referer: exported HTML URL/location no longer leaks through HTTP referer header in HTML5 browsers

Exported HTML can, when loaded from disk or an online server, also leak the
location. Applying the `rel="noreferrer"` HTML5 standard mitigates the problem
for compatible browsers.

http://www.w3.org/TR/html5/links.html#link-type-noreferrer
joelpurra authored and hmdne committed Nov 23, 2019
1 parent c0d5a24 commit d7ee387
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion src/node/utils/ExportHtml.js
Expand Up @@ -285,7 +285,10 @@ function getHTMLFromAtext(pad, atext, authorColors)
var url = urlData[1];
var urlLength = url.length;
processNextChars(startIndex - idx);
assem.append('<a href="' + Security.escapeHTMLAttribute(url) + '">');
// Using rel="noreferrer" stops leaking the URL/location of the exported HTML when clicking links in the document.
// Not all browsers understand this attribute, but it's part of the HTML5 standard.
// http://www.w3.org/TR/html5/links.html#link-type-noreferrer
assem.append('<a href="' + Security.escapeHTMLAttribute(url) + '" rel="noreferrer">');
processNextChars(urlLength);
assem.append('</a>');
});
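Review bot: the `rel="noreferrer"` added on the `assem.append('<a href="' + ...` line protects only anchors built in this URL branch of getHTMLFromAtext, and the new comment itself concedes that not every browser honours the attribute. Consider also emitting a document-level policy in the exported page, for example `<meta name="referrer" content="no-referrer">` in the export's head, so that any link in the exported file is covered regardless of which code path produced it. Since the exported file may be served from an online server, as the commit message notes, a `Referrer-Policy: no-referrer` response header is a further option for that case. Two smaller points: the comment lines are long enough to wrap and could be shortened to one sentence plus the spec link, and a test asserting that exported HTML for a pad containing a URL includes `rel="noreferrer"` would keep this from regressing.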