From 7912f0bf9e25a63ebac8f7dbf07ca32d6e90e78d Mon Sep 17 00:00:00 2001
From: gregod
Date: Tue, 10 Sep 2019 22:44:02 +0200
Subject: [PATCH] Set rel noopener and noreferrer on external links in markdown (#3666)
* Set rel noopener and noreferrer on external links in markdown
* Update ha-markdown.ts
* Update ha-markdown.ts
---
 src/components/ha-markdown.ts | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/components/ha-markdown.ts b/src/components/ha-markdown.ts
index e811e31373..fdfd980dd5 100644
--- a/src/components/ha-markdown.ts
+++ b/src/components/ha-markdown.ts
@@ -49,13 +49,17 @@ class HaMarkdown extends UpdatingElement {
  // Open external links in a new window
  if (
- node.nodeName === "A" &&
- (node as HTMLAnchorElement).host !== document.location.host
+ node instanceof HTMLAnchorElement &&
+ node.host !== document.location.host
  ) {
- (node as HTMLAnchorElement).target = "_blank";
+ node.target = "_blank";
+
+ // protect referrer on external links and deny window.opener access for security reasons
+ // (see https://mathiasbynens.github.io/rel-noopener/)
+ node.rel = "noreferrer noopener";
  // Fire a resize event when images loaded to notify content resized
- } else if (node.nodeName === "IMG") {
+ } else if (node) {
  node.addEventListener("load", this._resize);
  }
  }
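Review bot: The new `} else if (node) {` branch no longer limits the `load` listener to images: every walked node that is not an external link, same-host anchors included, now gets `this._resize` attached. The `nodeName === "IMG"` test was presumably dropped along with the casts, but a type guard keeps the original intent: `} else if (node instanceof HTMLImageElement) {`. Separately, `node.rel = "noreferrer noopener";` replaces any rel tokens already on the anchor, whereas `node.relList.add("noreferrer", "noopener");` would keep them. The enclosing loop and method start and end outside the hunk, so which nodes the walker visits is not visible here.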