CVE-2020-14194: Use noopener/noreferrer for external links.

We fixed the main issue of this form in CVE-2020-9444, but the audit done at that time only included links found in rendered_markdown; this change completes our audit for links with target=_blank anywhere in the codebase.
2025-10-23 04:52:12 +00:00 · 2020-05-25 20:15:21 -07:00
parent 2e2004b6c3
commit 6d0c39fd7e
39 changed files with 100 additions and 93 deletions
--- a/static/templates/admin_emoji_list.hbs
+++ b/static/templates/admin_emoji_list.hbs
@@ -5,7 +5,7 @@
    </td>
    <td>
        <span class="emoji_image">
-            <a href="{{source_url}}" target="_blank">
+            <a href="{{source_url}}" target="_blank" rel="noopener noreferrer">
                <img src="{{source_url}}" alt="{{display_name}}" />
            </a>
        </span>
--- a/static/templates/admin_invites_list.hbs
+++ b/static/templates/admin_invites_list.hbs
@@ -2,7 +2,11 @@
 <tr class="invite_row">
    <td>
        {{#if is_multiuse}}
-        <span class="email"><a href="{{link_url}}" target="_blank">{{t 'Invite link'}}</a></span>
+        <span class="email">
            <a href="{{link_url}}" target="_blank" rel="noopener noreferrer">
                {{t 'Invite link'}}
            </a>
        </span>
        {{else}}
        <span class="email">{{email}}</span>
        {{/if}}
--- a/static/templates/recipient_row.hbs
+++ b/static/templates/recipient_row.hbs
@@ -32,7 +32,7 @@
            </span><span class="recipient_bar_controls no-select">
                {{! exterior links (e.g. to a trac ticket) }}
                {{#each topic_links}}
-                <a href="{{this}}" target="_blank" class="no-underline">
+                <a href="{{this}}" target="_blank" rel="noopener noreferrer" class="no-underline">
                    <i class="fa fa-external-link-square" aria-label="{{t 'External link' }}"></i>
                </a>
                {{/each}}
--- a/static/templates/settings/account_settings.hbs
+++ b/static/templates/settings/account_settings.hbs
@@ -39,7 +39,7 @@
            {{#if page_params.two_fa_enabled }}
            <p for="two_factor_auth" class="inline-block title">
                {{t "Two factor authentication" }}: {{#if page_params.two_fa_enabled_user }}{{t "Enabled" }}{{else}}{{t "Disabled" }}{{/if}}
-                <a target="_blank" id="two_factor_auth" href="/account/two_factor/" title="{{t 'Setup two factor authentication' }}">[{{t "Setup" }}]</a>
+                <a target="_blank" rel="noopener noreferrer" id="two_factor_auth" href="/account/two_factor/" title="{{t 'Setup two factor authentication' }}">[{{t "Setup" }}]</a>
            </p>
            {{/if}}
@@ -99,7 +99,7 @@
                            <label for="old_password" class="title">{{t "Old password" }}</label>
                            <input type="password" autocomplete="off" name="old_password" id="old_password" class="w-200 inline-block" value="" />
                            <div class="info">
-                                <a href="/accounts/password/reset/" class="sea-green" target="_blank">{{t "Forgotten it?" }}</a>
+                                <a href="/accounts/password/reset/" class="sea-green" target="_blank" rel="noopener noreferrer">{{t "Forgotten it?" }}</a>
                            </div>
                        </div>
@@ -160,7 +160,7 @@
                        &times;
                    </span>
                    <div id="user-avatar-source">
-                        <a href="https://en.gravatar.com/" target="_blank">{{t "Avatar from Gravatar" }}</a>
+                        <a href="https://en.gravatar.com/" target="_blank" rel="noopener noreferrer">{{t "Avatar from Gravatar" }}</a>
                    </div>
                </div>
                <input type="file" name="user_avatar_file_input" class="notvisible" id="user_avatar_file_input" value="{{t 'Upload profile picture' }}" />
--- a/static/templates/settings/api_key_modal.hbs
+++ b/static/templates/settings/api_key_modal.hbs
@@ -11,7 +11,10 @@
        <div id="password_confirmation">
            <form id="api_key_form">
                <p>{{t "Please re-enter your password to confirm your identity." }}
-                    <a href="/accounts/password/reset/" target="_blank">{{t "Never had one? Forgotten it?" }}</a></p>
+                    <a href="/accounts/password/reset/" target="_blank" rel="noopener noreferrer">
                        {{t "Never had one? Forgotten it?" }}
                    </a>
                </p>
                <div class="control-group">
                    <label for="password" class="control-label">{{t "Current password" }}</label>
                    <input type="password" autocomplete="off" name="password" id="get_api_key_password" value="" />
--- a/static/templates/settings/bot_settings.hbs
+++ b/static/templates/settings/bot_settings.hbs
@@ -2,7 +2,7 @@
    <div class="bot-settings-form">
        {{#unless page_params.is_guest}}
        <div class="tip">
-            {{#tr this}}Looking for our <a href="/integrations" target="_blank">Integrations</a> or <a href="/api" target="_blank">API</a> documentation?{{/tr}}
+            {{#tr this}}Looking for our <a href="/integrations" target="_blank" rel="noopener noreferrer">Integrations</a> or <a href="/api" rel="noopener noreferrer" target="_blank">API</a> documentation?{{/tr}}
        </div>
        <div class="tip bot-settings-tip"></div>
--- a/static/templates/settings/data_exports_admin.hbs
+++ b/static/templates/settings/data_exports_admin.hbs
@@ -1,6 +1,6 @@
 <div id="data-exports" class="settings-section" data-name="data-exports-admin">
    <h3>{{t "Data exports" }}
-        <a href="/help/export-your-organization" target="_blank">
+        <a href="/help/export-your-organization" target="_blank" rel="noopener noreferrer">
            <i class="fa fa-question-circle-o" aria-hidden="true"></i>
        </a>
    </h3>
@@ -10,7 +10,7 @@
        {{t 'Depending on the size of your organization, an export can take anywhere from seconds to an hour.' }}
    </p>
    <p>
-        {{#tr this}}<a href="/help/export-your-organization" target="_blank">Click here</a> to learn about exporting private streams and messages.{{/tr}}
+        {{#tr this}}<a href="/help/export-your-organization" target="_blank" rel="noopener noreferrer">Click here</a> to learn about exporting private streams and messages.{{/tr}}
        {{t 'Note that organizations are limited to five exports per week.' }}
    </p>
--- a/static/templates/settings/deactivated_users_admin.hbs
+++ b/static/templates/settings/deactivated_users_admin.hbs
@@ -1,6 +1,6 @@
 <div id="admin-deactivated-users-list" class="settings-section" data-name="deactivated-users-admin">
    <h3 class="inline-block">{{t "Deactivated users" }}
-        <a href="/help/deactivate-or-reactivate-a-user" target="_blank">
+        <a href="/help/deactivate-or-reactivate-a-user" target="_blank" rel="noopener noreferrer">
            <i class="fa fa-question-circle-o" aria-hidden="true"></i>
        </a>
    </h3>
--- a/static/templates/settings/display_settings.hbs
+++ b/static/templates/settings/display_settings.hbs
@@ -31,7 +31,7 @@
            <div class="input-group">
                <label for="demote_inactive_streams" class="dropdown-title">{{t "Demote inactive streams" }}
-                    <a href="/help/manage-inactive-streams" target="_blank">
+                    <a href="/help/manage-inactive-streams" target="_blank" rel="noopener noreferrer">
                        <i class="fa fa-question-circle-o" aria-hidden="true"></i>
                    </a>
                </label>
--- a/static/templates/settings/linkifier_settings_admin.hbs
+++ b/static/templates/settings/linkifier_settings_admin.hbs
@@ -36,7 +36,7 @@
        </ul>
        <p>
            {{#tr this}}
-            More details are available <a href="/help/add-a-custom-linkification-filter" target="_blank">in the Help Center article</a>.
+            More details are available <a href="/help/add-a-custom-linkification-filter" target="_blank" rel="noopener noreferrer">in the Help Center article</a>.
            {{/tr}}
        </p>
--- a/static/templates/settings/organization_permissions_admin.hbs
+++ b/static/templates/settings/organization_permissions_admin.hbs
@@ -68,7 +68,7 @@
                <div class="input-group">
                    <label for="realm_waiting_period_setting" class="dropdown-title">
                        {{t "Waiting period before new members turn into full members" }}
-                        <a href="/help/restrict-permissions-of-new-members" target="_blank">
+                        <a href="/help/restrict-permissions-of-new-members" target="_blank" rel="noopener noreferrer">
                            <i class="fa fa-question-circle-o" aria-hidden="true"></i>
                        </a>
                    </label>
@@ -132,7 +132,7 @@
                <div class="input-group">
                    <label for="realm_email_address_visibility">{{t "Who can access user email addresses" }}
-                        <a href="/help/restrict-visibility-of-email-addresses" target="_blank">
+                        <a href="/help/restrict-visibility-of-email-addresses" target="_blank" rel="noopener noreferrer">
                            <i class="fa fa-question-circle-o" aria-hidden="true"></i>
                        </a>
                    </label>
--- a/static/templates/settings/organization_profile_admin.hbs
+++ b/static/templates/settings/organization_profile_admin.hbs
@@ -5,7 +5,7 @@
        <div id="org-org-profile" class="org-subsection-parent">
            <div class="subsection-header">
                <h3>{{t "Organization profile" }}
-                    <a href="/help/create-your-organization-profile" target="_blank">
+                    <a href="/help/create-your-organization-profile" target="_blank" rel="noopener noreferrer">
                        <i class="fa fa-question-circle-o" aria-hidden="true"></i>
                    </a>
                </h3>
@@ -45,20 +45,20 @@
                  id="realm_icon_delete_button">{{t 'Delete profile picture' }}</button>
            </div>
        </div>
-        <a href="/login/?preview=true" target="_blank" class="button rounded sea-green w-200 block" id="id_org_profile_preview">
+        <a href="/login/?preview=true" target="_blank" rel="noopener noreferrer" class="button rounded sea-green w-200 block" id="id_org_profile_preview">
            {{t 'Preview organization profile' }}
            <i class="fa fa-external-link" aria-hidden="true" title="{{t 'Preview organization profile' }}"></i>
        </a>
        <div class="subsection-header">
            <h3>{{t "Organization logo" }}
-                <a href="/help/create-your-organization-profile#add-a-wide-logo" target="_blank">
+                <a href="/help/create-your-organization-profile#add-a-wide-logo" target="_blank" rel="noopener noreferrer">
                    <i class="fa fa-question-circle-o" aria-hidden="true"></i>
                </a>
            </h3>
            <div>
                {{#unless plan_includes_wide_organization_logo}}
-                <a href="/upgrade" class="upgrade-tip" target="_blank">
+                <a href="/upgrade" class="upgrade-tip" target="_blank" rel="noopener noreferrer">
                    {{upgrade_text_for_wide_organization_logo}}
                </a>
                {{/unless}}
--- a/static/templates/settings/organization_settings_admin.hbs
+++ b/static/templates/settings/organization_settings_admin.hbs
@@ -6,7 +6,7 @@
        <div id="org-msg-editing" class="org-subsection-parent">
            <div class="subsection-header">
                <h3>{{t "Message editing" }}
-                    <a href="/help/configure-message-editing-and-deletion" target="_blank">
+                    <a href="/help/configure-message-editing-and-deletion" target="_blank" rel="noopener noreferrer">
                        <i class="fa fa-question-circle-o" aria-hidden="true"></i>
                    </a>
                </h3>
@@ -191,7 +191,7 @@
                        {{/each}}
                    </select>
                    <div id="google_hangouts_domain">
-                        <label>{{t 'Domain for your <a href="https://gsuite.google.com" target="_blank">G Suite team</a> (required)' }}:</label>
+                        <label>{{t 'Domain for your <a href="https://gsuite.google.com" target="_blank" rel="noopener noreferrer">G Suite team</a> (required)' }}:</label>
                        <input type="text" id="id_realm_google_hangouts_domain"
                          name="realm_google_hangouts_domain"
                          autocomplete="off"
--- a/static/templates/settings/upload_space_stats.hbs
+++ b/static/templates/settings/upload_space_stats.hbs
@@ -1,4 +1,4 @@
 <span>
    {{#tr this}}Organization using __percent_used__% of __upload_quota__.{{/tr}}
-    {{#if show_upgrade_message}}{{#tr this}}<a href="/upgrade" target="_blank">Upgrade</a> for more space.{{/tr}}{{/if}}
+    {{#if show_upgrade_message}}{{#tr this}}<a href="/upgrade" target="_blank" rel="noopener noreferrer">Upgrade</a> for more space.{{/tr}}{{/if}}
 </span>
--- a/static/templates/stream_creation_form.hbs
+++ b/static/templates/stream_creation_form.hbs
@@ -24,7 +24,7 @@
                    {{t "Stream permissions" }}
                </div>
                <div class="stream-creation-info">
-                    {{t 'These settings are explained in detail in the <a target="_blank" href="/help/stream-permissions">help center</a>.'}}
+                    {{t 'These settings are explained in detail in the <a target="_blank" rel="noopener noreferrer" href="/help/stream-permissions">help center</a>.'}}
                </div>
                {{> stream_types is_public=true }}
--- a/static/templates/subscription_settings.hbs
+++ b/static/templates/subscription_settings.hbs
@@ -74,7 +74,7 @@
            <div class="stream-email-box" {{#unless sub.email_address}}style="display: none;"{{/unless}}>
                <label class="sub_settings_title">
                    {{t "Email address" }}
-                    <a href="/help/message-a-stream-by-email" target="_blank">
+                    <a href="/help/message-a-stream-by-email" target="_blank" rel="noopener noreferrer">
                        <i class="fa fa-question-circle-o" aria-hidden="true"></i>
                    </a>
                </label>
--- a/static/templates/subscription_table_body.hbs
+++ b/static/templates/subscription_table_body.hbs
@@ -31,7 +31,7 @@
                <div class="nothing-selected">
                    {{#if can_create_streams}}
                    <button type="button" class="create_stream_button button small rounded">{{t 'Create stream' }}</button>
-                    <span>{{t 'First time? Read our <a href="/help/getting-your-organization-started-with-zulip#create-streams" target="_blank">guidelines</a> for creating and naming streams.' }}</span>
+                    <span>{{t 'First time? Read our <a href="/help/getting-your-organization-started-with-zulip#create-streams" target="_blank" rel="noopener noreferrer">guidelines</a> for creating and naming streams.' }}</span>
                    {{/if}}
                </div>
                <div class="settings" data-simplebar data-simplebar-auto-hide="false">
--- a/static/templates/uploaded_files_list.hbs
+++ b/static/templates/uploaded_files_list.hbs
@@ -1,7 +1,7 @@
 {{#with attachment}}
 <tr class="uploaded_file_row" id="{{name}}" data-attachment-id="{{id}}">
    <td>
-        <a type="submit" href="/user_uploads/{{path_id}}" target="_blank" title="{{t 'View file' }}">
+        <a type="submit" href="/user_uploads/{{path_id}}" target="_blank" rel="noopener noreferrer" title="{{t 'View file' }}">
            {{ name }}
        </a>
    </td>
--- a/static/templates/user_groups_admin.hbs
+++ b/static/templates/user_groups_admin.hbs
@@ -9,7 +9,7 @@
    {{#unless is_guest}}
        <p>
-            {{#tr this}}User groups allow you to <a href="/help/mention-a-user-or-group" target="_blank">mention</a> multiple users at once. When you mention a user group, everyone in the group is notified as if they were individually mentioned.{{/tr}}
+            {{#tr this}}User groups allow you to <a href="/help/mention-a-user-or-group" target="_blank" rel="noopener noreferrer">mention</a> multiple users at once. When you mention a user group, everyone in the group is notified as if they were individually mentioned.{{/tr}}
        </p>
        {{#if (or is_admin (eq realm_user_group_edit_policy USER_GROUP_EDIT_POLICY_MEMBERS))}}
        <form class="form-horizontal admin-user-group-form">
--- a/static/templates/user_profile_modal.hbs
+++ b/static/templates/user_profile_modal.hbs
@@ -50,9 +50,9 @@
                        <div class="input" contenteditable="false" style="display: none;"></div>
                    </div>
                    {{else if this.is_link}}
-                    <a href="{{this.value}}" target="_blank" class="value">{{this.value}}</a>
+                    <a href="{{this.value}}" target="_blank" rel="noopener noreferrer" class="value">{{this.value}}</a>
                    {{else if this.is_external_account}}
-                    <a href="{{this.link}}" target="_blank" class="value">{{this.value}}</a>
+                    <a href="{{this.link}}" target="_blank" rel="noopener noreferrer" class="value">{{this.value}}</a>
                {{else}}
                    {{#if this.rendered_value}}
                    <div class="value rendered_markdown">{{rendered_markdown this.rendered_value}}</div>
--- a/templates/analytics/realm_details.html
+++ b/templates/analytics/realm_details.html
@@ -1,8 +1,8 @@
 <span class="label">realm</span>
 <h3><img src="{{ realm_icon_url(realm) }}" class="support-realm-icon"> {{ realm.name }}</h3>
-<b>URL</b>: <a target="_blank" href="{{ realm.uri }}">{{ realm.uri }}</a> |
+<b>URL</b>: <a target="_blank" rel="noopener noreferrer" href="{{ realm.uri }}">{{ realm.uri }}</a> |
-<a target="_blank" href="/stats/realm/{{ realm.string_id }}/">stats</a> |
+<a target="_blank" rel="noopener noreferrer" href="/stats/realm/{{ realm.string_id }}/">stats</a> |
-<a target="_blank" href="/realm_activity/{{ realm.string_id }}/">activity</a><br>
+<a target="_blank" rel="noopener noreferrer" href="/realm_activity/{{ realm.string_id }}/">activity</a><br>
 <b>Date created</b>: {{ realm.date_created|timesince }} ago<br>
 <b>Admins</b>: {{ realm_admin_emails(realm) }}
 <a title="Copy emails" class="copy-button" data-copytext="{{ realm_admin_emails(realm) }}">
--- a/templates/zerver/accounts_accept_terms.html
+++ b/templates/zerver/accounts_accept_terms.html
@@ -40,7 +40,7 @@ the registration flow has its own (nearly identical) copy of the fields below in
                        <input id="id_terms" class="required" type="checkbox" name="terms"
                          {% if form.terms.value() %}checked="checked"{% endif %} />
                        <span></span>
-                        {% trans %}I agree to the <a href="{{ root_domain_uri }}/terms" target="_blank">Terms of Service</a>.{% endtrans %}
+                        {% trans %}I agree to the <a href="{{ root_domain_uri }}/terms" target="_blank" rel="noopener noreferrer">Terms of Service</a>.{% endtrans %}
                    </label>
                    {% if form.terms.errors %}
                        {% for error in form.terms.errors %}
--- a/templates/zerver/app/home.html
+++ b/templates/zerver/app/home.html
@@ -13,7 +13,7 @@
            <i class="fa fa-exclamation-circle" aria-hidden="true"></i>
            {% trans %}
            Some older messages are unavailable.
-            <a href="/plans/" target="_blank">Upgrade your organization</a>
+            <a href="/plans/" target="_blank" rel="noopener noreferrer">Upgrade your organization</a>
            to access your full message history.
            {% endtrans %}
        </p>
@@ -24,7 +24,7 @@
            {% trans %}
            End of results from your
            <a href="/help/search-for-messages#searching-shared-history"
-              target="_blank">personal history</a>.
+              target="_blank" rel="noopener noreferrer">personal history</a>.
            Consider <a class="search-shared-history" href="">searching all public streams</a>.
            {% endtrans %}
        </p>
--- a/templates/zerver/app/index.html
+++ b/templates/zerver/app/index.html
@@ -78,7 +78,7 @@
                We recommend that
                you <a class="webathena_login">give Zulip the ability to mirror the messages for you via
                WebAthena</a>.  If you'd prefer, you can instead
-                <a href="/zephyr-mirror" target="_blank">run the
+                <a href="/zephyr-mirror" target="_blank" rel="noopener noreferrer">run the
                Zephyr mirror script yourself</a> in a screen
                session.
            </span>
--- a/templates/zerver/app/keyboard_shortcuts.html
+++ b/templates/zerver/app/keyboard_shortcuts.html
@@ -308,6 +308,6 @@
            </table>
        </div>
        <hr/>
-        <a href="/help/keyboard-shortcuts" target="_blank">{% trans %}Detailed keyboard shortcuts documentation{% endtrans %}</a>
+        <a href="/help/keyboard-shortcuts" target="_blank" rel="noopener noreferrer">{% trans %}Detailed keyboard shortcuts documentation{% endtrans %}</a>
    </div>
 </div>
--- a/templates/zerver/app/lightbox_overlay.html
+++ b/templates/zerver/app/lightbox_overlay.html
@@ -10,7 +10,7 @@
                <div class="title">{{ _('Pan &amp; Zoom') }}</div>
                <div class="status" data-disabled="{{ _('Disabled') }}" data-enabled="{{ _('Enabled') }}"></div>
            </div>
-            <a class="button small open" target="_blank">{{ _('Open') }}</a>
+            <a class="button small open" rel="noopener noreferrer" target="_blank">{{ _('Open') }}</a>
            <a class="button small download" download>{{ _('Download') }}</a>
        </div>
        <div class="clear-float"></div>
--- a/templates/zerver/app/markdown_help.html
+++ b/templates/zerver/app/markdown_help.html
@@ -26,7 +26,7 @@
                    </tr>
                    <tr>
                        <td>[Zulip website](https://zulip.org) (or <kbd>Ctrl + Shift + L</kbd>)</td>
-                        <td class="rendered_markdown"><a href="https://zulip.org" target="_blank">Zulip website</a></td>
+                        <td class="rendered_markdown"><a href="https://zulip.org" target="_blank" rel="noopener noreferrer">Zulip website</a></td>
                    </tr>
                    <tr>
                        <td>* Milk<br/>
@@ -61,7 +61,7 @@
                        </td>
                    </tr>
                    <tr>
-                        <td>:heart: (and <a href="http://www.emoji-cheat-sheet.com/" target="_blank">many others</a>, from the <a href="https://code.google.com/p/noto/" target="_blank">Noto Project</a>)</td>
+                        <td>:heart: (and <a href="http://www.emoji-cheat-sheet.com/" target="_blank" rel="noopener noreferrer">many others</a>, from the <a href="https://code.google.com/p/noto/" target="_blank" rel="noopener noreferrer">Noto Project</a>)</td>
                        <td class="rendered_markdown"><img alt=":heart:" class="emoji" src="/static/generated/emoji/images/emoji/heart.png" title=":heart:" /></td>
                    </tr>
                    <tr>
@@ -113,7 +113,7 @@ def zulip():
                    </tr>
                    <tr>
                        <td colspan="2">{% trans %}To add syntax highlighting to a multi-line code block,
-                          add the language's <b>first</b> <a target="_blank" href="http://pygments.org/docs/lexers/">Pygments short name</a>
+                          add the language's <b>first</b> <a target="_blank" rel="noopener noreferrer" href="http://pygments.org/docs/lexers/">Pygments short name</a>
                          after the first set of back-ticks.
                          You can also make a code block by indenting each line with 4 spaces.{% endtrans %}</td>
                    </tr>
@@ -143,9 +143,9 @@ Quoted block
                        </td>
                    </tr>
                    <tr>
-                        <td class="rendered_markdown" colspan="2">{% trans %}You can also make <a target="_blank"
+                        <td class="rendered_markdown" colspan="2">{% trans %}You can also make <a target="_blank" rel="noopener noreferrer"
                            href="https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet#wiki-tables">tables</a>
-                            with this <a target="_blank"
+                            with this <a target="_blank" rel="noopener noreferrer"
                                          href="https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet#wiki-tables">Markdown-ish
                        table syntax</a>.{% endtrans %}</td>
                    </tr>
@@ -153,6 +153,6 @@ Quoted block
            </table>
        </div>
    <hr/>
-    <a href="/help/format-your-message-using-markdown" target="_blank">Detailed message formatting documentation</a>
+    <a href="/help/format-your-message-using-markdown" target="_blank" rel="noopener noreferrer">Detailed message formatting documentation</a>
    </div>
 </div>
--- a/templates/zerver/app/navbar.html
+++ b/templates/zerver/app/navbar.html
@@ -80,7 +80,7 @@
                            </li>
                            <li class="divider"></li>
                            <li role="presentation">
-                                <a href="/help" target="_blank" role="menuitem">
+                                <a href="/help" target="_blank" rel="noopener noreferrer" role="menuitem">
                                    <i class="fa fa-question-circle" aria-hidden="true"></i> {{ _('Help center') }}
                                </a>
                            </li>
@@ -101,23 +101,23 @@
                            </li>
                            <li class="divider" role="presentation"></li>
                            <li role="presentation">
-                                <a href="{{ apps_page_url }}" target="_blank" role="menuitem">
+                                <a href="{{ apps_page_url }}" target="_blank" rel="noopener noreferrer" role="menuitem">
                                    <i class="fa fa-desktop" aria-hidden="true"></i> {{ _('Desktop & mobile apps') }}
                                </a>
                            </li>
                            <li role="presentation">
-                                <a href="/integrations" target="_blank" role="menuitem">
+                                <a href="/integrations" target="_blank" rel="noopener noreferrer" role="menuitem">
                                    <i class="fa fa-github" aria-hidden="true"></i> {{ _('Integrations') }}
                                </a>
                            </li>
                            <li role="presentation">
-                                <a href="/api" target="_blank" role="menuitem">
+                                <a href="/api" target="_blank" rel="noopener noreferrer" role="menuitem">
                                    <i class="fa fa-sitemap" aria-hidden="true"></i> {{ _('API documentation') }}
                                </a>
                            </li>
                            {% if not is_guest %}
                            <li role="presentation">
-                                <a href="/stats" target="_blank" role="menuitem">
+                                <a href="/stats" target="_blank" rel="noopener noreferrer" role="menuitem">
                                    <i class="fa fa-bar-chart" aria-hidden="true"></i>
                                    <span>{{ _('Statistics') }}</span>
                                </a>
@@ -125,14 +125,14 @@
                            {% endif %}
                            {% if show_plans %}
                            <li role="presentation">
-                                <a href="/plans" target="_blank" role="menuitem">
+                                <a href="/plans" target="_blank" rel="noopener noreferrer" role="menuitem">
                                    <i class="fa fa-rocket" aria-hidden="true"></i> {{ _('Plans and pricing') }}
                                </a>
                            </li>
                            {% endif %}
                            {% if show_billing %}
                            <li role="presentation">
-                                <a href="/billing" target="_blank" role="menuitem">
+                                <a href="/billing" target="_blank" rel="noopener noreferrer" role="menuitem">
                                    <i class="fa fa-credit-card" aria-hidden="true"></i> {{ _('Billing') }}
                                </a>
                            </li>
--- a/templates/zerver/app/navbar_alerts.html
+++ b/templates/zerver/app/navbar_alerts.html
@@ -21,7 +21,7 @@
        <span class="close" data-dismiss="alert" aria-label="{{ _('Close') }}">&times;</span>
        <div data-step="1">
            {% trans %}Zulip needs to send email to confirm users' addresses and send notifications.{% endtrans %}
-            <a class="alert-link" href="https://zulip.readthedocs.io/en/latest/production/email.html" target="_blank">
+            <a class="alert-link" href="https://zulip.readthedocs.io/en/latest/production/email.html" target="_blank" rel="noopener noreferrer">
                {% trans %}See how to configure email.{% endtrans %}
            </a>
        </div>
@@ -31,7 +31,7 @@
        <div data-step="1">
            {% trans %}
            You are using an old version of the Zulip desktop app with known security bugs.
-            <a class="alert-link" href="https://zulipchat.com/apps" target="_blank">
+            <a class="alert-link" href="https://zulipchat.com/apps" target="_blank" rel="noopener noreferrer">
                Download the latest version.
            </a>
            {% endtrans %}
--- a/templates/zerver/app/search_operators.html
+++ b/templates/zerver/app/search_operators.html
@@ -113,6 +113,6 @@
            {% endtrans %}
        </p>
        <hr/>
-        <a href="/help/search-for-messages#search-operators" target="_blank">{% trans %}Detailed search operators documentation{% endtrans %}</a>
+        <a href="/help/search-for-messages#search-operators" target="_blank" rel="noopener noreferrer">{% trans %}Detailed search operators documentation{% endtrans %}</a>
    </div>
 </div>
--- a/templates/zerver/apps.html
+++ b/templates/zerver/apps.html
@@ -22,7 +22,7 @@
                    <div class="cta">
                        <h1>Zulip for <span class="platform"></span></h1>
                        <p class="description"></p>
-                        <p class="download-instructions">For download instructions, go to the <a class="silver bold" href="/help/desktop-app-install-guide" target="_blank">desktop app install guide</a>.</p>
+                        <p class="download-instructions">For download instructions, go to the <a class="silver bold" href="/help/desktop-app-install-guide" target="_blank" rel="noopener noreferrer">desktop app install guide</a>.</p>
                        <a class="link no-action" href=""><span class="button green">Download Zulip for <span class="platform"></span></span></a>
                        <span id="download-android-apk"><a href="https://github.com/zulip/zulip-mobile/releases/latest">or manually download APK</a></span>
                    </div>
--- a/templates/zerver/config_error.html
+++ b/templates/zerver/config_error.html
@@ -37,7 +37,7 @@
                        {% else %}
                        <p>
                            Please have a look at our
-                            <a target="_blank" href="https://zulip.readthedocs.io/en/latest/subsystems/email.html#development-and-testing">
+                            <a target="_blank" rel="noopener noreferrer" href="https://zulip.readthedocs.io/en/latest/subsystems/email.html#development-and-testing">
                            setup guide</a> for forwarding emails sent in development
                            environment to an email account.
                        </p>
--- a/templates/zerver/email_log.html
+++ b/templates/zerver/email_log.html
@@ -49,7 +49,7 @@
                    <br/>
                    <div class="alert alert-info">
                        You must setup SMTP as described
-                        <a target="_blank" href="https://zulip.readthedocs.io/en/latest/subsystems/email.html#development-and-testing">
+                        <a target="_blank" rel="noopener noreferrer" href="https://zulip.readthedocs.io/en/latest/subsystems/email.html#development-and-testing">
                        here</a> first before enabling this.
                    </div>
                </form>
--- a/templates/zerver/features.html
+++ b/templates/zerver/features.html
@@ -94,7 +94,7 @@
            <p>Communicate as efficiently as you use your favorite
                text editor.  Anything you can do with a mouse, you
                can do even faster from the keyboard.
-                <a class="cta" href="/help/keyboard-shortcuts" target="_blank">
+                <a class="cta" href="/help/keyboard-shortcuts" target="_blank" rel="noopener noreferrer">
                Learn more about keyboard shortcuts.</a>
            </p>
        </div>
@@ -104,7 +104,7 @@
    <section>
        <h2>Apps, Integrations, and API</h2>
-        <a class="feature-block" href="/integrations" target="_blank">
+        <a class="feature-block" href="/integrations" target="_blank" rel="noopener noreferrer">
            <h3>INTEGRATIONS</h3>
            <p>
                Get alerts and updates from your favorite services with
@@ -112,7 +112,7 @@
                Jenkins, and more.
            </p>
        </a>
-        <a class="feature-block" href="/api" target="_blank">
+        <a class="feature-block" href="/api" target="_blank" rel="noopener noreferrer">
            <h3>API</h3>
            <p>
                Want to roll your own notifications? We've got a
@@ -120,12 +120,12 @@
                integrations—both sending and receiving—a snap!
            </p>
        </a>
-        <a class="feature-block" href="/apps" target="_blank">
+        <a class="feature-block" href="/apps" target="_blank" rel="noopener noreferrer">
            <h3>MOBILE APPS</h3>
            <p>Keep up while on the go with our native quality iOS and
            Android apps.</p>
        </a>
-        <a class="feature-block" href="/apps" target="_blank">
+        <a class="feature-block" href="/apps" target="_blank" rel="noopener noreferrer">
            <h3>DESKTOP APPS</h3>
            <p>Prefer Zulip in its own window and rich, OS-level
            notifications? Enjoy Zulip on your desktop.</p>
@@ -139,14 +139,14 @@
    <section>
        <h2>And everything else you need...</h2>
-        <a class="feature-block" href="/security" target="_blank">
+        <a class="feature-block" href="/security" target="_blank" rel="noopener noreferrer">
            <h3>ENTERPRISE-GRADE SECURITY</h3>
            <p>
                Zulip is used by some of the most security-conscious
                organizations in the world.
            </p>
        </a>
-        <a class="feature-block" href="/help/search-for-messages" target="_blank">
+        <a class="feature-block" href="/help/search-for-messages" target="_blank" rel="noopener noreferrer">
            <h3>FULL-TEXT FULL-HISTORY SEARCH</h3>
            <p>
                Search is both snappy and smart, helping you look for
@@ -154,31 +154,31 @@
                search operators for fine-grained control.
            </p>
        </a>
-        <a class="feature-block" href="/help/stream-permissions" target="_blank">
+        <a class="feature-block" href="/help/stream-permissions" target="_blank" rel="noopener noreferrer">
            <h3>HISTORY</h3>
            <p>Join a stream and see its history, so even new team
            members are never out of the loop.</p>
        </a>
-        <a class="feature-block" href="/help/star-a-message" target="_blank">
+        <a class="feature-block" href="/help/star-a-message" target="_blank" rel="noopener noreferrer">
            <h3>STARRED MESSAGES</h3>
            <p>Keep a todo list of messages to come back to, or keep
            track of interesting conversations.</p>
        </a>
-        <a class="feature-block" href="/help/analytics" target="_blank">
+        <a class="feature-block" href="/help/analytics" target="_blank" rel="noopener noreferrer">
            <h3>STATISTICS</h3>
            <p>Zulip has a powerful set of analytics available to
            help you see how your organization communicates.</p>
        </a>
-        <a class="feature-block" href="/help/private-messages" target="_blank">
+        <a class="feature-block" href="/help/private-messages" target="_blank" rel="noopener noreferrer">
            <h3>ONE-ON-ONE AND GROUP PRIVATE CONVERSATIONS</h3>
            <p>Lightweight private conversations with one or as many people as you need.</p>
        </a>
-        <a class="feature-block" href="/help/status-and-availability" target="_blank">
+        <a class="feature-block" href="/help/status-and-availability" target="_blank" rel="noopener noreferrer">
            <h3>TEAM AVAILABILITY</h3>
            <p>See who is currently online at a glance.</p>
        </a>
-        <a class="feature-block" href="/help/stream-permissions" target="_blank">
+        <a class="feature-block" href="/help/stream-permissions" target="_blank" rel="noopener noreferrer">
            <h3>PRIVATE STREAMS</h3>
            <p>Enjoy the benefits of threaded conversations while
            controlling your audience and privacy.</p>
@@ -188,7 +188,7 @@
            <p>We're always receiving messages for you, even when
            you're logged out or away from your computer.</p>
        </div>
-        <a class="feature-block" href="/help/edit-or-delete-a-message" target="_blank">
+        <a class="feature-block" href="/help/edit-or-delete-a-message" target="_blank" rel="noopener noreferrer">
            <h3>MESSAGE EDITING</h3>
            <p>Don't worry, you can always fix that typo, either in
            the body of message or its topic.</p>
@@ -197,12 +197,12 @@
            <h3>TYPING NOTIFICATIONS</h3>
            <p>Know when other users are composing messages to you.</p>
        </div>
-        <a class="feature-block" href="/help/view-and-edit-your-message-drafts" target="_blank">
+        <a class="feature-block" href="/help/view-and-edit-your-message-drafts" target="_blank" rel="noopener noreferrer">
            <h3>SAVED DRAFTS</h3>
            <p>Zulip's drafts make it easy to write longer messages
            without worrying about losing your work.</p>
        </a>
-        <a class="feature-block" href="https://zulip.readthedocs.io/en/latest/contributing/accessibility.html" target="_blank">
+        <a class="feature-block" href="https://zulip.readthedocs.io/en/latest/contributing/accessibility.html" target="_blank" rel="noopener noreferrer">
            <h3>ACCESSIBILITY</h3>
            <p>
                Zulip follows best practices for accessibility, and has
@@ -210,22 +210,22 @@
                tools.
            </p>
        </a>
-        <a class="feature-block" href="/help/about-streams-and-topics" target="_blank">
+        <a class="feature-block" href="/help/about-streams-and-topics" target="_blank" rel="noopener noreferrer">
            <h3>CONVERSATIONS THREADED BY TOPIC</h3>
            <p>Participate in several conversations with the same
            group at once, without getting lost or overwhelmed.</p>
        </a>
-        <a class="feature-block" href="/help/reading-strategies" target="_blank">
+        <a class="feature-block" href="/help/reading-strategies" target="_blank" rel="noopener noreferrer">
            <h3>CATCH UP IN NO TIME</h3>
            <p>With topics, hotkeys and snappy performance, usefully
            reviewing hundreds of messages takes just minutes.</p>
        </a>
-        <a class="feature-block" href="/help/change-your-language" target="_blank">
+        <a class="feature-block" href="/help/change-your-language" target="_blank" rel="noopener noreferrer">
            <h3>FULLY INTERNATIONALIZED</h3>
            <p>The Zulip UI is fully internationalized and has been
            translated into over a dozen languages.</p>
        </a>
-        <a class="feature-block" href="/help/configure-authentication-methods" target="_blank">
+        <a class="feature-block" href="/help/configure-authentication-methods" target="_blank" rel="noopener noreferrer">
            <h3>CUSTOMIZABLE LOGIN AND REGISTRATION</h3>
            <p>
                Customize the available authentication methods and
@@ -233,35 +233,35 @@
                organization using Markdown.
            </p>
        </a>
-        <a class="feature-block" href="/help/start-a-call" target="_blank">
+        <a class="feature-block" href="/help/start-a-call" target="_blank" rel="noopener noreferrer">
            <h3>VIDEO CALLS</h3>
            <p>
                Create and join video calls with a single click. Powered
                by your choice of Zoom, Jitsi Meet, or Google Hangouts.
            </p>
        </a>
-        <a class="feature-block" href="/help/configure-authentication-methods" target="_blank">
+        <a class="feature-block" href="/help/configure-authentication-methods" target="_blank" rel="noopener noreferrer">
            <h3>FLEXIBLE AUTHENTICATION</h3>
            <p>
                Supported authentication providers include LDAP, SAML,
                Google, GitHub, and more.
            </p>
        </a>
-        <a class="feature-block" href="/help/import-from-slack" target="_blank">
+        <a class="feature-block" href="/help/import-from-slack" target="_blank" rel="noopener noreferrer">
            <h3>DATA IMPORT</h3>
            <p>
                Import an existing Slack, Mattermost, HipChat, Stride,
                or Gitter workspace into Zulip.
            </p>
        </a>
-        <a class="feature-block" href="/help/add-custom-profile-fields" target="_blank">
+        <a class="feature-block" href="/help/add-custom-profile-fields" target="_blank" rel="noopener noreferrer">
            <h3>CUSTOM PROFILE FIELDS</h3>
            <p>
                Use Zulip to store directory information, links to social
                media profiles, food preferences, or anything else.
            </p>
        </a>
-        <a class="feature-block" href="/help/roles-and-permissions" target="_blank">
+        <a class="feature-block" href="/help/roles-and-permissions" target="_blank" rel="noopener noreferrer">
            <h3>GUESTS</h3>
            <p>
                Guests cannot see or join streams unless they are explicitly
@@ -269,33 +269,33 @@
                contractors.
            </p>
        </a>
-        <a class="feature-block" href="/help/create-your-organization-profile" target="_blank">
+        <a class="feature-block" href="/help/create-your-organization-profile" target="_blank" rel="noopener noreferrer">
            <h3>CUSTOM BRANDING</h3>
            <p>
                Use your logo instead of Zulip's in the desktop and webapp.
            </p>
        </a>
-        <a class="feature-block" href="/integrations/communication" target="_blank">
+        <a class="feature-block" href="/integrations/communication" target="_blank" rel="noopener noreferrer">
            <h3>INTEGRATE WITH IRC, MATRIX, OR SLACK</h3>
            <p>
                Two way integrations with IRC and Matrix, and one way
                integration with Slack.
            </p>
        </a>
-        <a class="feature-block" href="/help/moderating-open-organizations" target="_blank">
+        <a class="feature-block" href="/help/moderating-open-organizations" target="_blank" rel="noopener noreferrer">
            <h3>MODERATION</h3>
            <p>
                A full suite of tools for moderating open communities.
            </p>
        </a>
-        <a class="feature-block" href="/help/export-your-organization" target="_blank">
+        <a class="feature-block" href="/help/export-your-organization" target="_blank" rel="noopener noreferrer">
            <h3>DATA EXPORTS</h3>
            <p>
                No vendor lock-in. Export your hosted Zulip to an
                on-premises installation at any time.
            </p>
        </a>
-        <a class="feature-block" href="https://github.com/zulip/zulip/" target="_blank">
+        <a class="feature-block" href="https://github.com/zulip/zulip/" target="_blank" rel="noopener noreferrer">
            <h3>YOUR FEATURE HERE</h3>
            <p>Zulip is open source, so if something important for
            your use case is missing, you can make it happen!</p>
--- a/templates/zerver/insecure_desktop_app.html
+++ b/templates/zerver/insecure_desktop_app.html
@@ -26,7 +26,7 @@
                    {% endif %}
                    <p>
-                        <a href="https://zulipchat.com/apps" target="_blank">
+                        <a href="https://zulipchat.com/apps" target="_blank" rel="noopener noreferrer">
                            {{ _("Download the latest release.") }}
                        </a>
                    </p>
--- a/templates/zerver/plans.html
+++ b/templates/zerver/plans.html
@@ -150,7 +150,7 @@
                                    <div class="pricing-details">
                                        Pricing varies with support required
                                    </div>
-                                    <a href="mailto:sales@zulipchat.com" target="_blank" class="no-action button green">
+                                    <a href="mailto:sales@zulipchat.com" target="_blank" rel="noopener noreferrer" class="no-action button green">
                                        Contact sales
                                    </a>
                                </div>
--- a/templates/zerver/realm_redirect.html
+++ b/templates/zerver/realm_redirect.html
@@ -32,7 +32,7 @@
                        <button id="enter-realm-button" type="submit">{{ _('Next') }}</button>
                        <p class="bottom-text">
                            {{ _("Don't know your organization URL?") }}
-                            <a target="_blank" href="/accounts/find/">{{ _("Find your organization.") }}</a>
+                            <a target="_blank" rel="noopener noreferrer" href="/accounts/find/">{{ _("Find your organization.") }}</a>
                        </p>
                    </div>
                </form>
@@ -40,7 +40,7 @@
        </div>
        <div class="bottom-text">
-            {{ _("Need to get your group started on Zulip?") }} <a target="_blank" href="/new/">{{ _("Create a new organization.") }}</a>
+            {{ _("Need to get your group started on Zulip?") }} <a target="_blank" rel="noopener noreferrer" href="/new/">{{ _("Create a new organization.") }}</a>
        </div>
    </div>
--- a/templates/zerver/register.html
+++ b/templates/zerver/register.html
@@ -217,7 +217,7 @@ Form is validated both client-side using jquery-validate (see signup.js) and ser
                        <input id="id_terms" class="required" type="checkbox" name="terms"
                          {% if form.terms.value() %}checked="checked"{% endif %} />
                        <span></span>
-                        {% trans %}I agree to the <a href="{{ root_domain_uri }}/terms" target="_blank">Terms of Service</a>.{% endtrans %}
+                        {% trans %}I agree to the <a href="{{ root_domain_uri }}/terms" target="_blank" rel="noopener noreferrer">Terms of Service</a>.{% endtrans %}
                    </label>
                    {% if form.terms.errors %}
                        {% for error in form.terms.errors %}
--- a/templates/zerver/team.html
+++ b/templates/zerver/team.html
@@ -123,7 +123,7 @@
                <!-- Compiled using underscore -->
                <script type="text/template" id="contributors-template">
                    <div class="person">
-                        <a href="https://github.com/<%= name %>" target="_blank" class="no-underline">
+                        <a href="https://github.com/<%= name %>" target="_blank" rel="noopener noreferrer" class="no-underline">
                            <div class="avatar">
                                <img class="avatar_img" src="<%= avatar %>" alt="{{ _('Avatar') }}" />
                            </div>