Use `rel=noopener` with links that contain `target=_blank`...

to prevent potential phishing attacks. More info here: https://mathiasbynens.github.io/rel-noopener

Use `rel=noopener` with links that contain `target=_blank`...
to prevent potential phishing attacks. More info here: https://mathiasbynens.github.io/rel-noopener
df99fa8c · JC Brand · 4f8c46c4 · df99fa8c · df99fa8c · df99fa8c
Commit df99fa8c authored Mar 16, 2016 by JC Brand
5 changed files
--- a/docs/CHANGES.md
+++ b/docs/CHANGES.md
@@ -7,6 +7,8 @@
  encrypted session. [jcbrand]
 - Bugfix: RID, SID and JID tokens ignored when `keepalive` set to `true`. [jcbrand]
 - Removed the `account.logout` API, instead use `user.logout`. [jcbrand]
+- Use `rel=noopener` with links that contain `target=_blank` to prevent potential phishing attacks.
+  [More info here](https://mathiasbynens.github.io/rel-noopener/) [jcbrand]
 - #261 `show_controlbox_by_default` config not working [diditopher]
 - #443 HTML5 notifications of received messages [jcbrand]
 - #534 Updated Russian translation [badfiles]

--- a/src/templates/chatbox.html
+++ b/src/templates/chatbox.html
@@ -7,7 +7,7 @@
        <a class="chatbox-btn toggle-chatbox-button icon-minus" title="{{info_minimize}}"></a>
        <div class="chat-title">
            {[ if (url) { ]}
-                <a href="{{url}}" target="_blank" class="user">
+                <a href="{{url}}" target="_blank" rel="noopener" class="user">
            {[ } ]}
                    {{ title }}
            {[ if (url) { ]}

--- a/src/templates/register_panel.html
+++ b/src/templates/register_panel.html
@@ -2,6 +2,6 @@
    <span class="reg-feedback"></span>
    <label>{{label_domain}}</label>
    <input type="text" name="domain" placeholder="{{domain_placeholder}}">
-    <p class="form-help">{{help_providers}} <a href="{{href_providers}}" class="url" target="_blank">{{help_providers_link}}</a>.</p>
+    <p class="form-help">{{help_providers}} <a href="{{href_providers}}" class="url" target="_blank" rel="noopener">{{help_providers_link}}</a>.</p>
    <input class="pure-button button-primary" type="submit" value="{{label_register}}">
 </form>
--- a/src/templates/toolbar_otr.html
+++ b/src/templates/toolbar_otr.html
@@ -25,7 +25,7 @@
            {[ if (otr_status == UNVERIFIED) { ]}
               <li><a class="auth-otr" data-scheme="fingerprint" href="#">{{label_verify_with_fingerprints}}</a></li>
            {[ } ]}
-            <li><a href="http://www.cypherpunks.ca/otr/help/3.2.0/levels.php" target="_blank">{{label_whats_this}}</a></li>
+            <li><a href="http://www.cypherpunks.ca/otr/help/3.2.0/levels.php" target="_blank" rel="noopener">{{label_whats_this}}</a></li>
        </ul>
    </li>
 {[ } ]}
--- a/src/utils.js
+++ b/src/utils.js
@@ -43,7 +43,7 @@
                    for (i=0; i<list.length; i++) {
                        var prot = list[i].indexOf('http://') === 0 || list[i].indexOf('https://') === 0 ? '' : 'http://';
                        var escaped_url = encodeURI(decodeURI(list[i])).replace(/[!'()]/g, escape).replace(/\*/g, "%2A");
-                        x = x.replace(list[i], "<a target='_blank' href='" + prot + escaped_url + "'>"+ list[i] + "</a>" );
+                        x = x.replace(list[i], '<a target="_blank" rel="noopener" href="' + prot + escaped_url + '">'+ list[i] + '</a>' );
                    }
                }
                $(obj).html(x);