Improve user privacy with secure outbound links

All outbound links now include `rel="noopener noreferrer"` attribute.
This security improvement prevents the new page from being able to
access the `window.opener` property and ensures it runs in a separate
process.

`rel="noopener"`:

   When a new page is opened using `target="_blank"`, the new page runs
   on the same process as the originating page, and has a reference to
   the originating page `window.opener`. By implementing
   `rel="noopener"`, the new page is prevented to use `window.opener`
   property.
   It's security issue because the newly opened website could
   potentially redirect the page to a malicious URL. Even though
   privacy.sexy doesn't have any sensitive information to protect, this
   can still be a vector for phishing attacks.

`rel="noreferrer"`:

  It implies features of `noopener`, and also prevents `Referer` header
  from being sent to the new page. Referer headers may include
  sensitive data, because they tell the new page the URL of the page
  the request is coming from.

src/presentation/components/Scripts/View/ScriptsTree/SelectableTree/Node/Documentation/MarkdownRenderer.ts

@@ -124,33 +124,50 @@ function isGoodPathPart(part: string): boolean {
     && !/^[0-9a-f]{40}$/.test(part); // Git SHA (e.g. GitHub links)
 }
 
+const ExternalAnchorElementAttributes: Record<string, string> = {
+  target: '_blank',
+  rel: 'noopener noreferrer',
+};
+
 function openUrlsInNewTab(md: MarkdownIt) {
   // https://github.com/markdown-it/markdown-it/blob/12.2.0/docs/architecture.md#renderer
-  const defaultRender = getDefaultRenderer(md, 'link_open');
+  const defaultRender = getOrDefaultRenderer(md, 'link_open');
   md.renderer.rules.link_open = (tokens, idx, options, env, self) => {
     const token = tokens[idx];
-    if (!getTokenAttributeValue(token, 'target')) {
-      token.attrPush(['target', '_blank']);
-    }
+
+    Object.entries(ExternalAnchorElementAttributes).forEach(([name, value]) => {
+      const currentValue = getAttribute(token, name);
+      if (!currentValue) {
+        token.attrPush([name, value]);
+      } else if (currentValue !== value) {
+        setAttribute(token, name, value);
+      }
+    });
     return defaultRender(tokens, idx, options, env, self);
   };
 }
 
-function getDefaultRenderer(md: MarkdownIt, ruleName: string): Renderer.RenderRule {
+function getOrDefaultRenderer(md: MarkdownIt, ruleName: string): Renderer.RenderRule {
   const renderer = md.renderer.rules[ruleName];
-  if (renderer) {
-    return renderer;
-  }
-  return (tokens, idx, options, _env, self) => {
+  return renderer || defaultRenderer;
+  function defaultRenderer(tokens, idx, options, _env, self) {
     return self.renderToken(tokens, idx, options);
-  };
+  }
 }
 
-function getTokenAttributeValue(token: Token, attributeName: string): string | undefined {
-  const attributeIndex = token.attrIndex(attributeName);
+function getAttribute(token: Token, name: string): string | undefined {
+  const attributeIndex = token.attrIndex(name);
   if (attributeIndex < 0) {
     return undefined;
   }
   const value = token.attrs[attributeIndex][1];
   return value;
 }
+
+function setAttribute(token: Token, name: string, value: string): void {
+  const attributeIndex = token.attrIndex(name);
+  if (attributeIndex < 0) {
+    throw new Error('Attribute does not exist');
+  }
+  token.attrs[attributeIndex][1] = value;
+}

src/presentation/components/Scripts/View/TheScriptsView.vue

@@ -20,7 +20,7 @@
           <div>Sorry, no matches for "{{this.searchQuery | threeDotsTrim }}" 😞</div>
           <div>
             Feel free to extend the scripts
-            <a :href="repositoryUrl" target="_blank" class="child github">here</a> ✨
+            <a :href="repositoryUrl" class="child github" target="_blank" rel="noopener noreferrer">here</a> ✨
           </div>
         </div>
       </div>