I was hoping to have some code in place to prevent phishing attacks, by adding rel="noopener and noreferrer" when adding target="_blank".
I'm not exactly an amazing JavaScript developer, but I figured submitting a patch is probably better than not submitting one, so here's hoping this isn't awful.

It shouldn't override any other rel values already set by the user.

Edit: It occurred to me that I should probably add an explanation and example.

Explanation

Benign example
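
The behaviour the issue summary asks for (add noopener and noreferrer whenever target="_blank" is set, without overriding rel values already present) can be sketched as follows. This is an added example, not the submitted patch or the module's code; `mergeRel`, `openInNewWindow` and `fakeLink` are hypothetical names, and `fakeLink` is a constructed stand-in for a DOM anchor so the block runs outside a browser.

```javascript
// Tokens that stop the opened page from reaching window.opener
// and suppress the Referer header.
const REQUIRED_REL = ['noopener', 'noreferrer'];

// Merge the required tokens into an existing rel value.
// Author-set tokens (nofollow, external, ...) are kept in their original
// order and spelling; rel keywords compare case-insensitively, so
// "NoOpener" counts as already present and is not duplicated.
function mergeRel(existing) {
  const tokens = (existing || '').split(/\s+/).filter(Boolean);
  const seen = new Set(tokens.map((t) => t.toLowerCase()));
  for (const required of REQUIRED_REL) {
    if (!seen.has(required)) {
      tokens.push(required);
      seen.add(required);
    }
  }
  return tokens.join(' ');
}

// Set target="_blank" and the hardened rel in one step, so a link is
// never left with the target but without the rel tokens.
// `link` is anything exposing getAttribute/setAttribute (a DOM anchor).
function openInNewWindow(link) {
  link.setAttribute('target', '_blank');
  link.setAttribute('rel', mergeRel(link.getAttribute('rel')));
  return link;
}

// Constructed stand-in for an <a> element (assumption for this example).
function fakeLink(attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    getAttribute: (name) => (map.has(name) ? map.get(name) : null),
    setAttribute: (name, value) => { map.set(name, String(value)); },
  };
}

// Constructed sample: an external link that already carries rel="nofollow".
const sample = openInNewWindow(
  fakeLink({ href: 'https://example.com/', rel: 'nofollow' })
);
console.log(sample.getAttribute('target'), sample.getAttribute('rel'));
```
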


Comments

kulonlz created an issue. See original summary.

kulonlz’s picture

FileSize
1.24 KB
kulonlz’s picture

Issue summary: View changes

  • elachlan committed b78a761 on 7.x-1.x authored by kulonlz
    Issue #2792603 by kulonlz: Add security measures for target="_blank"
    
elachlan’s picture

Status: Active » Fixed

Thanks for the patch, the example was very helpful.

elachlan’s picture

Status: Fixed » Patch (to be ported)

Could you also do a patch up for 8.x?

kulonlz’s picture

Sure thing. :-)

kulonlz’s picture

Should be better naming convention for this one.

kulonlz’s picture

Is there a reason this (see code below) is added twice for 8.x? Also, would you prefer a separate issue for the 8.x patch?

if(drupalSettings.data.extlink.extTarget)

elachlan’s picture

You can create a separate issue if you wish.

Normally we do changes to the newest version (8.x) first then backport it.

kulonlz’s picture

Will do. Thank you for taking the time to answer me.

In my defense, that was the newest version at the time. :-)

elachlan’s picture

Status: Patch (to be ported) » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.