referer: exported html pads no longer leak URL/location through refer…

…er header Exported HTML can, when loaded from disk or an online server, also leak the location. Applying the `rel="noreferrer"` HTML5 standard mitigate the problem for compatible browsers. https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer This commit was originally part of #2498
ether · Nov 24, 2019 · 2a44c83 · 2a44c83
1 parent f314460
commit 2a44c83
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/src/node/utils/ExportHtml.js b/src/node/utils/ExportHtml.js
@@ -285,7 +285,10 @@ function getHTMLFromAtext(pad, atext, authorColors)
         var url = urlData[1];
         var urlLength = url.length;
         processNextChars(startIndex - idx);
-        assem.append('<a href="' + Security.escapeHTMLAttribute(url) + '">');
+        // Using rel="noreferrer" stops leaking the URL/location of the exported HTML when clicking links in the document.
+        // Not all browsers understand this attribute, but it's part of the HTML5 standard.
+        // http://www.w3.org/TR/html5/links.html#link-type-noreferrer
+        assem.append('<a href="' + Security.escapeHTMLAttribute(url) + '" rel="noreferrer">');
         processNextChars(urlLength);
         assem.append('</a>');
       });