fix: Prevent tabnabbing in markdown

plankanban · Aug 30, 2022 · 3379c65 · 3379c65
1 parent 1a6fc40
commit 3379c65
Showing 1 changed file with 17 additions and 10 deletions.
diff --git a/client/src/lib/custom-ui/components/Markdown/Markdown.jsx b/client/src/lib/custom-ui/components/Markdown/Markdown.jsx
@@ -6,6 +6,8 @@ import remarkBreaks from 'remark-breaks';
 
 import './Markdown.module.scss'; // FIXME: import as styles?
 
+const ABSOLUTE_URL_REGEX = /^(?:https?:)?\/\//i;
+
 const Markdown = React.memo(({ linkStopPropagation, ...props }) => {
   const handleLinkClick = useCallback((event) => {
     event.stopPropagation();
@@ -16,25 +18,30 @@ const Markdown = React.memo(({ linkStopPropagation, ...props }) => {
                       jsx-a11y/click-events-have-key-events,
                       jsx-a11y/no-static-element-interactions,
                       react/jsx-props-no-spreading */
-    ({ node, ...linkProps }) => <a {...linkProps} onClick={handleLinkClick} />,
+    ({ node, ...linkProps }) => (
+      <a
+        {...linkProps}
+        rel={
+          ABSOLUTE_URL_REGEX.test(linkProps.href) && linkProps.target === '_blank'
+            ? 'noreferrer'
+            : undefined
+        }
+        onClick={linkStopPropagation ? handleLinkClick : undefined}
+      />
+    ),
     /* eslint-enable jsx-a11y/anchor-has-content,
                      jsx-a11y/click-events-have-key-events,
                      jsx-a11y/no-static-element-interactions,
                      react/jsx-props-no-spreading */
-    [handleLinkClick],
+    [linkStopPropagation, handleLinkClick],
   );
 
-  let components;
-  if (linkStopPropagation) {
-    components = {
-      a: linkRenderer,
-    };
-  }
-
   return (
     <ReactMarkdown
       {...props} // eslint-disable-line react/jsx-props-no-spreading
-      components={components}
+      components={{
+        a: linkRenderer,
+      }}
       remarkPlugins={[remarkGfm, remarkBreaks]}
       className="markdown-body"
     />