From 7912f0bf9e25a63ebac8f7dbf07ca32d6e90e78d Mon Sep 17 00:00:00 2001
From: gregod <github@k9z.de>
Date: Tue, 10 Sep 2019 22:44:02 +0200
Subject: [PATCH] Set rel noopener and noreferrer on external links in markdown
 (#3666)

* Set rel noopener and noreferrer on external links in markdown

* Update ha-markdown.ts

* Update ha-markdown.ts
---
 src/components/ha-markdown.ts | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/components/ha-markdown.ts b/src/components/ha-markdown.ts
index e811e31373..fdfd980dd5 100644
--- a/src/components/ha-markdown.ts
+++ b/src/components/ha-markdown.ts
@@ -49,13 +49,17 @@ class HaMarkdown extends UpdatingElement {
 
       // Open external links in a new window
       if (
-        node.nodeName === "A" &&
-        (node as HTMLAnchorElement).host !== document.location.host
+        node instanceof HTMLAnchorElement &&
+        node.host !== document.location.host
       ) {
-        (node as HTMLAnchorElement).target = "_blank";
+        node.target = "_blank";
+
+        // protect referrer on external links and deny window.opener access for security reasons
+        // (see https://mathiasbynens.github.io/rel-noopener/)
+        node.rel = "noreferrer noopener";
 
         // Fire a resize event when images loaded to notify content resized
-      } else if (node.nodeName === "IMG") {
+      } else if (node) {
         node.addEventListener("load", this._resize);
       }
     }