Issue
The DOMPurify allowlist permits the target and rel attributes on <a> tags, but does not force rel="noopener noreferrer" when target="_blank" is present. A supplier description containing <a href="..." target="_blank"> (no rel) therefore creates a reverse tabnabbing vulnerability: the page opened in the new tab keeps a window.opener reference and can navigate the originating storefront tab.
Fix
Add a DOMPurify post-sanitize hook in frontend/src/components/storefront/description-html.tsx:
import DOMPurify from "dompurify";

// Runs after DOMPurify has filtered each element's attributes
DOMPurify.addHook("afterSanitizeAttributes", (node) => {
  // Any link that opens a new browsing context must sever window.opener
  if (node.tagName === "A" && node.getAttribute("target") === "_blank") {
    node.setAttribute("rel", "noopener noreferrer");
  }
});
Introduced in
PR #27 (merged)
Severity
Medium — only exploitable if a supplier description contains a _blank link without rel, which requires either a malicious/compromised supplier or corrupted ingest data.