Add rel='noopener' to all links opening in a new window

pabzm · pabzm · commit a361fa79f132 · 2025-11-04T16:03:22.000+01:00
Browsers younger than ~5 years don't need this, but older browsers might cause problems.

Code style change as demanded by eslint

Remove accidentally added `id` attribute

Fix test as it was intended
diff --git a/plugins/help/help.php b/plugins/help/help.php
@@ -162,7 +162,7 @@ public function error_page($args)
             && $rcmail->request_status == rcube::REQUEST_ERROR_URL
             && ($url = $rcmail->config->get('help_csrf_info'))
         ) {
-            $args['text'] .= '<p>' . html::a(['href' => $url, 'target' => '_blank'], $this->gettext('csrfinfo')) . '</p>';
+            $args['text'] .= '<p>' . html::a(['href' => $url, 'target' => '_blank', 'rel' => 'noopener'], $this->gettext('csrfinfo')) . '</p>';
         }
 
         return $args;
diff --git a/program/actions/contacts/show.php b/program/actions/contacts/show.php
@@ -194,6 +194,7 @@ public static function render_url_value($url)
         return html::a([
                 'href' => $prefix . $url,
                 'target' => '_blank',
+                'rel' => 'noopener',
                 'class' => 'url',
             ],
             rcube::Q($url)
diff --git a/program/actions/mail/index.php b/program/actions/mail/index.php
@@ -1324,6 +1324,7 @@ public static function washtml_link_callback($tag, $attribs, $content, $washtml)
                 }
             } elseif (!empty($attrib['href']) && $attrib['href'][0] != '#') {
                 $attrib['target'] = '_blank';
+                $attrib['rel'] = 'noopener';
             }
 
             // Better security by adding rel="noreferrer" (#1484686)
diff --git a/program/actions/settings/about.php b/program/actions/settings/about.php
@@ -43,10 +43,10 @@ public function run($args = [])
             },
             'license' => static function () {
                 return 'This program is free software; you can redistribute it and/or modify it under the terms '
-                    . 'of the <a href="https://www.gnu.org/licenses/gpl.html" target="_blank">GNU General Public License</a> '
+                    . 'of the <a href="https://www.gnu.org/licenses/gpl.html" target="_blank" rel="noopener">GNU General Public License</a> '
                     . 'as published by the Free Software Foundation, either version 3 of the License, '
                     . 'or (at your option) any later version.<br/>'
-                    . 'Some <a href="https://roundcube.net/license" target="_blank">exceptions</a> '
+                    . 'Some <a href="https://roundcube.net/license" target="_blank" rel="noopener">exceptions</a> '
                     . 'for skins &amp; plugins apply.';
             },
         ]);
@@ -117,6 +117,7 @@ public static function plugins_list($attrib)
             if ($uri) {
                 $uri = html::a([
                         'target' => '_blank',
+                        'rel' => 'noopener',
                         'href' => rcube::Q($uri),
                     ],
                     rcube::Q($rcmail->gettext('download'))
@@ -128,6 +129,7 @@ public static function plugins_list($attrib)
             if (!empty($data['license_uri'])) {
                 $license = html::a([
                         'target' => '_blank',
+                        'rel' => 'noopener',
                         'href' => rcube::Q($data['license_uri']),
                     ],
                     rcube::Q($data['license'])
@@ -155,7 +157,7 @@ public static function skin_info($attrib)
             html::span('skinitem', html::span('skinname', rcube::Q($meta['name'])) . (!empty($meta['version']) ? '&nbsp;(' . $meta['version'] . ')' : '') . html::br()
                 . (!empty($meta['author_link']) ? html::span('skinauthor', $rcmail->gettext(['name' => 'skinauthor', 'vars' => ['author' => $meta['author_link']]])) . html::br() : '')
                 . (!empty($meta['license_link']) ? html::span('skinlicense', $rcmail->gettext('license') . ':&nbsp;' . $meta['license_link']) . html::br() : '')
-                . (!empty($meta['uri']) ? html::span('skinhomepage', $rcmail->gettext('source') . ':&nbsp;' . html::a(['href' => $meta['uri'], 'target' => '_blank', 'tabindex' => '-1'], rcube::Q($rcmail->gettext('download')))) : ''))
+                . (!empty($meta['uri']) ? html::span('skinhomepage', $rcmail->gettext('source') . ':&nbsp;' . html::a(['href' => $meta['uri'], 'target' => '_blank', 'rel' => 'noopener', 'tabindex' => '-1'], rcube::Q($rcmail->gettext('download')))) : ''))
         );
 
         return $content;
diff --git a/program/actions/settings/index.php b/program/actions/settings/index.php
@@ -1513,7 +1513,7 @@ public static function user_prefs($current = null)
                             'content' => html::div(
                                 ['style' => 'display:none', 'class' => 'boxwarning', 'id' => 'mailvelope-warning'],
                                 str_replace(
-                                    'Mailvelope', '<a href="https://www.mailvelope.com" target="_blank">Mailvelope</a>',
+                                    'Mailvelope', '<a href="https://www.mailvelope.com" target="_blank" rel="noopener">Mailvelope</a>',
                                     rcube::Q($rcmail->gettext('mailvelopenotfound'))
                                 )
                                 . html::script([], "if (!parent.mailvelope) \$('#mailvelope-warning').show()")
diff --git a/program/include/rcmail_install.php b/program/include/rcmail_install.php
@@ -811,7 +811,7 @@ private function _showhint($message, $url = '')
         $hint = rcube::Q($message);
 
         if ($url) {
-            $hint .= ($hint ? '; ' : '') . 'See <a href="' . rcube::Q($url) . '" target="_blank">' . rcube::Q($url) . '</a>';
+            $hint .= ($hint ? '; ' : '') . 'See <a href="' . rcube::Q($url) . '" target="_blank" rel="noopener">' . rcube::Q($url) . '</a>';
         }
 
         if ($hint) {
diff --git a/program/include/rcmail_output.php b/program/include/rcmail_output.php
@@ -73,8 +73,8 @@ public function get_skin_info($name = null)
         $meta = INSTALL_PATH . "skins/{$skin}/meta.json";
         if (is_readable($meta) && ($json = json_decode(file_get_contents($meta), true))) {
             $data = $json;
-            $data['author_link'] = !empty($json['url']) ? html::a(['href' => $json['url'], 'target' => '_blank'], rcube::Q($json['author'])) : rcube::Q($json['author']);
-            $data['license_link'] = !empty($json['license-url']) ? html::a(['href' => $json['license-url'], 'target' => '_blank', 'tabindex' => '-1'], rcube::Q($json['license'])) : rcube::Q($json['license']);
+            $data['author_link'] = !empty($json['url']) ? html::a(['href' => $json['url'], 'target' => '_blank', 'rel' => 'noopener'], rcube::Q($json['author'])) : rcube::Q($json['author']);
+            $data['license_link'] = !empty($json['license-url']) ? html::a(['href' => $json['license-url'], 'target' => '_blank', 'rel' => 'noopener', 'tabindex' => '-1'], rcube::Q($json['license'])) : rcube::Q($json['license']);
         }
 
         $composer = INSTALL_PATH . "/skins/{$skin}/composer.json";
diff --git a/program/js/app.js b/program/js/app.js
@@ -4425,7 +4425,13 @@ function rcube_webmail() {
 
             li.append($('<label>').addClass('keyid').text(ref.get_label('keyid')));
             li.append($('<a>').text(keyrec.keyid.substr(-8).toUpperCase())
-                .attr({ href: keyrec.info, target: '_blank', tabindex: '-1' }));
+                .attr({
+                    href: keyrec.info,
+                    target: '_blank',
+                    rel: 'noopener',
+                    tabindex: '-1',
+                })
+            );
 
             li.append($('<label>').addClass('keylen').text(ref.get_label('keylength')));
             li.append($('<span>').text(keyrec.keylen));
diff --git a/program/js/editor.js b/program/js/editor.js
@@ -195,7 +195,7 @@ function rcube_text_editor(config, id) {
         ed.on('click', function (e) {
             var link = $(e.target).closest('a');
             if (link.length && e.shiftKey) {
-                window.open(link.get(0).href, '_blank');
+                window.open(link.get(0).href, '_blank', 'noopener=true');
                 return false;
             }
         });
diff --git a/program/lib/Roundcube/rcube_text2html.php b/program/lib/Roundcube/rcube_text2html.php
@@ -139,7 +139,7 @@ protected function convert()
     protected function converter($text)
     {
         // make links and email-addresses clickable
-        $attribs = ['link_attribs' => ['rel' => 'noreferrer', 'target' => '_blank']];
+        $attribs = ['link_attribs' => ['rel' => 'noreferrer noopener', 'target' => '_blank']];
         $replacer = new $this->config['replacer']($attribs);
 
         if ($this->config['flowed']) {
diff --git a/skins/elastic/templates/includes/footer.html b/skins/elastic/templates/includes/footer.html
@@ -1,7 +1,7 @@
 <roundcube:if condition="!env:framed || env:extwin" />
 </div>
 <roundcube:if condition="config:support_url" />
-<a href="<roundcube:var name='config:support_url' />" target="_blank" id="supportlink" class="hidden"><roundcube:label name="support" /></a>
+<a href="<roundcube:var name='config:support_url' />" target="_blank" rel="noopener" id="supportlink" class="hidden"><roundcube:label name="support" /></a>
 <roundcube:endif />
 <roundcube:endif />
 
diff --git a/skins/elastic/templates/login.html b/skins/elastic/templates/login.html
@@ -10,7 +10,7 @@ <h1 class="voice"><roundcube:object name="productname" /> <roundcube:label name=
 			<roundcube:object name="productname" condition="config:display_product_info &gt; 0" />
 			<roundcube:object name="version" condition="config:display_product_info == 2" />
 			<roundcube:if condition="config:support_url" />
-				&nbsp;&bull;&nbsp; <a href="<roundcube:var name='config:support_url' />" target="_blank" class="support-link"><roundcube:label name="support" /></a>
+				&nbsp;&bull;&nbsp; <a href="<roundcube:var name='config:support_url' />" target="_blank" rel="noopener" class="support-link"><roundcube:label name="support" /></a>
 			<roundcube:endif />
 			<roundcube:container name="loginfooter" id="login-footer" />
 		</div>
diff --git a/tests/Actions/Contacts/ShowTest.php b/tests/Actions/Contacts/ShowTest.php
@@ -87,7 +87,7 @@ public function test_render_phone_value()
     public function test_render_url_value()
     {
         $input = 'http://test/<123';
-        $expected = '<a href="http://test/&lt;123" target="_blank" class="url">http://test/&lt;123</a>';
+        $expected = '<a href="http://test/&lt;123" target="_blank" rel="noopener" class="url">http://test/&lt;123</a>';
         $this->assertSame($expected, \rcmail_action_contacts_show::render_url_value($input));
     }
 
diff --git a/tests/Actions/Mail/IndexTest.php b/tests/Actions/Mail/IndexTest.php
@@ -535,12 +535,12 @@ public function test_plaintext()
             'Mailto links with onclick'
         );
         $this->assertMatchesRegularExpression(
-            '#<a rel="noreferrer" target="_blank" href="http://www.apple.com/legal/privacy">http://www.apple.com/legal/privacy</a>#',
+            '#<a rel="noreferrer noopener" target="_blank" href="http://www.apple.com/legal/privacy">http://www.apple.com/legal/privacy</a>#',
             $html,
             'Links with target=_blank'
         );
         $this->assertMatchesRegularExpression(
-            '#\[<a rel="noreferrer" target="_blank" href="http://example.com/\?tx\[a\]=5">http://example.com/\?tx\[a\]=5</a>\]#',
+            '#\[<a rel="noreferrer noopener" target="_blank" href="http://example.com/\?tx\[a\]=5">http://example.com/\?tx\[a\]=5</a>\]#',
             $html,
             'Links with square brackets'
         );
diff --git a/tests/Framework/Text2HtmlTest.php b/tests/Framework/Text2HtmlTest.php
@@ -153,7 +153,7 @@ public function test_text2html_xss2()
         $html = $t2h->get_html();
 
         $expected = "<div class=\"pre\"><br>\n[&lt;script&gt;evil&lt;/script&gt;] "
-            . "<a rel=\"noreferrer\" target=\"_blank\" href=\"https://google.com\">https://google.com</a><br>\n"
+            . "<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https://google.com\">https://google.com</a><br>\n"
             . '</div>';
 
         $this->assertSame($expected, $html);
@@ -175,7 +175,7 @@ public function test_text2html_8021()
 
         $t2h = new \rcube_text2html($input);
         $html = $t2h->get_html();
-        $html = preg_replace('/ (rel|target)="(noreferrer|_blank)"/', '', $html);
+        $html = preg_replace('/ (rel|target)="(noreferrer noopener|_blank)"/', '', $html);
 
         $this->assertSame($expected, $html);
     }

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ public function error_page($args)`
`162`	`162`	`&& $rcmail->request_status == rcube::REQUEST_ERROR_URL`
`163`	`163`	`&& ($url = $rcmail->config->get('help_csrf_info'))`
`164`	`164`	`) {`
`165`		`- $args['text'] .= '<p>' . html::a(['href' => $url, 'target' => '_blank'], $this->gettext('csrfinfo')) . '</p>';`
	`165`	`+ $args['text'] .= '<p>' . html::a(['href' => $url, 'target' => '_blank', 'rel' => 'noopener'], $this->gettext('csrfinfo')) . '</p>';`
`166`	`166`	`}`
`167`	`167`
`168`	`168`	`return $args;`
Original file line number	Diff line number	Diff line change
`@@ -1324,6 +1324,7 @@ public static function washtml_link_callback($tag, $attribs, $content, $washtml)`
`1324`	`1324`	`}`
`1325`	`1325`	`} elseif (!empty($attrib['href']) && $attrib['href'][0] != '#') {`
`1326`	`1326`	`$attrib['target'] = '_blank';`
	`1327`	`+ $attrib['rel'] = 'noopener';`
`1327`	`1328`	`}`
`1328`	`1329`
`1329`	`1330`	`// Better security by adding rel="noreferrer" (#1484686)`
Original file line number	Diff line number	Diff line change
`@@ -1513,7 +1513,7 @@ public static function user_prefs($current = null)`
`1513`	`1513`	`'content' => html::div(`
`1514`	`1514`	`['style' => 'display:none', 'class' => 'boxwarning', 'id' => 'mailvelope-warning'],`
`1515`	`1515`	`str_replace(`
`1516`		`- 'Mailvelope', '<a href="https://www.mailvelope.com" target="_blank">Mailvelope</a>',`
	`1516`	`+ 'Mailvelope', '<a href="https://www.mailvelope.com" target="_blank" rel="noopener">Mailvelope</a>',`
`1517`	`1517`	`rcube::Q($rcmail->gettext('mailvelopenotfound'))`
`1518`	`1518`	`)`
`1519`	`1519`	`. html::script([], "if (!parent.mailvelope) \$('#mailvelope-warning').show()")`
Original file line number	Diff line number	Diff line change
`@@ -811,7 +811,7 @@ private function _showhint($message, $url = '')`
`811`	`811`	`$hint = rcube::Q($message);`
`812`	`812`
`813`	`813`	`if ($url) {`
`814`		`- $hint .= ($hint ? '; ' : '') . 'See <a href="' . rcube::Q($url) . '" target="_blank">' . rcube::Q($url) . '</a>';`
	`814`	`+ $hint .= ($hint ? '; ' : '') . 'See <a href="' . rcube::Q($url) . '" target="_blank" rel="noopener">' . rcube::Q($url) . '</a>';`
`815`	`815`	`}`
`816`	`816`
`817`	`817`	`if ($hint) {`
Original file line number	Diff line number	Diff line change
`@@ -195,7 +195,7 @@ function rcube_text_editor(config, id) {`
`195`	`195`	`ed.on('click', function (e) {`
`196`	`196`	`var link = $(e.target).closest('a');`
`197`	`197`	`if (link.length && e.shiftKey) {`
`198`		`- window.open(link.get(0).href, '_blank');`
	`198`	`+ window.open(link.get(0).href, '_blank', 'noopener=true');`
`199`	`199`	`return false;`
`200`	`200`	`}`
`201`	`201`	`});`
Original file line number	Diff line number	Diff line change
`@@ -139,7 +139,7 @@ protected function convert()`
`139`	`139`	`protected function converter($text)`
`140`	`140`	`{`
`141`	`141`	`// make links and email-addresses clickable`
`142`		`- $attribs = ['link_attribs' => ['rel' => 'noreferrer', 'target' => '_blank']];`
	`142`	`+ $attribs = ['link_attribs' => ['rel' => 'noreferrer noopener', 'target' => '_blank']];`
`143`	`143`	`$replacer = new $this->config['replacer']($attribs);`
`144`	`144`
`145`	`145`	`if ($this->config['flowed']) {`