From 184b60ded0e43c985788582aca2d1e746f9405a3 Mon Sep 17 00:00:00 2001
From: n00dle <rich@tablexi.com>
Date: Wed, 9 Dec 2020 08:52:01 -0500
Subject: [PATCH] Protect against reverse tabnabbing (#19)

* Protect against reverse tabnabbing

https://owasp.org/www-community/attacks/Reverse_Tabnabbing

* Use faster regular expression method
---
 lib/text_helpers/translation.rb           | 4 ++--
 test/lib/text_helpers/translation_test.rb | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/text_helpers/translation.rb b/lib/text_helpers/translation.rb
index bf80f06..6c9d314 100644
--- a/lib/text_helpers/translation.rb
+++ b/lib/text_helpers/translation.rb
@@ -12,7 +12,7 @@ def link(link, title, content)
       attributes = [
         ("href=\"#{link}\"" if link),
         ("title=\"#{title}\"" if title),
-        ("target=\"_blank\"" if link =~ PROTOCOL_MATCHER),
+        ("target=\"_blank\" rel=\"noopener\"" if link.match?(PROTOCOL_MATCHER)),
       ]
 
       "<a #{attributes.compact.join(" ")}>#{content}</a>"
@@ -44,7 +44,7 @@ def text(key, options = {})
       interpolation_options = { cascade: true }.merge(options)
 
       # Interpolate any keypaths (e.g., `!some.lookup.path/key!`) found in the text.
-      while text =~ KEYPATH_MATCHER do
+      while text.match?(KEYPATH_MATCHER) do
         text = text.gsub(KEYPATH_MATCHER) { |match| I18n.t($1, **interpolation_options) }
       end
 
diff --git a/test/lib/text_helpers/translation_test.rb b/test/lib/text_helpers/translation_test.rb
index 31cce09..0a30650 100644
--- a/test/lib/text_helpers/translation_test.rb
+++ b/test/lib/text_helpers/translation_test.rb
@@ -119,12 +119,12 @@
         assert_equal "<em>#{@scoped_text}</em>\n", @helper.html(:test_key, inline: true, orphans: true)
       end
 
-      it "renders internal links without a target" do
+      it "renders internal links without a target or rel" do
         assert_equal "<a href=\"/internal/path\">Internal&nbsp;link</a>\n", @helper.html(:internal_link, inline: true)
       end
 
-      it "renders external links with target='_blank'" do
-        assert_equal "<a href=\"http://external.com\" target=\"_blank\">External&nbsp;link</a>\n", @helper.html(:external_link, inline: true)
+      it "renders external links with target='_blank' and rel='noopener'" do
+        assert_equal "<a href=\"http://external.com\" target=\"_blank\" rel=\"noopener\">External&nbsp;link</a>\n", @helper.html(:external_link, inline: true)
       end
 
       it "interpolates values wrapped in !!" do