fix: add rel option to external links in content (#1853)

* #1853: XSS attack fix by adding rel noferrer or rel noopen to _blank target external links

* fix: relAttributeExternalLink noopener

Co-authored-by: danallendds <daniel.allen@friends.dds.mil>
Co-authored-by: Nicolas Giard <github@ngpixel.com>
This commit is contained in:
daneallen 2020-05-07 16:45:11 -04:00 committed by GitHub
parent 6624df2c63
commit 4aa7828a92
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 1 deletions

View File

@ -18,3 +18,12 @@ props:
title: Open external links in a new tab
hint: External links will have a _blank target attribute added automatically.
order: 2
relAttributeExternalLink:
type: String
default: noreferrer
title: Protect against XSS when opening _blank target links
hint: External links with _blank attribute will have an additional rel attribute.
order: 3
enum:
- noreferrer
- noopener

View File

@ -115,6 +115,7 @@ module.exports = {
$(elm).addClass(`is-external-link`)
if (this.config.openExternalLinkNewTab) {
$(elm).attr('target', '_blank')
$(elm).attr('rel', this.config.relAttributeExternalLink)
}
}

View File

@ -6,7 +6,7 @@ module.exports = {
input = xss(input, {
whiteList: {
...xss.whiteList,
a: ['class', 'id', 'href', 'style', 'target', 'title'],
a: ['class', 'id', 'href', 'style', 'target', 'title', 'rel'],
blockquote: ['class', 'id', 'style'],
code: ['class', 'style'],
details: ['class', 'style'],