fix: add rel option to external links in content (#1853)

* #1853: XSS attack fix by adding rel noferrer or rel noopen to _blank target external links

* fix: relAttributeExternalLink noopener

Co-authored-by: danallendds <daniel.allen@friends.dds.mil>
Co-authored-by: Nicolas Giard <github@ngpixel.com>

server/modules/rendering/html-core/definition.yml

@@ -18,3 +18,12 @@ props:
     title: Open external links in a new tab
     hint: External links will have a _blank target attribute added automatically.
     order: 2
+  relAttributeExternalLink:
+    type: String
+    default: noreferrer
+    title: Protect against XSS when opening _blank target links
+    hint: External links with _blank attribute will have an additional rel attribute.
+    order: 3
+    enum:
+        - noreferrer
+        - noopener

server/modules/rendering/html-core/renderer.js

@@ -115,6 +115,7 @@ module.exports = {
         $(elm).addClass(`is-external-link`)
         if (this.config.openExternalLinkNewTab) {
           $(elm).attr('target', '_blank')
+          $(elm).attr('rel', this.config.relAttributeExternalLink)
         }
       }