Closed alexpelan closed 8 years ago
For now, something like this can be used as a workaround, where $("a") is scoped to whichever links you actually want to change:
$("a").attr("rel", "noopener noreferrer");
Hey, thanks for this, and thanks for the PR. Didn't even know about this potential type of attack!
This is interesting. However, it breaks links for telephones. Those will not launch skype or other handlers when noopener is set. How can we address that?
Also, if I set newWindow to false, all the URLs start to open in the same window!
I suppose I could post-process the result for now.
I don't have bandwidth to make another PR right now, but it's a pretty simple fix, just check if matchType !== "phone" before doing this: https://github.com/gregjacobs/Autolinker.js/blob/master/src/AnchorTagBuilder.js#L94
Good fix for someone new to OSS or new to the project
Since autolinker defaults to opening up links in a new window using target=_blank, many of your users are likely affected by this vulnerability: https://mathiasbynens.github.io/rel-noopener/
Consider adding an option to set rel='noopener' and rel='noreferrer', or do it by default.
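The workaround from this thread with the phone-link exception applied, as an added example that is not part of the thread or of Autolinker's own code; relFor, hardenLinks and the tel: test for phone links are assumptions. It goes slightly beyond the thread by treating any named target, not only _blank, as opening a new window, and by merging with an existing rel value instead of overwriting it.

```javascript
// Added example. relFor, hardenLinks and PHONE_HREF are hypothetical names.
const REQUIRED = ["noopener", "noreferrer"];
const SAME_CONTEXT = new Set(["", "_self", "_parent", "_top"]);
const PHONE_HREF = /^\s*tel:/i; // assumption: phone links use a tel: href

// Compute the rel value for one link described by { href, target, rel }.
function relFor(link) {
  const tokens = (link.rel || "").split(/\s+/).filter(Boolean);
  const target = (link.target || "").trim().toLowerCase();
  // Only links that open another browsing context hand over window.opener.
  if (SAME_CONTEXT.has(target)) return tokens.join(" ");
  // Phone links are left alone, per the report that noopener breaks handlers.
  if (PHONE_HREF.test(link.href || "")) return tokens.join(" ");
  const seen = new Set(tokens.map((t) => t.toLowerCase()));
  for (const t of REQUIRED) if (!seen.has(t)) tokens.push(t);
  return tokens.join(" ");
}

// Apply relFor to every <a target> under root; returns how many were changed.
function hardenLinks(root) {
  let changed = 0;
  for (const a of root.querySelectorAll("a[target]")) {
    const before = a.getAttribute("rel") || "";
    const after = relFor({
      href: a.getAttribute("href"),
      target: a.getAttribute("target"),
      rel: before,
    });
    if (after !== before) {
      a.setAttribute("rel", after);
      changed++;
    }
  }
  return changed;
}

// Constructed sample links, not taken from the thread.
const samples = [
  { href: "https://example.com/", target: "_blank" },
  { href: "tel:+15555550100", target: "_blank" },
  { href: "https://example.com/", target: "_blank", rel: "nofollow NoOpener" },
  { href: "https://example.com/" },
];
for (const s of samples) console.log(s.href, "->", JSON.stringify(relFor(s)));
```

In a browser, call hardenLinks(document), or pass a narrower container element, after the autolinked markup has been inserted into the page.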