From b2f7b586e1564e43062483eff9fa8111bbc80e32 Mon Sep 17 00:00:00 2001
From: Daniel W
Date: Sat, 6 Jul 2019 21:10:35 +0200
Subject: [PATCH] Fix tab nabbing vulnerability in formatted links

- Add attribute rel="noopener noreferrer" to tags created by formats/link.js
- Make unit tests for links expect rel attribute
---
 formats/link.js | 1 +
 test/unit/formats/link.js | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/formats/link.js b/formats/link.js
index 323241df17..f67356553a 100644
--- a/formats/link.js
+++ b/formats/link.js
@@ -4,6 +4,7 @@ class Link extends Inline {
 static create(value) {
 const node = super.create(value);
 node.setAttribute('href', this.sanitize(value));
+ node.setAttribute('rel', 'noopener noreferrer');
 node.setAttribute('target', '_blank');
 return node;
 }
diff --git a/test/unit/formats/link.js b/test/unit/formats/link.js
index 8d09d33f81..4197d1b9a0 100644
--- a/test/unit/formats/link.js
+++ b/test/unit/formats/link.js
@@ -13,7 +13,7 @@ describe('Link', function() {
 .insert('3\n'),
 );
 expect(editor.scroll.domNode).toEqualHTML(
- '
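Review bot: The new `rel` attribute is applied only inside `create()`, so it protects anchors that the Link format builds from a value; anchors that are already present in the DOM when content is loaded presumably reach this format without passing through `create()` (the rest of the class is outside the hunk) and would keep whatever `rel` they carried, which is worth confirming or normalizing wherever `target` is also normalized. A why-comment above the added line would keep the two attributes from being separated later, e.g. `// target="_blank" opens a new browsing context; noopener/noreferrer keep it from reaching window.opener (reverse tabnabbing)`. Stylistically, `'noopener noreferrer'` and `'_blank'` are a paired contract and could live as static class fields so the tests and any other callers reference one definition instead of repeating the literals.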

0123

', + '

0123

', ); }); @@ -38,14 +38,14 @@ describe('Link', function() { .insert('3\n'), ); expect(editor.scroll.domNode).toEqualHTML( - '

0123

', + '

0123

', ); }); it('change', function() { const editor = this.initialize( Editor, - '

0123

', + '

0123

', ); editor.formatText(1, 2, { link: 'https://quilljs.com' }); expect(editor.getDelta()).toEqual( @@ -55,14 +55,14 @@ describe('Link', function() { .insert('3\n'), ); expect(editor.scroll.domNode).toEqualHTML( - '

0123

', + '

0123

', ); }); it('remove', function() { const editor = this.initialize( Editor, - '

0123

', + '

0123

', ); editor.formatText(1, 2, { link: false }); const delta = new Delta()