Merge pull request #251 from ckeditor/i/5746

Fix: Link preview in the balloon should have `rel="noopener noreferrer"` set for security reasons. Closes ckeditor/ckeditor5#5746.
ckeditor · Nov 18, 2019 · 5b921b4 · 5b921b4
2 parents f75bf00 + 5c46297
commit 5b921b4
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/src/ui/linkactionsview.js b/src/ui/linkactionsview.js
@@ -209,7 +209,8 @@ export default class LinkActionsView extends View {
 					'ck-link-actions__preview'
 				],
 				href: bind.to( 'href', href => href && ensureSafeUrl( href ) ),
-				target: '_blank'
+				target: '_blank',
+				rel: 'noopener noreferrer'
 			}
 		} );
 

diff --git a/tests/ui/linkactionsview.js b/tests/ui/linkactionsview.js
@@ -84,10 +84,14 @@ describe( 'LinkActionsView', () => {
 				expect( view.previewButtonView.element.classList.contains( 'ck-link-actions__preview' ) ).to.be.true;
 			} );
 
-			it( 'has a target attribute', () => {
+			it( 'has a "target" attribute', () => {
 				expect( view.previewButtonView.element.getAttribute( 'target' ) ).to.equal( '_blank' );
 			} );
 
+			it( 'has a "rel" attribute', () => {
+				expect( view.previewButtonView.element.getAttribute( 'rel' ) ).to.equal( 'noopener noreferrer' );
+			} );
+
 			describe( '<a> bindings', () => {
 				it( 'binds href DOM attribute to view#href', () => {
 					expect( view.previewButtonView.element.getAttribute( 'href' ) ).to.be.null;