
Add `rel="noopener noreferrer"` to target blank links

Anselm Bradford vor 6 Jahren
Ursprung
Commit
303ee0f95b

+ 1 - 0
CHANGELOG.txt

@@ -6,6 +6,7 @@ Changelog
 
  * Added support for Python 3.7 (Matt Westcott)
  * Fix: Query objects returned from `PageQuerySet.type_q` can now be merged with `|` (Brady Moe)
+ * Fix: Add `rel="noopener noreferrer"` to target blank links (Anselm Bradford)
 
 
 2.3 LTS (23.10.2018)

+ 1 - 1
client/src/components/Button/Button.test.js

@@ -25,7 +25,7 @@ describe('Button', () => {
   });
 
   it('#target', () => {
-    expect(shallow(<Button target="_blank" />)).toMatchSnapshot();
+    expect(shallow(<Button target="_blank" rel="noopener noreferrer" />)).toMatchSnapshot();
   });
 
   it('#multiple icons', () => {
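Review bot: The `#target` case now passes `rel` in by hand, so the snapshot only shows that Button forwards a prop it is given. No change to the Button component itself appears among the files in this commit, so a caller that writes `<Button target="_blank" />` would presumably still render without `rel`. If the component is meant to protect its callers, it could default `rel` to `noopener noreferrer` whenever `target` is `_blank`, and this test could keep the original `<Button target="_blank" />` input so the snapshot proves that default. The `describe` block starts and ends outside the hunk.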

+ 1 - 0
docs/releases/2.4.rst

@@ -21,6 +21,7 @@ Bug fixes
 ~~~~~~~~~
 
  * Query objects returned from ``PageQuerySet.type_q`` can now be merged with ``|`` (Brady Moe)
+ * Add `rel="noopener noreferrer"` to target blank links (Anselm Bradford)
 
 
 Upgrade considerations

+ 1 - 1
wagtail/admin/templates/wagtailadmin/home/pages_for_moderation.html

@@ -40,7 +40,7 @@
                                         </form>
                                     </li>
                                     <li><a href="{% url 'wagtailadmin_pages:edit' revision.page.id %}" class="button button-small button-secondary">{% trans 'Edit' %}</a></li>
-                                    <li><a href="{% url 'wagtailadmin_pages:preview_for_moderation' revision.id %}" class="button button-small button-secondary" target="_blank">{% trans 'Preview' %}</a></li>
+                                    <li><a href="{% url 'wagtailadmin_pages:preview_for_moderation' revision.id %}" class="button button-small button-secondary" target="_blank" rel="noopener noreferrer">{% trans 'Preview' %}</a></li>
                                 </ul>
                             </td>
                             <td valign="top">

+ 2 - 2
wagtail/admin/templates/wagtailadmin/home/recent_edits.html

@@ -27,10 +27,10 @@
                                 <ul class="actions">
                                     <li><a href="{% url 'wagtailadmin_pages:edit' page.id %}" class="button button-small button-secondary">{% trans "Edit" %}</a></li>
                                     {% if page.has_unpublished_changes %}
-                                        <li><a href="{% url 'wagtailadmin_pages:view_draft' page.id %}" class="button button-small button-secondary" target="_blank">{% trans 'Draft' %}</a></li>
+                                        <li><a href="{% url 'wagtailadmin_pages:view_draft' page.id %}" class="button button-small button-secondary" target="_blank" rel="noopener noreferrer">{% trans 'Draft' %}</a></li>
                                     {% endif %}
                                     {% if page.live %}
-                                        <li><a href="{{ page.url }}" class="button button-small button-secondary" target="_blank">{% trans 'Live' %}</a></li>
+                                        <li><a href="{{ page.url }}" class="button button-small button-secondary" target="_blank" rel="noopener noreferrer">{% trans 'Live' %}</a></li>
                                     {% endif %}
                                 </ul>
                             </td>

+ 1 - 1
wagtail/admin/templates/wagtailadmin/pages/revisions/list.html

@@ -26,7 +26,7 @@
                         </h2>
 
                         <ul class="actions">
-                            <li><a href="{% url 'wagtailadmin_pages:revisions_view' page.id revision.id %}" class="button button-small button-secondary" target="_blank">{% trans 'Preview' %}</a></li>
+                            <li><a href="{% url 'wagtailadmin_pages:revisions_view' page.id revision.id %}" class="button button-small button-secondary" target="_blank" rel="noopener noreferrer">{% trans 'Preview' %}</a></li>
                             {% if revision == page.get_latest_revision %}
                                 <li><a href="{% url 'wagtailadmin_pages:edit' page.id %}" class="button button-small button-secondary">{% trans 'Edit' %}</a></li>
                             {% else %}

+ 1 - 1
wagtail/admin/templates/wagtailadmin/shared/messages.html

@@ -3,7 +3,7 @@
 {% if buttons %}
     <span class="buttons">
         {% for button in buttons %}
-            <a href="{{ button.0 }}" class="button button-small button-secondary"{% if button.2 %} target="_blank"{% endif %}>{{ button.1 }}</a>
+            <a href="{{ button.0 }}" class="button button-small button-secondary"{% if button.2 %} target="_blank" rel="noopener noreferrer"{% endif %}>{{ button.1 }}</a>
         {% endfor %}
     </span>
 {% endif %}

+ 1 - 1
wagtail/admin/templates/wagtailadmin/shared/page_status_tag.html

@@ -1,5 +1,5 @@
 {% if page.live %}
-    <a href="{{ page.url }}" target="_blank" class="status-tag primary">{{ page.status_string }}</a>
+    <a href="{{ page.url }}" target="_blank" rel="noopener noreferrer" class="status-tag primary">{{ page.status_string }}</a>
 {% else %}
     <span class="status-tag">{{ page.status_string }}</span>
 {% endif %}

+ 1 - 1
wagtail/admin/templates/wagtailadmin/skeleton.html

@@ -23,7 +23,7 @@
     <noscript class="capabilitymessage">
         {% blocktrans %}
             Javascript is required to use Wagtail, but it is currently disabled.<br />
-            Here are the <a href="http://www.enable-javascript.com/" target="_blank" rel="noopener">instructions how to enable JavaScript in your web browser</a>.
+            Here are the <a href="http://www.enable-javascript.com/" target="_blank" rel="noopener noreferrer">instructions how to enable JavaScript in your web browser</a>.
         {% endblocktrans %}
     </noscript>
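Review bot: Editing the anchor inside `{% blocktrans %}` changes the message id, so existing translations of this noscript message will no longer match and will fall back to the English source until the catalogues are updated. The same applies to the `blocktrans` string changed in wagtailsnippets/chooser/results.html. A message-catalogue refresh in the same release, or a line in the release notes for translators, would cover it. Separately, the link target is plain `http://`; if the site serves HTTPS, `https://www.enable-javascript.com/` would keep admin users off an unauthenticated connection.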
 

+ 1 - 1
wagtail/admin/templates/wagtailadmin/widgets/chooser.html

@@ -17,7 +17,7 @@
             {% endif %}
             <li><button type="button" class="button action-choose button-small button-secondary">{{ widget.choose_another_text }}</button></li>
             {% if widget.show_edit_link %}
-                <li><a href="{% block edit_chosen_item_url %}#{% endblock %}" class="edit-link button button-small button-secondary" target="_blank">{{ widget.link_to_chosen_text }}</a></li>
+                <li><a href="{% block edit_chosen_item_url %}#{% endblock %}" class="edit-link button button-small button-secondary" target="_blank" rel="noopener noreferrer">{{ widget.link_to_chosen_text }}</a></li>
             {% endif %}
         </ul>
     </div>

+ 1 - 1
wagtail/admin/tests/test_buttons_hooks.py

@@ -59,7 +59,7 @@ class TestButtonsHooks(TestCase, WagtailTestUtils):
                 page=page,
                 page_perms=page_perms,
                 is_parent=is_parent,
-                attrs={'target': '_blank'},
+                attrs={'target': '_blank', 'rel': 'noopener noreferrer'},
                 priority=50
             )
 

+ 1 - 1
wagtail/admin/tests/test_edit_handlers.py

@@ -674,7 +674,7 @@ class TestPageChooserPanel(TestCase):
         self.assertIn('<p class="help">help text</p>', result)
         self.assertIn('<span class="title">Christmas</span>', result)
         self.assertIn(
-            '<a href="/admin/pages/%d/edit/" class="edit-link button button-small button-secondary" target="_blank">'
+            '<a href="/admin/pages/%d/edit/" class="edit-link button button-small button-secondary" target="_blank" rel="noopener noreferrer">'
             'Edit this page</a>' % self.christmas_page.id,
             result)
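Review bot: This `assertIn` compares a raw string, so it depends on the exact attribute order and spacing of the rendered `<a>`, and it needed editing here only because an attribute was appended. Assuming `TestCase` is Django's, `self.assertInHTML(expected_link, result)` would compare parsed elements and keep passing if attributes are reordered while still failing if `rel` is dropped. The `link_to_draft` / `link_to_live` literals in test_pages_views.py are written the same way. The test method begins outside the hunk.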
 

+ 4 - 4
wagtail/admin/tests/test_pages_views.py

@@ -1912,8 +1912,8 @@ class TestPageEdit(TestCase, WagtailTestUtils):
 
         response = self.client.get(reverse('wagtailadmin_pages:edit', args=(self.child_page.id, )))
 
-        link_to_draft = '<a href="/revised-slug-in-draft-only/" target="_blank" class="status-tag primary">live + draft</a>'
-        link_to_live = '<a href="/hello-world/" target="_blank" class="status-tag primary">live + draft</a>'
+        link_to_draft = '<a href="/revised-slug-in-draft-only/" target="_blank" rel="noopener noreferrer" class="status-tag primary">live + draft</a>'
+        link_to_live = '<a href="/hello-world/" target="_blank" rel="noopener noreferrer" class="status-tag primary">live + draft</a>'
         input_field_for_draft_slug = '<input type="text" name="slug" value="revised-slug-in-draft-only" id="id_slug" maxlength="255" required />'
         input_field_for_live_slug = '<input type="text" name="slug" value="hello-world" id="id_slug" maxlength="255" required />'
 
@@ -1935,8 +1935,8 @@ class TestPageEdit(TestCase, WagtailTestUtils):
 
         response = self.client.get(reverse('wagtailadmin_pages:edit', args=(self.single_event_page.id, )))
 
-        link_to_draft = '<a href="/revised-slug-in-draft-only/pointless-suffix/" target="_blank" class="status-tag primary">live + draft</a>'
-        link_to_live = '<a href="/mars-landing/pointless-suffix/" target="_blank" class="status-tag primary">live + draft</a>'
+        link_to_draft = '<a href="/revised-slug-in-draft-only/pointless-suffix/" target="_blank" rel="noopener noreferrer" class="status-tag primary">live + draft</a>'
+        link_to_live = '<a href="/mars-landing/pointless-suffix/" target="_blank" rel="noopener noreferrer" class="status-tag primary">live + draft</a>'
         input_field_for_draft_slug = '<input type="text" name="slug" value="revised-slug-in-draft-only" id="id_slug" maxlength="255" required />'
         input_field_for_live_slug = '<input type="text" name="slug" value="mars-landing" id="id_slug" maxlength="255" required />'
 

+ 3 - 3
wagtail/admin/wagtail_hooks.py

@@ -110,14 +110,14 @@ def page_listing_buttons(page, page_perms, is_parent=False):
         yield PageListingButton(
             _('View draft'),
             reverse('wagtailadmin_pages:view_draft', args=[page.id]),
-            attrs={'title': _("Preview draft version of '{title}'").format(title=page.get_admin_display_title()), 'target': '_blank'},
+            attrs={'title': _("Preview draft version of '{title}'").format(title=page.get_admin_display_title()), 'target': '_blank', 'rel': 'noopener noreferrer'},
             priority=20
         )
     if page.live and page.url:
         yield PageListingButton(
             _('View live'),
             page.url,
-            attrs={'target': "_blank", 'title': _("View live version of '{title}'").format(title=page.get_admin_display_title())},
+            attrs={'target': "_blank", 'rel': 'noopener noreferrer', 'title': _("View live version of '{title}'").format(title=page.get_admin_display_title())},
             priority=30
         )
     if page_perms.can_add_subpage():
@@ -143,7 +143,7 @@ def page_listing_buttons(page, page_perms, is_parent=False):
         page=page,
         page_perms=page_perms,
         is_parent=is_parent,
-        attrs={'target': '_blank', 'title': _("View more options for '{title}'").format(title=page.get_admin_display_title())},
+        attrs={'target': '_blank', 'rel': 'noopener noreferrer', 'title': _("View more options for '{title}'").format(title=page.get_admin_display_title())},
         priority=50
     )
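Review bot: The `'target': '_blank', 'rel': 'noopener noreferrer'` pair is now repeated in three `attrs` dicts in `page_listing_buttons`, and nothing ties `rel` to `target`, so a button registered elsewhere with only `'target': '_blank'` would still render without the protection. A module-level constant such as `NEW_TAB_ATTRS = {'target': '_blank', 'rel': 'noopener noreferrer'}`, merged per call with `dict(NEW_TAB_ATTRS, title=...)`, would keep the three sites in step. Better still, the button class (defined outside this diff) could add `rel` itself whenever `attrs` asks for `_blank`. A test that scans the admin templates and fails on any `target="_blank"` without `rel` would stop the omission from coming back. `page_listing_buttons` starts and ends outside the hunks.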
 

+ 1 - 1
wagtail/snippets/templates/wagtailsnippets/chooser/results.html

@@ -18,6 +18,6 @@
          <p>{% blocktrans %}Sorry, no snippets match "<em>{{ query_string }}</em>"{% endblocktrans %}</p>
     {% else %}
         {% url 'wagtailsnippets:add' model_opts.app_label model_opts.model_name as wagtailsnippets_create_snippet_url %}
-        <p>{% blocktrans with snippet_type_name=model_opts.verbose_name %}You haven't created any {{ snippet_type_name }} snippets. Why not <a href="{{ wagtailsnippets_create_snippet_url }}" target="_blank">create one now</a>?{% endblocktrans %}</p>
+        <p>{% blocktrans with snippet_type_name=model_opts.verbose_name %}You haven't created any {{ snippet_type_name }} snippets. Why not <a href="{{ wagtailsnippets_create_snippet_url }}" target="_blank" rel="noopener noreferrer">create one now</a>?{% endblocktrans %}</p>
     {% endif %}
 {% endif %}