- } else {
- tokens[idx].attrs[aIndex][1] = '_blank' // replace value of existing attr
- }
+ const targetIndex = token.attrIndex('target')
+ if (targetIndex < 0) token.attrPush([ 'target', '_blank' ])
+ else token.attrs[targetIndex][1] = '_blank'
+
+ const relIndex = token.attrIndex('rel')
+ if (relIndex < 0) token.attrPush([ 'rel', 'noopener noreferrer' ])
+ else token.attrs[relIndex][1] = 'noopener noreferrer'
 // pass token to default renderer.
- return defaultRender(tokens, idx, options, env, self)
+ return defaultRender(tokens, index, options, env, self)
 }
 }
--
2.41.0
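Review bot: The `rel` branch on the new side, `else token.attrs[relIndex][1] = 'noopener noreferrer'`, replaces any existing `rel` wholesale, so a value set by another plugin (a `nofollow`, for instance) is silently dropped, whereas for `target` overwriting is exactly what is wanted. markdown-it's Token API already provides both operations: `token.attrSet('target', '_blank')` and `token.attrJoin('rel', 'noopener noreferrer')` replace the two hand-rolled attrIndex/attrPush blocks, with attrJoin appending to an existing `rel` instead of clobbering it, assuming the project's markdown-it version exposes them. The hook also leaves `href` untouched and so relies on markdown-it's default link validation to reject unsafe schemes; a one-line comment such as `// href is validated by markdown-it itself; this hook only adds target/rel` would make that dependency explicit. The enclosing method of MarkdownService starts and ends outside the hunk.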