Add noopener noreferrer to external-link macro

Apparently, _blank links are the most underestimated vulnerability ever. Source: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/ I'm not convinced, but, as @tombye pointed out, we don't lose anything. Adding them where external links have a target="_blank" *** Also worth mentioning that even though I've removed all of the external-link styles from the toolkit, our frontend apps (at this point, supplier and admin) are using the external-link template and so rely on its markup. Probably worth removing the surrounding div eventually (maybe removing the pattern altogether) but not now.
Crown-Commercial-Service · Feb 8, 2017 · 8bab030 · 8bab030
1 parent e5bfbc7
commit 8bab030
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/toolkit/templates/external-link.html b/toolkit/templates/external-link.html
@@ -1,3 +1,7 @@
 <div class="external-link-default">
-  <a href="{{ link }}" rel="external" {% if target %}target="{{ target }}"{% endif %}>{{ text }}</a>
+  <a
+    href="{{ link }}"
+    rel="external{% if target=='_blank' %} noopener noreferrer{% endif %}"
+    {% if target %}target="{{ target }}"{% endif %}
+  >{{ text }}</a>
 </div>