fix(core): add rel="noopener" in html templates with target="_blank"

This fix a possible vulnerability when opening external links.
tinesoft · Jul 7, 2021 · 4907c35 · 4907c35
1 parent a49b976
commit 4907c35
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -310,9 +310,9 @@ const cookieConfig:NgcCookieConsentConfig = {
   elements:{
     messagelink: `
     <span id="cookieconsent:desc" class="cc-message">{{message}} 
-      <a aria-label="learn more about cookies" tabindex="0" class="cc-link" href="{{cookiePolicyHref}}" target="_blank">{{cookiePolicyLink}}</a>, 
-      <a aria-label="learn more about our privacy policy" tabindex="1" class="cc-link" href="{{privacyPolicyHref}}" target="_blank">{{privacyPolicyLink}}</a> and our 
-      <a aria-label="learn more about our terms of service" tabindex="2" class="cc-link" href="{{tosHref}}" target="_blank">{{tosLink}}</a>
+      <a aria-label="learn more about cookies" tabindex="0" class="cc-link" href="{{cookiePolicyHref}}" target="_blank" rel="noopener">{{cookiePolicyLink}}</a>, 
+      <a aria-label="learn more about our privacy policy" tabindex="1" class="cc-link" href="{{privacyPolicyHref}}" target="_blank" rel="noopener">{{privacyPolicyLink}}</a> and our 
+      <a aria-label="learn more about our terms of service" tabindex="2" class="cc-link" href="{{tosHref}}" target="_blank" rel="noopener">{{tosLink}}</a>
     </span>
     `,
   },

diff --git a/apps/ngx-cookieconsent-demo/src/app/home/home.component.html b/apps/ngx-cookieconsent-demo/src/app/home/home.component.html
@@ -6,13 +6,13 @@
       </div>
       <div class="col-sm-8 text-center text-md-left">
         <h1>ngx-cookieconsent</h1>
-        <p><a href="https://cookieconsent.insites.com/" target="_blank">Cookie Consent</a> module for Angular.</p>
+        <p><a href="https://cookieconsent.insites.com/" target="_blank" rel="noopener">Cookie Consent</a> module for Angular.</p>
         <p>Scroll down to see it in action!</p>
         <p class="buttons">
-          <a class="btn btn-outline-primary btn-lg" href="https://cookieconsent.insites.com/" target="_blank"><i class="fa fa-info fa-lg"></i>  Learn More</a>
-          <a class="btn btn-outline-primary btn-lg" href="doc/index.html" target="_blank"><i class="fa fa-book fa-lg"></i>  Documentation</a>
+          <a class="btn btn-outline-primary btn-lg" href="https://cookieconsent.insites.com/" target="_blank" rel="noopener"><i class="fa fa-info fa-lg"></i>  Learn More</a>
+          <a class="btn btn-outline-primary btn-lg" href="doc/index.html" target="_blank" rel="noopener"><i class="fa fa-book fa-lg"></i>  Documentation</a>
           <a class="btn btn-outline-primary btn-lg" href="#" (click)="editOnStackBlitz()"><i class="fa fa-bolt fa-lg"></i>  Edit on StackBlitz</a>
-          <a class="btn btn-outline-primary btn-lg" href="https://github.com/tinesoft/ngx-cookieconsent" target="_blank" title="Code on Github"><i class="fa fa-github fa-lg"></i> </a>
+          <a class="btn btn-outline-primary btn-lg" href="https://github.com/tinesoft/ngx-cookieconsent" target="_blank" rel="noopener" title="Code on Github"><i class="fa fa-github fa-lg"></i> </a>
         </p>
 
       </div>

diff --git a/apps/ngx-cookieconsent-demo/src/app/home/playground/playground.component.html b/apps/ngx-cookieconsent-demo/src/app/home/playground/playground.component.html
@@ -180,5 +180,5 @@ <h2>Playground</h2>
   </div>
 </div>
 <p>
-    For help and additional options see the <a href="https://cookieconsent.insites.com/documentation" target="_blank">official documentation</a>.
+    For help and additional options see the <a href="https://cookieconsent.insites.com/documentation" target="_blank" rel="noopener">official documentation</a>.
 </p>
diff --git a/apps/ngx-cookieconsent-demo/src/app/shared/footer/footer.component.html b/apps/ngx-cookieconsent-demo/src/app/shared/footer/footer.component.html
@@ -1,6 +1,6 @@
 <footer class="bd-footer text-muted">
 	<div class="container">
-		<p> Coded with <i class="fa fa-heart heart"></i> by <a href="https://github.com/tinesoft" target="_blank">Tine Kondo</a>.</p>
-		<p> Code licensed under <a href="https://raw.githubusercontent.com/tinesoft/ngx-cookieconsent/master/LICENSE" target="_blank">MIT license conditions.</a></p>
+		<p> Coded with <i class="fa fa-heart heart"></i> by <a href="https://github.com/tinesoft" target="_blank" rel="noopener">Tine Kondo</a>.</p>
+		<p> Code licensed under <a href="https://raw.githubusercontent.com/tinesoft/ngx-cookieconsent/master/LICENSE" target="_blank" rel="noopener">MIT license conditions.</a></p>
 	</div>
 </footer>
diff --git a/libs/ngx-cookieconsent/src/lib/model/html-elements.ts b/libs/ngx-cookieconsent/src/lib/model/html-elements.ts
@@ -8,15 +8,15 @@ export class NgcHTMLElements {
 
   message ? = '<span id="cookieconsent:desc" class="cc-message">{{message}}</span>';
 
-  messagelink ? = '<span id="cookieconsent:desc" class="cc-message">{{message}} <a aria-label="learn more about cookies" tabindex="0" class="cc-link" href="{{href}}" target="_blank">{{link}}</a></span>';
+  messagelink ? = '<span id="cookieconsent:desc" class="cc-message">{{message}} <a aria-label="learn more about cookies" tabindex="0" class="cc-link" href="{{href}}" target="_blank" rel="noopener">{{link}}</a></span>';
 
   dismiss ? = '<a aria-label="dismiss cookie message" tabindex="0" class="cc-btn cc-dismiss">{{dismiss}}</a>';
 
   allow ? = '<a aria-label="allow cookies" tabindex="0" class="cc-btn cc-allow">{{allow}}</a>';
 
   deny ? = '<a aria-label="deny cookies" tabindex="0" class="cc-btn cc-deny">{{deny}}</a>';
 
-  link ? = '<a aria-label="learn more about cookies" tabindex="0" class="cc-link" href="{{href}}" target="_blank">{{link}}</a>';
+  link ? = '<a aria-label="learn more about cookies" tabindex="0" class="cc-link" href="{{href}}" target="_blank" rel="noopener">{{link}}</a>';
 
   close ? = '<span aria-label="dismiss cookie message" tabindex="0" class="cc-close">{{close}}</span>';
 

diff --git a/libs/ngx-cookieconsent/src/lib/service/cookieconsent-config.spec.ts b/libs/ngx-cookieconsent/src/lib/service/cookieconsent-config.spec.ts
@@ -76,11 +76,11 @@ describe('cookieconsent-config', () => {
 
         expect(config.elements.header).toEqual( '<span class="cc-header">{{header}}</span>&nbsp;');
         expect(config.elements.message).toEqual( '<span id="cookieconsent:desc" class="cc-message">{{message}}</span>');
-        expect(config.elements.messagelink).toEqual( '<span id="cookieconsent:desc" class="cc-message">{{message}} <a aria-label="learn more about cookies" tabindex="0" class="cc-link" href="{{href}}" target="_blank">{{link}}</a></span>');
+        expect(config.elements.messagelink).toEqual( '<span id="cookieconsent:desc" class="cc-message">{{message}} <a aria-label="learn more about cookies" tabindex="0" class="cc-link" href="{{href}}" target="_blank" rel="noopener">{{link}}</a></span>');
         expect(config.elements.dismiss).toEqual( '<a aria-label="dismiss cookie message" tabindex="0" class="cc-btn cc-dismiss">{{dismiss}}</a>');
         expect(config.elements.allow).toEqual( '<a aria-label="allow cookies" tabindex="0" class="cc-btn cc-allow">{{allow}}</a>');
         expect(config.elements.deny).toEqual( '<a aria-label="deny cookies" tabindex="0" class="cc-btn cc-deny">{{deny}}</a>');
-        expect(config.elements.link).toEqual( '<a aria-label="learn more about cookies" tabindex="0" class="cc-link" href="{{href}}" target="_blank">{{link}}</a>');
+        expect(config.elements.link).toEqual( '<a aria-label="learn more about cookies" tabindex="0" class="cc-link" href="{{href}}" target="_blank" rel="noopener">{{link}}</a>');
         expect(config.elements.close).toEqual( '<span aria-label="dismiss cookie message" tabindex="0" class="cc-close">{{close}}</span>');
         expect(config.elements.compliance).toBeUndefined();
     });