gregjacobs / Autolinker.js

Utility to Automatically Link URLs, Email Addresses, Phone Numbers, Twitter handles, and Hashtags in a given block of text/HTML
MIT License

Consider adding option to set rel='noopener' or rel='noreferrer' #149

Closed alexpelan closed 8 years ago

alexpelan commented 8 years ago

Since autolinker defaults to opening up links in a new window using target=_blank, many of your users are likely affected by this vulnerability: https://mathiasbynens.github.io/rel-noopener/

Consider adding an option to set rel='noopener' and rel='noreferrer', or do it by default.

alexpelan commented 8 years ago

For now, something like this can be used as a workaround, where $("a") is scoped to whichever links you actually want to change:

$("a").attr("rel", "noopener noreferrer");

gregjacobs commented 8 years ago

Hey, thanks for this, and thanks for the PR. Didn't even know about this potential type of attack!

theoutlander commented 8 years ago

This is interesting. However, it breaks links for telephones. Those will not launch Skype or other handlers when noopener is set. How can we address that?

Also, if I set newWindow to false, all the URLs start to open in the same window!

I suppose I could post-process the result for now.

alexpelan commented 8 years ago

I don't have bandwidth to make another PR right now, but it's a pretty simple fix: just check if matchType !== "phone" before doing this: https://github.com/gregjacobs/Autolinker.js/blob/master/src/AnchorTagBuilder.js#L94

Good fix for someone new to OSS or new to the project
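The thread above settles on two rules: every anchor opened with target="_blank" should carry rel="noopener noreferrer" (so the new page cannot reach back through window.opener), but phone links must be left alone so that tel: handlers keep working. The following is an added example, not Autolinker's own code and not the jQuery workaround posted above: it post-processes the HTML string an autolinker produces, using a small regex-based attribute parser (hypothetical helper names parseAttrs, serializeAttrs, needsNoopener and hardenAnchors). It identifies phone links by their tel: href rather than by Autolinker's internal matchType, since the raw HTML is all a post-processor sees, and it merges the two rel tokens with any rel value already present instead of overwriting it.

```javascript
// Added example (not Autolinker's code): harden autolinker output so that
// anchors opened in a new window carry rel="noopener noreferrer", while
// tel: links are skipped so phone handlers (e.g. Skype) still launch.

const REQUIRED_REL = ['noopener', 'noreferrer'];

// Parse the attribute list of one opening <a ...> tag into a Map,
// preserving attribute order. Handles "…", '…' and unquoted values.
function parseAttrs(attrString) {
  const attrs = new Map();
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    const value = m[2] !== undefined ? m[2]
                : m[3] !== undefined ? m[3]
                : m[4] !== undefined ? m[4]
                : '';
    attrs.set(m[1].toLowerCase(), value);
  }
  return attrs;
}

// Serialize the Map back to double-quoted attributes.
function serializeAttrs(attrs) {
  return Array.from(attrs, ([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`).join(' ');
}

// The protective rel is needed only when the link opens a new browsing
// context (target="_blank") and is not a phone link (href starts with tel:).
function needsNoopener(attrs) {
  const target = (attrs.get('target') || '').toLowerCase();
  const href = (attrs.get('href') || '').trim().toLowerCase();
  return target === '_blank' && !href.startsWith('tel:');
}

// Rewrite every qualifying <a> tag in the HTML string; other tags and text
// are passed through untouched.
function hardenAnchors(html) {
  return html.replace(/<a\b([^>]*)>/gi, (fullTag, attrString) => {
    const attrs = parseAttrs(attrString);
    if (!needsNoopener(attrs)) return fullTag;
    const rel = (attrs.get('rel') || '').split(/\s+/).filter(Boolean);
    for (const token of REQUIRED_REL) {
      if (!rel.includes(token)) rel.push(token);
    }
    attrs.set('rel', rel.join(' '));
    return `<a ${serializeAttrs(attrs)}>`;
  });
}

// Constructed sample of autolinker-style output: one web link, one phone link.
const SAMPLE_HTML =
  'Call <a href="tel:+15551234567" target="_blank">+1 555 123 4567</a> or visit ' +
  '<a href="http://example.com" target="_blank" rel="nofollow">example.com</a>.';

console.log(hardenAnchors(SAMPLE_HTML));
```

Run it on the output of Autolinker.link(...) (or any other linkifier) before inserting the HTML into the page. The regex parser is deliberately limited to anchor tags and is not a general HTML parser; in a browser, the same rule can be applied with a DOM query over anchors whose target is _blank, skipping those whose protocol is tel:.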