Use rel="noopener" with target="_blank". (#682)

Required reading: https://mathiasbynens.github.io/rel-noopener/
Tobias Kunze
2017-11-13 18:52:15 +01:00
committed by Raphael Michel
parent 01585877d7
commit e7f38abd77
9 changed files with 11 additions and 9 deletions


@@ -176,7 +176,7 @@ class BasePaymentProvider:
forms.BooleanField(
label=_('Calculate the fee from the total value including the fee.'),
help_text=_('We recommend to enable this if you want your users to pay the payment fees of your '
'payment provider. <a href="{docs_url}" target="_blank">Click here '
'payment provider. <a href="{docs_url}" target="_blank" rel="noopener">Click here '
'for detailed information on what this does.</a> Don\'t forget to set the correct fees '
'above!').format(docs_url='https://docs.pretix.eu/en/latest/user/payments/fees.html'),
required=False
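Review bot: The `rel="noopener"` attribute is added inside the translatable msgid of `help_text`, so existing translations of this string no longer match, and any translation reused from the old msgid (a fuzzy match, for example) would presumably keep the `target="_blank"` anchor without `rel`. Keeping the anchor markup out of the translated text avoids this, for example by passing the opening tag through `.format()` next to `docs_url`; failing that, the locale files should be regenerated and checked in the same change. The link target is a fixed documentation URL, so the exposure is small here. The enclosing field definition starts and ends outside the hunk.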


@@ -61,12 +61,14 @@ def safelink_callback(attrs, new=False):
signer = signing.Signer(salt='safe-redirect')
attrs[None, 'href'] = reverse('redirect') + '?url=' + urllib.parse.quote(signer.sign(url))
attrs[None, 'target'] = '_blank'
attrs[None, 'rel'] = 'noopener'
return attrs
def abslink_callback(attrs, new=False):
attrs[None, 'href'] = urllib.parse.urljoin(settings.SITE_URL, attrs.get((None, 'href'), '/'))
attrs[None, 'target'] = '_blank'
attrs[None, 'rel'] = 'noopener'
return attrs
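Review bot: In both `safelink_callback` and `abslink_callback` the added `attrs[None, 'rel'] = 'noopener'` replaces whatever `rel` value the link already carries, so a token set earlier in the callback chain (for example `nofollow`, if such a callback runs before these) would be lost. Merging instead of assigning keeps both: `rel = set(attrs.get((None, 'rel'), '').split()) | {'noopener'}` followed by `attrs[None, 'rel'] = ' '.join(sorted(rel))`. Because `safelink_callback` rewrites links to arbitrary URLs, `noreferrer` could be added to the same set to cover browsers that ignore `noopener`, at the cost of dropping the Referer header. `safelink_callback` begins above the hunk, so whether `rel` is already handled there is not visible.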