From 1c8c208acf35d7cb8f93457efc76cf0259ccd171 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Thu, 11 Jun 2020 14:29:37 +0200
Subject: [PATCH] Add rel noopener noreferrer to all none local links with
 target blank.

---
 hypha/apply/funds/templates/funds/application_base.html      | 2 +-
 .../templates/stream_forms/includes/file_field.html          | 2 +-
 hypha/apply/templates/forms/includes/field.html              | 2 +-
 .../javascript/apply/application-form-links-new-window.js    | 5 ++++-
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/hypha/apply/funds/templates/funds/application_base.html b/hypha/apply/funds/templates/funds/application_base.html
index 32b43e12a..37664fc00 100644
--- a/hypha/apply/funds/templates/funds/application_base.html
+++ b/hypha/apply/funds/templates/funds/application_base.html
@@ -32,7 +32,7 @@
         <h3>{% blocktrans %}Sorry this {{ page|verbose_name }} is not accepting applications at the moment{% endblocktrans %}</h3>
     {% else%}
         {% if page.get_parent.specific.guide_link %}
-            <a href="{{ page.get_parent.specific.guide_link }}" class="link link--fixed-apply" target="_blank">
+            <a href="{{ page.get_parent.specific.guide_link }}" class="link link--fixed-apply" target="_blank" rel="noopener noreferrer">
                 {% trans "Application guide" %}
             </a>
         {% endif %}
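Review bot: The added `rel="noopener noreferrer"` keeps the new tab from reaching `window.opener`, but the `href` is still filled directly from `page.get_parent.specific.guide_link`, and no scheme restriction is visible in this hunk. Template auto-escaping only escapes HTML characters; it does not reject a non-web scheme. Confirm that the field behind `guide_link` is validated as an http(s) URL, for example a `URLField` with its default validator. The same applies to `field.field.help_link` in `forms/includes/field.html`. A template comment such as `{# guide_link is validated as an http(s) URL on the model #}` would record that assumption next to the link; the surrounding `{% if %}` block starts above the hunk.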
diff --git a/hypha/apply/stream_forms/templates/stream_forms/includes/file_field.html b/hypha/apply/stream_forms/templates/stream_forms/includes/file_field.html
index 79079bf27..be1213532 100644
--- a/hypha/apply/stream_forms/templates/stream_forms/includes/file_field.html
+++ b/hypha/apply/stream_forms/templates/stream_forms/includes/file_field.html
@@ -1,4 +1,4 @@
-<a class="link link--download" href="{{ file.url }}" target="_blank">
+<a class="link link--download" href="{{ file.url }}" target="_blank" rel="noopener noreferrer">
     <div>
         <svg><use xlink:href="#file"></use></svg>
         <span>{{ file.filename }}</span>
diff --git a/hypha/apply/templates/forms/includes/field.html b/hypha/apply/templates/forms/includes/field.html
index 26fae3c76..4fd4a8304 100644
--- a/hypha/apply/templates/forms/includes/field.html
+++ b/hypha/apply/templates/forms/includes/field.html
@@ -25,7 +25,7 @@
     {% endif %}
 
     {% if field.field.help_link %}
-        <p class="form__help-link"><a href="{{ field.field.help_link }}" target="_blank">See help guide for more information.<svg class="form__open-icon"><use xlink:href="#open-in-new-tab"></use></svg></a></p>
+        <p class="form__help-link"><a href="{{ field.field.help_link }}" target="_blank" rel="noopener noreferrer">See help guide for more information.<svg class="form__open-icon"><use xlink:href="#open-in-new-tab"></use></svg></a></p>
     {% endif %}
 
     <div class="form__item">
diff --git a/hypha/static_src/src/javascript/apply/application-form-links-new-window.js b/hypha/static_src/src/javascript/apply/application-form-links-new-window.js
index 4cca0c08c..ba701d96a 100644
--- a/hypha/static_src/src/javascript/apply/application-form-links-new-window.js
+++ b/hypha/static_src/src/javascript/apply/application-form-links-new-window.js
@@ -3,6 +3,9 @@
     'use strict';
 
     // Make links on application forms open in a new window/tab.
-    $('.application-form').find('a').attr('target', '_blank');
+    $('.application-form').find('a').attr({
+        target: '_blank',
+        rel: 'noopener noreferrer'
+    });
 
 })(jQuery);
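Review bot: The new `.attr({...})` call overwrites whatever `rel` an anchor already carries and runs on every `a` under `.application-form`. A link authored with another relation such as `rel="nofollow"` would therefore lose it. Same-site and fragment links also receive `noreferrer`, although the commit subject limits the change to non-local links. Merging the two tokens into the existing value keeps the `window.opener` protection without discarding other relations. Anchors inserted into the form after this script has run are not covered, which deserves a line in the existing comment; the enclosing function starts above the hunk.

```javascript
// Make links on application forms open in a new window/tab.
// Only anchors present when this runs are covered.
$('.application-form').find('a').each(function () {
    var $link = $(this);
    // Keep any rel tokens the author set and add the two we need.
    var tokens = ($link.attr('rel') || '').split(/\s+/).filter(Boolean);
    ['noopener', 'noreferrer'].forEach(function (token) {
        if (tokens.indexOf(token) === -1) {
            tokens.push(token);
        }
    });
    $link.attr({
        target: '_blank',
        rel: tokens.join(' ')
    });
});
```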
-- 
GitLab