From 5e0d3a2b1c80e16926cc246486cf392478696087 Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Thu, 9 Oct 2025 17:29:23 +0200
Subject: [PATCH] Add rel='noopener' to all links opening in a new window

Browsers younger than ~5 years don't need this, but older browsers might cause problems.

Code style change as demanded by eslint

Remove accidentally added `id` attribute

Fix test as it was intended
---
 plugins/help/help.php                        | 2 +-
 program/actions/contacts/show.php            | 1 +
 program/actions/mail/index.php               | 1 +
 program/actions/settings/about.php           | 8 +++++---
 program/actions/settings/index.php           | 2 +-
 program/include/rcmail_install.php           | 2 +-
 program/include/rcmail_output.php            | 4 ++--
 program/js/app.js                            | 8 +++++++-
 program/js/editor.js                         | 2 +-
 program/lib/Roundcube/rcube_text2html.php    | 2 +-
 skins/elastic/templates/includes/footer.html | 2 +-
 skins/elastic/templates/login.html           | 2 +-
 tests/Actions/Contacts/ShowTest.php          | 2 +-
 tests/Actions/Mail/IndexTest.php             | 4 ++--
 tests/Framework/Text2HtmlTest.php            | 4 ++--
 15 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/plugins/help/help.php b/plugins/help/help.php
index 8a4816007c..c3b3b67741 100644
--- a/plugins/help/help.php
+++ b/plugins/help/help.php
@@ -162,7 +162,7 @@ public function error_page($args)
             && $rcmail->request_status == rcube::REQUEST_ERROR_URL
             && ($url = $rcmail->config->get('help_csrf_info'))
         ) {
-            $args['text'] .= '<p>' . html::a(['href' => $url, 'target' => '_blank'], $this->gettext('csrfinfo')) . '</p>';
+            $args['text'] .= '<p>' . html::a(['href' => $url, 'target' => '_blank', 'rel' => 'noopener'], $this->gettext('csrfinfo')) . '</p>';
         }
 
         return $args;
diff --git a/program/actions/contacts/show.php b/program/actions/contacts/show.php
index 98a4790acb..c4a0633a75 100644
--- a/program/actions/contacts/show.php
+++ b/program/actions/contacts/show.php
@@ -194,6 +194,7 @@ public static function render_url_value($url)
         return html::a([
                 'href' => $prefix . $url,
                 'target' => '_blank',
+                'rel' => 'noopener',
                 'class' => 'url',
             ],
             rcube::Q($url)
diff --git a/program/actions/mail/index.php b/program/actions/mail/index.php
index 30ddffc43b..7d7c57116f 100644
--- a/program/actions/mail/index.php
+++ b/program/actions/mail/index.php
@@ -1324,6 +1324,7 @@ public static function washtml_link_callback($tag, $attribs, $content, $washtml)
                 }
             } elseif (!empty($attrib['href']) && $attrib['href'][0] != '#') {
                 $attrib['target'] = '_blank';
+                $attrib['rel'] = 'noopener';
             }
 
             // Better security by adding rel="noreferrer" (#1484686)
diff --git a/program/actions/settings/about.php b/program/actions/settings/about.php
index e1fcd34873..900edef54a 100644
--- a/program/actions/settings/about.php
+++ b/program/actions/settings/about.php
@@ -43,10 +43,10 @@ public function run($args = [])
             },
             'license' => static function () {
                 return 'This program is free software; you can redistribute it and/or modify it under the terms '
-                    . 'of the <a href="https://www.gnu.org/licenses/gpl.html" target="_blank">GNU General Public License</a> '
+                    . 'of the <a href="https://www.gnu.org/licenses/gpl.html" target="_blank" rel="noopener">GNU General Public License</a> '
                     . 'as published by the Free Software Foundation, either version 3 of the License, '
                     . 'or (at your option) any later version.<br/>'
-                    . 'Some <a href="https://roundcube.net/license" target="_blank">exceptions</a> '
+                    . 'Some <a href="https://roundcube.net/license" target="_blank" rel="noopener">exceptions</a> '
                     . 'for skins &amp; plugins apply.';
             },
         ]);
@@ -117,6 +117,7 @@ public static function plugins_list($attrib)
             if ($uri) {
                 $uri = html::a([
                         'target' => '_blank',
+                        'rel' => 'noopener',
                         'href' => rcube::Q($uri),
                     ],
                     rcube::Q($rcmail->gettext('download'))
@@ -128,6 +129,7 @@ public static function plugins_list($attrib)
             if (!empty($data['license_uri'])) {
                 $license = html::a([
                         'target' => '_blank',
+                        'rel' => 'noopener',
                         'href' => rcube::Q($data['license_uri']),
                     ],
                     rcube::Q($data['license'])
@@ -155,7 +157,7 @@ public static function skin_info($attrib)
             html::span('skinitem', html::span('skinname', rcube::Q($meta['name'])) . (!empty($meta['version']) ? '&nbsp;(' . $meta['version'] . ')' : '') . html::br()
                 . (!empty($meta['author_link']) ? html::span('skinauthor', $rcmail->gettext(['name' => 'skinauthor', 'vars' => ['author' => $meta['author_link']]])) . html::br() : '')
                 . (!empty($meta['license_link']) ? html::span('skinlicense', $rcmail->gettext('license') . ':&nbsp;' . $meta['license_link']) . html::br() : '')
-                . (!empty($meta['uri']) ? html::span('skinhomepage', $rcmail->gettext('source') . ':&nbsp;' . html::a(['href' => $meta['uri'], 'target' => '_blank', 'tabindex' => '-1'], rcube::Q($rcmail->gettext('download')))) : ''))
+                . (!empty($meta['uri']) ? html::span('skinhomepage', $rcmail->gettext('source') . ':&nbsp;' . html::a(['href' => $meta['uri'], 'target' => '_blank', 'rel' => 'noopener', 'tabindex' => '-1'], rcube::Q($rcmail->gettext('download')))) : ''))
         );
 
         return $content;
diff --git a/program/actions/settings/index.php b/program/actions/settings/index.php
index fcb0df97fb..e9a9fb19c5 100644
--- a/program/actions/settings/index.php
+++ b/program/actions/settings/index.php
@@ -1513,7 +1513,7 @@ public static function user_prefs($current = null)
                             'content' => html::div(
                                 ['style' => 'display:none', 'class' => 'boxwarning', 'id' => 'mailvelope-warning'],
                                 str_replace(
-                                    'Mailvelope', '<a href="https://www.mailvelope.com" target="_blank">Mailvelope</a>',
+                                    'Mailvelope', '<a href="https://www.mailvelope.com" target="_blank" rel="noopener">Mailvelope</a>',
                                     rcube::Q($rcmail->gettext('mailvelopenotfound'))
                                 )
                                 . html::script([], "if (!parent.mailvelope) \$('#mailvelope-warning').show()")
diff --git a/program/include/rcmail_install.php b/program/include/rcmail_install.php
index 9f8936d559..14c41852e9 100644
--- a/program/include/rcmail_install.php
+++ b/program/include/rcmail_install.php
@@ -811,7 +811,7 @@ private function _showhint($message, $url = '')
         $hint = rcube::Q($message);
 
         if ($url) {
-            $hint .= ($hint ? '; ' : '') . 'See <a href="' . rcube::Q($url) . '" target="_blank">' . rcube::Q($url) . '</a>';
+            $hint .= ($hint ? '; ' : '') . 'See <a href="' . rcube::Q($url) . '" target="_blank" rel="noopener">' . rcube::Q($url) . '</a>';
         }
 
         if ($hint) {
diff --git a/program/include/rcmail_output.php b/program/include/rcmail_output.php
index 332c69793a..2a3cc82bd7 100644
--- a/program/include/rcmail_output.php
+++ b/program/include/rcmail_output.php
@@ -73,8 +73,8 @@ public function get_skin_info($name = null)
         $meta = INSTALL_PATH . "skins/{$skin}/meta.json";
         if (is_readable($meta) && ($json = json_decode(file_get_contents($meta), true))) {
             $data = $json;
-            $data['author_link'] = !empty($json['url']) ? html::a(['href' => $json['url'], 'target' => '_blank'], rcube::Q($json['author'])) : rcube::Q($json['author']);
-            $data['license_link'] = !empty($json['license-url']) ? html::a(['href' => $json['license-url'], 'target' => '_blank', 'tabindex' => '-1'], rcube::Q($json['license'])) : rcube::Q($json['license']);
+            $data['author_link'] = !empty($json['url']) ? html::a(['href' => $json['url'], 'target' => '_blank', 'rel' => 'noopener'], rcube::Q($json['author'])) : rcube::Q($json['author']);
+            $data['license_link'] = !empty($json['license-url']) ? html::a(['href' => $json['license-url'], 'target' => '_blank', 'rel' => 'noopener', 'tabindex' => '-1'], rcube::Q($json['license'])) : rcube::Q($json['license']);
         }
 
         $composer = INSTALL_PATH . "/skins/{$skin}/composer.json";
diff --git a/program/js/app.js b/program/js/app.js
index 018335249f..ace7f9f5eb 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -4425,7 +4425,13 @@ function rcube_webmail() {
 
             li.append($('<label>').addClass('keyid').text(ref.get_label('keyid')));
             li.append($('<a>').text(keyrec.keyid.substr(-8).toUpperCase())
-                .attr({ href: keyrec.info, target: '_blank', tabindex: '-1' }));
+                .attr({
+                    href: keyrec.info,
+                    target: '_blank',
+                    rel: 'noopener',
+                    tabindex: '-1',
+                })
+            );
 
             li.append($('<label>').addClass('keylen').text(ref.get_label('keylength')));
             li.append($('<span>').text(keyrec.keylen));
diff --git a/program/js/editor.js b/program/js/editor.js
index 8d92888718..8f7df1b6fe 100644
--- a/program/js/editor.js
+++ b/program/js/editor.js
@@ -195,7 +195,7 @@ function rcube_text_editor(config, id) {
         ed.on('click', function (e) {
             var link = $(e.target).closest('a');
             if (link.length && e.shiftKey) {
-                window.open(link.get(0).href, '_blank');
+                window.open(link.get(0).href, '_blank', 'noopener=true');
                 return false;
             }
         });
diff --git a/program/lib/Roundcube/rcube_text2html.php b/program/lib/Roundcube/rcube_text2html.php
index c8e54bcaa8..4d8ee6068b 100644
--- a/program/lib/Roundcube/rcube_text2html.php
+++ b/program/lib/Roundcube/rcube_text2html.php
@@ -139,7 +139,7 @@ protected function convert()
     protected function converter($text)
     {
         // make links and email-addresses clickable
-        $attribs = ['link_attribs' => ['rel' => 'noreferrer', 'target' => '_blank']];
+        $attribs = ['link_attribs' => ['rel' => 'noreferrer noopener', 'target' => '_blank']];
         $replacer = new $this->config['replacer']($attribs);
 
         if ($this->config['flowed']) {
diff --git a/skins/elastic/templates/includes/footer.html b/skins/elastic/templates/includes/footer.html
index ec64cbcae8..817ea8db1f 100644
--- a/skins/elastic/templates/includes/footer.html
+++ b/skins/elastic/templates/includes/footer.html
@@ -1,7 +1,7 @@
 <roundcube:if condition="!env:framed || env:extwin" />
 </div>
 <roundcube:if condition="config:support_url" />
-<a href="<roundcube:var name='config:support_url' />" target="_blank" id="supportlink" class="hidden"><roundcube:label name="support" /></a>
+<a href="<roundcube:var name='config:support_url' />" target="_blank" rel="noopener" id="supportlink" class="hidden"><roundcube:label name="support" /></a>
 <roundcube:endif />
 <roundcube:endif />
 
diff --git a/skins/elastic/templates/login.html b/skins/elastic/templates/login.html
index 0279481da1..68f1261dc5 100644
--- a/skins/elastic/templates/login.html
+++ b/skins/elastic/templates/login.html
@@ -10,7 +10,7 @@ <h1 class="voice"><roundcube:object name="productname" /> <roundcube:label name=
 			<roundcube:object name="productname" condition="config:display_product_info &gt; 0" />
 			<roundcube:object name="version" condition="config:display_product_info == 2" />
 			<roundcube:if condition="config:support_url" />
-				&nbsp;&bull;&nbsp; <a href="<roundcube:var name='config:support_url' />" target="_blank" class="support-link"><roundcube:label name="support" /></a>
+				&nbsp;&bull;&nbsp; <a href="<roundcube:var name='config:support_url' />" target="_blank" rel="noopener" class="support-link"><roundcube:label name="support" /></a>
 			<roundcube:endif />
 			<roundcube:container name="loginfooter" id="login-footer" />
 		</div>
diff --git a/tests/Actions/Contacts/ShowTest.php b/tests/Actions/Contacts/ShowTest.php
index dc5dc1ac35..1696451ff5 100644
--- a/tests/Actions/Contacts/ShowTest.php
+++ b/tests/Actions/Contacts/ShowTest.php
@@ -87,7 +87,7 @@ public function test_render_phone_value()
     public function test_render_url_value()
     {
         $input = 'http://test/<123';
-        $expected = '<a href="http://test/&lt;123" target="_blank" class="url">http://test/&lt;123</a>';
+        $expected = '<a href="http://test/&lt;123" target="_blank" rel="noopener" class="url">http://test/&lt;123</a>';
         $this->assertSame($expected, \rcmail_action_contacts_show::render_url_value($input));
     }
 
diff --git a/tests/Actions/Mail/IndexTest.php b/tests/Actions/Mail/IndexTest.php
index 62ca992c98..6cf0244b08 100644
--- a/tests/Actions/Mail/IndexTest.php
+++ b/tests/Actions/Mail/IndexTest.php
@@ -535,12 +535,12 @@ public function test_plaintext()
             'Mailto links with onclick'
         );
         $this->assertMatchesRegularExpression(
-            '#<a rel="noreferrer" target="_blank" href="http://www.apple.com/legal/privacy">http://www.apple.com/legal/privacy</a>#',
+            '#<a rel="noreferrer noopener" target="_blank" href="http://www.apple.com/legal/privacy">http://www.apple.com/legal/privacy</a>#',
             $html,
             'Links with target=_blank'
         );
         $this->assertMatchesRegularExpression(
-            '#\[<a rel="noreferrer" target="_blank" href="http://example.com/\?tx\[a\]=5">http://example.com/\?tx\[a\]=5</a>\]#',
+            '#\[<a rel="noreferrer noopener" target="_blank" href="http://example.com/\?tx\[a\]=5">http://example.com/\?tx\[a\]=5</a>\]#',
             $html,
             'Links with square brackets'
         );
diff --git a/tests/Framework/Text2HtmlTest.php b/tests/Framework/Text2HtmlTest.php
index 3b250d658a..935fe1ae46 100644
--- a/tests/Framework/Text2HtmlTest.php
+++ b/tests/Framework/Text2HtmlTest.php
@@ -153,7 +153,7 @@ public function test_text2html_xss2()
         $html = $t2h->get_html();
 
         $expected = "<div class=\"pre\"><br>\n[&lt;script&gt;evil&lt;/script&gt;] "
-            . "<a rel=\"noreferrer\" target=\"_blank\" href=\"https://google.com\">https://google.com</a><br>\n"
+            . "<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https://google.com\">https://google.com</a><br>\n"
             . '</div>';
 
         $this->assertSame($expected, $html);
@@ -175,7 +175,7 @@ public function test_text2html_8021()
 
         $t2h = new \rcube_text2html($input);
         $html = $t2h->get_html();
-        $html = preg_replace('/ (rel|target)="(noreferrer|_blank)"/', '', $html);
+        $html = preg_replace('/ (rel|target)="(noreferrer noopener|_blank)"/', '', $html);
 
         $this->assertSame($expected, $html);
     }