
fix: add rel option to external links in content (#1853)

* #1853: XSS attack fix by adding rel noreferrer or rel noopener to _blank target external links

* fix: relAttributeExternalLink noopener

Co-authored-by: danallendds <daniel.allen@friends.dds.mil>
Co-authored-by: Nicolas Giard <github@ngpixel.com>
daneallen 5 years ago
parent
commit
4aa7828a92

+ 9 - 0
server/modules/rendering/html-core/definition.yml

@@ -18,3 +18,12 @@ props:
     title: Open external links in a new tab
     hint: External links will have a _blank target attribute added automatically.
     order: 2
+  relAttributeExternalLink:
+    type: String
+    default: noreferrer
+    title: Protect against XSS when opening _blank target links
+    hint: External links with _blank attribute will have an additional rel attribute.
+    order: 3
+    enum:
+        - noreferrer
+        - noopener
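Review bot: The enum added at lines 29-31 makes `noreferrer` and `noopener` mutually exclusive, and the title at line 26 calls the risk XSS when what `rel` on a `_blank` link actually mitigates is the opened page obtaining `window.opener` (reverse tabnabbing) plus referrer leakage. Current browsers treat `noreferrer` as implying `noopener`, but older engines only honour an explicit `noopener`, so a combined value is the safer choice; I would add a third enum entry `- noreferrer noopener` and make it the `default` instead of `noreferrer`. I would also reword the title to `title: Protect against reverse tabnabbing when opening _blank target links` and extend the hint with a sentence saying that `noreferrer` additionally suppresses the Referer header, so admins understand what each choice trades off.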

+ 1 - 0
server/modules/rendering/html-core/renderer.js

@@ -115,6 +115,7 @@ module.exports = {
         $(elm).addClass(`is-external-link`)
         if (this.config.openExternalLinkNewTab) {
           $(elm).attr('target', '_blank')
+          $(elm).attr('rel', this.config.relAttributeExternalLink)
         }
       }
 
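Review bot: The new line 40 overwrites any `rel` the anchor already carries (for example a `nofollow` the author wrote or an earlier rendering step added), because `attr('rel', value)` replaces the attribute rather than appending a token. Merging keeps what is already there: `$(elm).attr('rel', [$(elm).attr('rel'), this.config.relAttributeExternalLink].filter(Boolean).join(' '))`. It is also worth confirming what happens on an existing install whose stored config predates this option, since `this.config.relAttributeExternalLink` would then presumably be undefined and the link would get no protection at all; a fallback such as `?? 'noreferrer'` covers that. The enclosing function starts and ends outside the hunk.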

+ 1 - 1
server/modules/rendering/html-security/renderer.js

@@ -6,7 +6,7 @@ module.exports = {
       input = xss(input, {
         whiteList: {
           ...xss.whiteList,
-          a: ['class', 'id', 'href', 'style', 'target', 'title'],
+          a: ['class', 'id', 'href', 'style', 'target', 'title', 'rel'],
           blockquote: ['class', 'id', 'style'],
           code: ['class', 'style'],
           details: ['class', 'style'],
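Review bot: Adding `rel` to the `<a>` whitelist at line 53 lets any author-supplied `rel` value through the sanitizer unchanged, not just the token html-core sets, so whether a user-written value can conflict with or override the configured one depends on the order in which html-security and html-core run, which is not visible here. Independent of that order, I would constrain the attribute to the tokens the renderer expects rather than passing arbitrary values, for instance via the `safeAttrValue`/`onTagAttr` hooks the xss library exposes, returning the value only when every whitespace-separated token is one of `noreferrer`, `noopener` or `nofollow`. A comment above the `a:` entry such as `// 'rel' is required so the noopener/noreferrer token added by html-core survives sanitisation` would also record why the attribute is now allowed. The enclosing function starts outside the hunk.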