Protect against reverse tabnabbing (#19)

* Protect against reverse tabnabbing

https://owasp.org/www-community/attacks/Reverse_Tabnabbing

* Use faster regular expression method

lib/text_helpers/translation.rb

@@ -12,7 +12,7 @@ def link(link, title, content)
       attributes = [
         ("href=\"#{link}\"" if link),
         ("title=\"#{title}\"" if title),
-        ("target=\"_blank\"" if link =~ PROTOCOL_MATCHER),
+        ("target=\"_blank\" rel=\"noopener\"" if link.match?(PROTOCOL_MATCHER)),
       ]
 
       "<a #{attributes.compact.join(" ")}>#{content}</a>"
@@ -44,7 +44,7 @@ def text(key, options = {})
       interpolation_options = { cascade: true }.merge(options)
 
       # Interpolate any keypaths (e.g., `!some.lookup.path/key!`) found in the text.
-      while text =~ KEYPATH_MATCHER do
+      while text.match?(KEYPATH_MATCHER) do
         text = text.gsub(KEYPATH_MATCHER) { |match| I18n.t($1, **interpolation_options) }
       end
 

test/lib/text_helpers/translation_test.rb

@@ -119,12 +119,12 @@
         assert_equal "<em>#{@scoped_text}</em>\n", @helper.html(:test_key, inline: true, orphans: true)
       end
 
-      it "renders internal links without a target" do
+      it "renders internal links without a target or rel" do
         assert_equal "<a href=\"/internal/path\">Internal&nbsp;link</a>\n", @helper.html(:internal_link, inline: true)
       end
 
-      it "renders external links with target='_blank'" do
-        assert_equal "<a href=\"http://external.com\" target=\"_blank\">External&nbsp;link</a>\n", @helper.html(:external_link, inline: true)
+      it "renders external links with target='_blank' and rel='noopener'" do
+        assert_equal "<a href=\"http://external.com\" target=\"_blank\" rel=\"noopener\">External&nbsp;link</a>\n", @helper.html(:external_link, inline: true)
       end
 
       it "interpolates values wrapped in !!" do