Prevent unsafe links to cross-origin destinations
When using `target="_blank"` to open a link to another page, it's
possible for the JavaScript on this newly opened tab to access the
`window` of the initiating link, allowing content in the DOM to be
modified to something that could deceive or harm the user. The fix for
this is to include the attribute `rel="noopener"` in the anchor tag
alongside `target="_blank"`. This ensures that any new browsing context
created by the hyperlink does not have the `window.opener` browsing
context. More details about this issue can be found here:

https://mathiasbynens.github.io/rel-noopener/

According to the link above, support for the `noopener` value was added
to these browser versions:

  * Chrome 49
  * Firefox 55
  * Desktop Safari 10.1
  * iOS Safari 10.3

It's possible this could be implemented in Microsoft Edge, but I was not
able to confirm that. In order to support this fix on older versions of
the browsers above you have to set the rel attribute to `noreferrer`.
This disables the opener context but also disables the HTTP Referrer
header as well which might have an effect on referrer tracking through
legitimate links.

This was discovered through a customer security scan of an on-premise
Chef Supermarket installation. The recommended solution is to support
both `noopener` and `noreferrer`, however, I think the decision to use
the second value is subjective and should be decided by the product
manager. So long as customer browsers are relatively up to date
(possible big leap?) only supporting `noopener` for now should be
sufficient.

Signed-off-by: Keith Walters <kwalters@taphere.com>
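The `window.opener` exposure the commit message describes, checked from the defender's side: an added example, not part of this commit or of Supermarket, that audits a rendered HTML fragment for anchors whose target creates a new browsing context but that carry neither `rel="noopener"` nor `rel="noreferrer"`. It generalizes past `target="_blank"` to named targets, which also receive an opener, and assumes no `>` characters inside attribute values.

```ruby
# Flags <a> tags whose target creates a new browsing context but that carry
# neither rel="noopener" nor rel="noreferrer" (noreferrer implies noopener).
# Regex-based so it runs without Nokogiri; adequate for rendered fragments such
# as Redcarpet output. Assumption: attribute values contain no '>'.

# Parse the attributes of one opening tag into a Hash, scanning left to right so
# a "target=_blank" that only appears inside an href value is not mistaken for
# a real attribute.
def attributes(tag)
  tag.scan(/([^\s=\/>"']+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/)
     .each_with_object({}) { |(name, dq, sq, bare), h| h[name.downcase] = dq || sq || bare }
end

# _self, _parent and _top navigate an existing context; anything else (_blank
# or a named window) may create a new one that receives window.opener.
def opens_new_context?(attrs)
  target = attrs['target']
  return false if target.nil? || target.empty?
  !%w[_self _parent _top].include?(target.downcase)
end

def noopener?(attrs)
  tokens = attrs['rel'].to_s.downcase.split
  tokens.include?('noopener') || tokens.include?('noreferrer')
end

# Returns the opening tag of every anchor that still exposes its opener.
def unsafe_external_links(html)
  html.scan(/<a\b[^>]*>/i).select do |tag|
    attrs = attributes(tag)
    opens_new_context?(attrs) && !noopener?(attrs)
  end
end

# Constructed sample fragment (not Supermarket output).
SAMPLE_HTML = <<~HTML
  <p><a href="https://example.com/one" target="_blank">missing rel</a></p>
  <p><a href="https://example.com/two" target="_blank" rel="noopener">fixed</a></p>
  <p><a href="https://example.com/three" target='_blank' rel="nofollow noreferrer">noreferrer implies noopener</a></p>
  <p><a href="https://example.com/?target=_blank">target only inside the href</a></p>
  <p><a href="https://example.com/four" target="_self">same tab</a></p>
  <p><a href="https://example.com/five" target="chefwin">named target also gets an opener</a></p>
HTML

if __FILE__ == $PROGRAM_NAME
  unsafe_external_links(SAMPLE_HTML).each { |tag| puts "unsafe: #{tag}" }
end
```

Run against the sample it reports the `/one` and `/five` anchors only; the same check can be dropped into a spec and run over `helper.render_markdown` output.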
cattywampus committed Mar 2, 2020
1 parent 03748bd commit 31a56b5
Showing 7 changed files with 23 additions and 23 deletions.
2 changes: 1 addition & 1 deletion src/supermarket/app/helpers/markdown_helper.rb
Expand Up @@ -7,7 +7,7 @@ class SupermarketRenderer < Redcarpet::Render::Safe

def initialize(extensions = {})
super extensions.merge(
link_attributes: { target: '_blank' },
link_attributes: { target: '_blank', rel: 'noopener' },
with_toc_data: true
)
end
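Review bot: this `link_attributes` change is the one that matters most, because `SupermarketRenderer` sits on `Redcarpet::Render::Safe`, i.e. it renders untrusted markdown whose link destinations the site does not control; consider extracting `{ target: '_blank', rel: 'noopener' }` into a named constant that the views can reuse instead of hand-writing the pair, and leave a comment here recording the still-open `noreferrer` decision from the commit message so it is not lost.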
10 changes: 5 additions & 5 deletions src/supermarket/app/views/layouts/application.html.erb
Expand Up @@ -39,11 +39,11 @@
<% end %>
</ul>
<ul class="off-canvas-list">
<li><%= link_to 'Get Chef', chef_www_url, target: '_blank' %></li>
<li><%= link_to 'Learn Chef', learn_chef_url, target: '_blank' %></li>
<li><%= link_to 'Docs', chef_docs_url, target: '_blank' %></li>
<li><%= link_to 'Training', chef_training_url, target: '_blank' %></li>
<li><%= link_to 'Botbot IRC Logs', 'https://botbot.me/freenode/chef', target: '_blank' %></li>
<li><%= link_to 'Get Chef', chef_www_url, target: '_blank', rel: 'noopener' %></li>
<li><%= link_to 'Learn Chef', learn_chef_url, target: '_blank', rel: 'noopener' %></li>
<li><%= link_to 'Docs', chef_docs_url, target: '_blank', rel: 'noopener' %></li>
<li><%= link_to 'Training', chef_training_url, target: '_blank', rel: 'noopener' %></li>
<li><%= link_to 'Botbot IRC Logs', 'https://botbot.me/freenode/chef', target: '_blank', rel: 'noopener' %></li>
</ul>
</aside>

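Review bot: five `link_to` calls now repeat `target: '_blank', rel: 'noopener'` by hand, which is exactly how the missing `rel` crept in originally; a small view helper (hypothetical name `external_link_to(text, url, **opts)`) that merges those two attributes would keep the next external link added to this layout from silently omitting `rel` again.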
2 changes: 1 addition & 1 deletion src/supermarket/app/views/pages/dashboard.html.erb
Expand Up @@ -53,7 +53,7 @@
<li>Share your cookbook with <code>knife supermarket share COOKBOOK_NAME CATEGORY (options)</code></li>
</ol>

<p><%= link_to 'Read the full share docs.', chef_docs_url('knife_supermarket.html#share'), target: '_blank' %></p>
<p><%= link_to 'Read the full share docs.', chef_docs_url('knife_supermarket.html#share'), target: '_blank', rel: 'noopener' %></p>
<% end %>

<h3>Cookbooks You Collaborate On</h3>
18 changes: 9 additions & 9 deletions src/supermarket/app/views/pages/welcome.html.erb
Expand Up @@ -26,44 +26,44 @@
<%= link_to "Browse Cookbooks", cookbooks_path %>
</li>
<li>
<%= link_to 'Read the Chef Blog', chef_blog_url, target: '_blank' %>
<%= link_to 'Read the Chef Blog', chef_blog_url, target: '_blank', rel: 'noopener' %>
</li>
</ul>
</div>
<div>
<h2>Learn</h2>
<ul>
<li>
<%= link_to 'Learn Chef', learn_chef_url, target: '_blank' %>
<%= link_to 'Learn Chef', learn_chef_url, target: '_blank', rel: 'noopener' %>
</li>
<li>
<%= link_to 'Read the Chef Docs', chef_docs_url, target: '_blank' %>
<%= link_to 'Read the Chef Docs', chef_docs_url, target: '_blank', rel: 'noopener' %>
</li>
<li>
<%= link_to 'Community Guidelines', chef_docs_url('community_guidelines.html'), target: '_blank' %>
<%= link_to 'Community Guidelines', chef_docs_url('community_guidelines.html'), target: '_blank', rel: 'noopener' %>
</li>
<li>
<%= link_to 'How to Contribute', chef_docs_url('community_contributions.html'), target: '_blank' %>
<%= link_to 'How to Contribute', chef_docs_url('community_contributions.html'), target: '_blank', rel: 'noopener' %>
</li>
</ul>
</div>
<div>
<h2>Share</h2>
<ul>
<li>
<%= link_to 'Share your cookbooks', chef_docs_url('knife_supermarket.html#share'), target: '_blank' %>
<%= link_to 'Share your cookbooks', chef_docs_url('knife_supermarket.html#share'), target: '_blank', rel: 'noopener' %>
</li>
<li>
<a href="http://community-slack.chef.io/">Join Chef Community Slack</a>
</li>
<li>
<a href="https://discourse.chef.io/" target="_blank">Join the Chef Mailing List</a>
<a href="https://discourse.chef.io/" target="_blank" rel="noopener">Join the Chef Mailing List</a>
</li>
<li>
<a href="https://github.com/chef/supermarket" target="_blank">Contribute to Supermarket</a>
<a href="https://github.com/chef/supermarket" target="_blank" rel="noopener">Contribute to Supermarket</a>
</li>
<li>
<a href="https://feedback.chef.io" target="_blank">Share Your Ideas for Improving Chef</a>
<a href="https://feedback.chef.io" target="_blank" rel="noopener">Share Your Ideas for Improving Chef</a>
</li>
</ul>
</ul>
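Review bot: the raw `<a>` tags and the `link_to` calls are now consistent, and the Slack link is correctly left alone since it has no `target`; separately, the hunk's trailing context shows `</ul>` followed by a second `</ul>`, whereas every sibling block above closes with `</ul>` then `</div>` and the `<div>` opened before `<h2>Share</h2>` is never closed in the visible lines. Pre-existing and out of scope here, but worth a follow-up fix.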
2 changes: 1 addition & 1 deletion src/supermarket/app/views/tools/_tool.html.erb
Expand Up @@ -25,7 +25,7 @@
<div class="bottom">
<div class="bottom-content">
<% if tool.source_url.present? %>
<%= link_to 'View Source', tool.source_url, class: 'button tiny radius secondary', target: '_blank', itemprop: 'codeRepository' %>
<%= link_to 'View Source', tool.source_url, class: 'button tiny radius secondary', target: '_blank', rel: 'noopener', itemprop: 'codeRepository' %>
<% end %>
<% if policy(tool).update? %>
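Review bot: `tool.source_url` is a destination submitted by the tool's uploader, so this is the one link in the set where the commit message's `noreferrer` trade-off leans the other way: there is no referrer-tracking interest worth preserving toward a host the uploader chose, and `rel: 'noopener noreferrer'` would also cover the older browser versions the message lists.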
6 changes: 3 additions & 3 deletions src/supermarket/app/views/users/_sidebar.html.erb
Expand Up @@ -12,20 +12,20 @@
<% if @user.twitter_username.present? %>
<li class="has-tip" title="<%= posessivize(@user.name) %> Twitter Username">
<a href="https://twitter.com/<%= @user.twitter_username %>" target="_blank"><i class="fa fa-twitter"></i> <%= @user.twitter_username %></a>
<a href="https://twitter.com/<%= @user.twitter_username %>" target="_blank" rel="noopener"><i class="fa fa-twitter"></i> <%= @user.twitter_username %></a>
</li>
<% end %>
<% if current_user %>
<% if current_user.roles.include?('admin') && @user.email.present? %>
<li class="has-tip" title="<%= posessivize(@user.name) %> Email">
<a href="mailto:<%= @user.email %>" target="_blank"><i class="fa fa-envelope"></i> <%= @user.email %></a>
<a href="mailto:<%= @user.email %>" target="_blank" rel="noopener"><i class="fa fa-envelope"></i> <%= @user.email %></a>
</li>
<% end %>
<% end %>
<% @user.accounts.for(:github).each do |account| %>
<li class="has-tip" title="<%= posessivize(@user.name) %> GitHub Username">
<a href="https://github.com/<%= account.username %>" target="_blank"><i class="fa fa-github"></i> <%= account.username %></a>
<a href="https://github.com/<%= account.username %>" target="_blank" rel="noopener"><i class="fa fa-github"></i> <%= account.username %></a>
</li>
<% end %>
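Review bot: the `mailto:` anchor gets `rel="noopener"` as well, which is harmless but moot, since a `mailto:` URL hands off to a mail client and never produces a document that could script `window.opener`; the Twitter and GitHub links are the ones that matter in this hunk, as their path segment comes from the user's stored `twitter_username` and GitHub `account.username`.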
6 changes: 3 additions & 3 deletions src/supermarket/spec/helpers/markdown_helper_spec.rb
Expand Up @@ -18,7 +18,7 @@

it 'auto renders links with target blank' do
expect(helper.render_markdown('http://chef.io')).
to match(Regexp.quote('<a href="http://chef.io" target="_blank">http://chef.io</a>'))
to match(Regexp.quote('<a href="http://chef.io" target="_blank" rel="noopener">http://chef.io</a>'))
end
end
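Review bot: the spec changes only adjust existing expectations to the new attribute; add one example that asserts `rel="noopener"` on its own (for instance `expect(helper.render_markdown('http://chef.io')).to include('rel="noopener"')`) so that a future edit to `link_attributes` fails a test named for this regression rather than one about `target="_blank"`. The literal matches also pin Redcarpet's attribute order, which is acceptable but brittle.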

Expand Down Expand Up @@ -81,7 +81,7 @@

it 'renders only one link when there is a link within a link' do
html = helper.render_markdown('[text](http://example.com " [@chef](/cheffery) ")')
expect(html).to include("<p><a href=\"http://example.com\" title=\" [@chef](/cheffery) \" target=\"_blank\">text</a></p>")
expect(html).to include("<p><a href=\"http://example.com\" title=\" [@chef](/cheffery) \" target=\"_blank\" rel=\"noopener\">text</a></p>")
end

payloads = <<~PAYLOADS
Expand Down Expand Up @@ -161,7 +161,7 @@
it "prevents URL & email detection combining with emphasis, does not put base64 shenanigans into the link" do
payload = "_http://example_@.1 style=background-image:url(data:image/png;base64,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);background-repeat:no-repeat;display:block;width:100%;height:100px; onclick=alert(unescape(/Oh%20No!/.source));return(false);//"
html = helper.render_markdown(payload)
expect(html).to include('<p><em><a href="http://example" target="_blank">http://example</a></em>@.1 style=background-image:url(data:image/png;base64,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);background-repeat:no-repeat;display:block;width:100%;height:100px; onclick=alert(unescape(/Oh%20No!/.source));return(false);//</p>')
expect(html).to include('<p><em><a href="http://example" target="_blank" rel="noopener">http://example</a></em>@.1 style=background-image:url(data:image/png;base64,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);background-repeat:no-repeat;display:block;width:100%;height:100px; onclick=alert(unescape(/Oh%20No!/.source));return(false);//</p>')
end

it "escapes brackets to prevent meta tag manipulation" do
