CVE-2020-14194: Use noopener/noreferrer for external links.

We fixed the main issue of this form in CVE-2020-9444, but the audit
done at that time only included links found in rendered_markdown; this
change completes our audit for links with target=_blank anywhere in
the codebase.
Tim Abbott
2020-05-25 20:15:21 -07:00
parent 9f4905d7e3
commit a2767e8c50
36 changed files with 92 additions and 85 deletions

@@ -37,7 +37,7 @@
{% else %}
<p>
Please have a look at our
<a target="_blank" href="https://zulip.readthedocs.io/en/latest/subsystems/email.html#development-and-testing">
<a target="_blank" rel="noopener noreferrer" href="https://zulip.readthedocs.io/en/latest/subsystems/email.html#development-and-testing">
setup guide</a> for forwarding emails sent in development
environment to an email account.
</p>
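
Review bot: The rel="noopener noreferrer" on the "setup guide" anchor is added by hand, and nothing in this hunk stops the next target="_blank" link from landing in a template without it. Since the commit message describes this as completing an audit across the codebase, consider pairing it with a template lint rule that rejects any anchor carrying target="_blank" unless its rel contains noopener, so the audit does not have to be repeated. Keeping both tokens is reasonable: noreferrer already implies noopener in current browsers, and the explicit noopener covers the link if noreferrer is ever dropped to preserve the Referer header.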