Improve user privacy with secure outbound links

All outbound links now include `rel="noopener noreferrer"` attribute. This security improvement prevents the new page from being able to access the `window.opener` property and ensures it runs in a separate process. `rel="noopener"`: When a new page is opened using `target="_blank"`, the new page runs on the same process as the originating page, and has a reference to the originating page `window.opener`. By implementing `rel="noopener"`, the new page is prevented to use `window.opener` property. It's security issue because the newly opened website could potentially redirect the page to a malicious URL. Even though privacy.sexy doesn't have any sensitive information to protect, this can still be a vector for phishing attacks. `rel="noreferrer"`: It implies features of `noopener`, and also prevents `Referer` header from being sent to the new page. Referer headers may include sensitive data, because they tell the new page the URL of the page the request is coming from.
2023-08-06 02:09:11 +02:00
parent ff84f5676e
commit 3a594ac7fd
6 changed files with 98 additions and 45 deletions
--- a/tests/unit/presentation/components/Scripts/View/Tree/SelectableTree/Node/Documentation/MarkdownRenderer.spec.ts
+++ b/tests/unit/presentation/components/Scripts/View/Tree/SelectableTree/Node/Documentation/MarkdownRenderer.spec.ts
@@ -10,17 +10,53 @@ describe('MarkdownRenderer', () => {
      // assert
      expect(renderer !== undefined);
    });
-    it('opens URLs in new tab', () => {
-      // arrange
-      const renderer = createRenderer();
-      const markdown = '[undergroundwires.dev](https://undergroundwires.dev)';
-      // act
-      const htmlString = renderer.render(markdown);
-      // assert
-      const html = parseHtml(htmlString);
-      const aElement = html.getElementsByTagName('a')[0];
-      const href = aElement.getAttribute('target');
-      expect(href).to.equal('_blank');
+    describe('sets expected anchor attributes', () => {
+      const attributes: ReadonlyArray<{
+        readonly name: string,
+        readonly expectedValue: string,
+        readonly invalidMarkdown: string
+      }> = [
+        {
+          name: 'target',
+          expectedValue: '_blank',
+          invalidMarkdown: '<a href="https://undergroundwires.dev" target="_self">example</a>',
+        },
+        {
+          name: 'rel',
+          expectedValue: 'noopener noreferrer',
+          invalidMarkdown: '<a href="https://undergroundwires.dev" rel="nooverride">example</a>',
+        },
+      ];
+      for (const attribute of attributes) {
+        const { name, expectedValue, invalidMarkdown } = attribute;
+
+        it(`adds "${name}" attribute to anchor elements`, () => {
+          // arrange
+          const renderer = createRenderer();
+          const markdown = '[undergroundwires.dev](https://undergroundwires.dev)';
+
+          // act
+          const htmlString = renderer.render(markdown);
+
+          // assert
+          const html = parseHtml(htmlString);
+          const aElement = html.getElementsByTagName('a')[0];
+          expect(aElement.getAttribute(name)).to.equal(expectedValue);
+        });
+
+        it(`overrides existing "${name}" attribute`, () => {
+          // arrange
+          const renderer = createRenderer();
+
+          // act
+          const htmlString = renderer.render(invalidMarkdown);
+
+          // assert
+          const html = parseHtml(htmlString);
+          const aElement = html.getElementsByTagName('a')[0];
+          expect(aElement.getAttribute(name)).to.equal(expectedValue);
+        });
+      }
    });
    it('does not convert single linebreak to <br>', () => {
      // arrange