From 4aa7828a9212a9f6907b4aace18065e8f7c09be2 Mon Sep 17 00:00:00 2001
From: daneallen
Date: Thu, 7 May 2020 16:45:11 -0400
Subject: [PATCH] fix: add rel option to external links in content (#1853)

* #1853: XSS attack fix by adding rel noferrer or rel noopen to _blank target external links
* fix: relAttributeExternalLink noopener
Co-authored-by: danallendds
Co-authored-by: Nicolas Giard
---
server/modules/rendering/html-core/definition.yml | 9 +++++++++
server/modules/rendering/html-core/renderer.js | 1 +
server/modules/rendering/html-security/renderer.js | 2 +-
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/server/modules/rendering/html-core/definition.yml b/server/modules/rendering/html-core/definition.yml
index c11da260..2fe4783c 100644
--- a/server/modules/rendering/html-core/definition.yml
+++ b/server/modules/rendering/html-core/definition.yml
@@ -18,3 +18,12 @@ props:
 title: Open external links in a new tab
 hint: External links will have a _blank target attribute added automatically.
 order: 2
+ relAttributeExternalLink:
+ type: String
+ default: noreferrer
+ title: Protect against XSS when opening _blank target links
+ hint: External links with _blank attribute will have an additional rel attribute.
+ order: 3
+ enum:
+ - noreferrer
+ - noopener
diff --git a/server/modules/rendering/html-core/renderer.js b/server/modules/rendering/html-core/renderer.js
index 55cb4318..50c2947f 100644
--- a/server/modules/rendering/html-core/renderer.js
+++ b/server/modules/rendering/html-core/renderer.js
@@ -115,6 +115,7 @@ module.exports = {
 $(elm).addClass(`is-external-link`)
 if (this.config.openExternalLinkNewTab) {
 $(elm).attr('target', '_blank')
+ $(elm).attr('rel', this.config.relAttributeExternalLink)
 }
 }
diff --git a/server/modules/rendering/html-security/renderer.js b/server/modules/rendering/html-security/renderer.js
index 4e40e654..21d44fef 100644
--- a/server/modules/rendering/html-security/renderer.js
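Review bot: The added `title:` line labels this option an XSS protection, but what a `rel` on a `target="_blank"` link mitigates is reverse tabnabbing — the opened page obtaining a `window.opener` handle to the wiki tab — not script injection, so the label will mislead administrators deciding whether to keep it enabled. The `enum` also makes `noreferrer` and `noopener` mutually exclusive, whereas the usual recommendation is to set both: `noreferrer` implies `noopener` in current browsers, but `noopener` alone still sends the Referer header to the external site, and the hint says neither. I would change the label to `title: Protect against reverse tabnabbing on _blank target links`, make the hint say what each value does, `hint: Adds a rel attribute so the opened page cannot reach window.opener; noreferrer additionally withholds the Referer header.`, and add the combined value `- noopener noreferrer` to the enum so both protections can be enabled together.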
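Review bot: The added `$(elm).attr('rel', …)` line replaces whatever `rel` the anchor already carries instead of adding to it, so an author-supplied value such as `rel="nofollow"` is silently dropped. It also writes `this.config.relAttributeExternalLink` unguarded; on an instance whose stored renderer config predates this option the value is presumably undefined, and cheerio's `attr(name, undefined)` likely acts as a getter rather than a setter, in which case such installs would emit `target="_blank"` with no `rel` at all — please confirm how missing config keys are defaulted. Merging tokens with a fallback covers both cases: `const rel = new Set(($(elm).attr('rel') || '').split(/\s+/).filter(Boolean))`, `rel.add(this.config.relAttributeExternalLink || 'noopener')`, `$(elm).attr('rel', [...rel].join(' '))`. The function these lines belong to starts before the hunk.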
+++ b/server/modules/rendering/html-security/renderer.js
@@ -6,7 +6,7 @@ module.exports = {
 input = xss(input, {
 whiteList: {
 ...xss.whiteList,
- a: ['class', 'id', 'href', 'style', 'target', 'title'],
+ a: ['class', 'id', 'href', 'style', 'target', 'title', 'rel'],
 blockquote: ['class', 'id', 'style'],
 code: ['class', 'style'],
 details: ['class', 'style'],
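Review bot: Whitelisting `rel` on the changed `a:` line passes any author-supplied `rel` through unchanged, and `target` was already allowed, so raw-HTML content can still yield `<a target="_blank">` with no `rel`, or an explicit `rel="opener"`, and nothing in this sanitizer corrects either; whether the html-core renderer's rel insertion runs after this pass and would repair it is not visible here, and that insertion is in any case gated on the `openExternalLinkNewTab` setting. Since the protection is a property of `target="_blank"` rather than of the link being external, it belongs in the sanitizer too: js-xss's `onTag`/`onTagAttr` hooks, or a post-pass over the sanitized output, can rewrite every anchor whose `target` is `_blank` so that its `rel` contains `noopener`, and strip a bare `opener` token. That keeps the guarantee independent of the html-core configuration. The `xss()` call these lines belong to continues past the end of the hunk.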