Use rel="noopener" with target="_blank". (#682)

Required reading: https://mathiasbynens.github.io/rel-noopener/

src/pretix/base/payment.py

@@ -176,7 +176,7 @@ class BasePaymentProvider:
              forms.BooleanField(
                  label=_('Calculate the fee from the total value including the fee.'),
                  help_text=_('We recommend to enable this if you want your users to pay the payment fees of your '
-                             'payment provider. <a href="{docs_url}" target="_blank">Click here '
+                             'payment provider. <a href="{docs_url}" target="_blank" rel="noopener">Click here '
                              'for detailed information on what this does.</a> Don\'t forget to set the correct fees '
                              'above!').format(docs_url='https://docs.pretix.eu/en/latest/user/payments/fees.html'),
                  required=False

src/pretix/base/templatetags/rich_text.py

@@ -61,12 +61,14 @@ def safelink_callback(attrs, new=False):
         signer = signing.Signer(salt='safe-redirect')
         attrs[None, 'href'] = reverse('redirect') + '?url=' + urllib.parse.quote(signer.sign(url))
         attrs[None, 'target'] = '_blank'
+        attrs[None, 'rel'] = 'noopener'
     return attrs
 
 
 def abslink_callback(attrs, new=False):
     attrs[None, 'href'] = urllib.parse.urljoin(settings.SITE_URL, attrs.get((None, 'href'), '/'))
     attrs[None, 'target'] = '_blank'
+    attrs[None, 'rel'] = 'noopener'
     return attrs
 
 

src/pretix/control/templates/pretixcontrol/event/widget.html

@@ -35,7 +35,7 @@
 <noscript>
    <div class="pretix-widget">
         <div class="pretix-widget-info-message">
-            {% blocktrans trimmed with a_attr='target="_blank" href="'|add:indexurl|add:'"'|safe %}
+            {% blocktrans trimmed with a_attr='target="_blank" rel="noopener" href="'|add:indexurl|add:'"'|safe %}
                 JavaScript is disabled in your browser. To access our ticket shop without JavaScript,
                 please <a {{ a_attr }}>click here</a>.
             {% endblocktrans %}
@@ -44,7 +44,7 @@
 </noscript>
 </pre>
         <p>
-            <a href="https://docs.pretix.eu/en/latest/user/events/widget.html" target="_blank">
+            <a href="https://docs.pretix.eu/en/latest/user/events/widget.html" target="_blank" rel="noopener">
                 <span class="fa fa-question-circle"></span>
                 {% trans "Read our documentation for more information" %}
             </a>

src/pretix/plugins/paypal/payment.py

@@ -55,7 +55,7 @@ class Paypal(BasePaymentProvider):
                 ('client_id',
                  forms.CharField(
                      label=_('Client ID'),
-                     help_text=_('<a target="_blank" href="{docs_url}">{text}</a>').format(
+                     help_text=_('<a target="_blank" rel="noopener" href="{docs_url}">{text}</a>').format(
                          text=_('Click here for a tutorial on how to obtain the required keys'),
                          docs_url='https://docs.pretix.eu/en/latest/user/payments/paypal.html'
                      )

src/pretix/plugins/stripe/payment.py

@@ -76,7 +76,7 @@ class StripeSettingsHolder(BasePaymentProvider):
                 ('secret_key',
                  forms.CharField(
                      label=_('Secret key'),
-                     help_text=_('<a target="_blank" href="{docs_url}">{text}</a>').format(
+                     help_text=_('<a target="_blank" rel="noopener" href="{docs_url}">{text}</a>').format(
                          text=_('Click here for a tutorial on how to obtain the required keys'),
                          docs_url='https://docs.pretix.eu/en/latest/user/payments/stripe.html'
                      ),

src/pretix/presale/templates/pretixpresale/base.html

@@ -51,7 +51,7 @@
         ·
     {% endif %}
     {% for f in footer %}
-        <a href="{% safelink f.url %}" target="_blank">{{ f.label }}</a>
+        <a href="{% safelink f.url %}" target="_blank" rel="noopener">{{ f.label }}</a>
         &middot;
     {% endfor %}
     {% include "pretixpresale/base_footer.html" %}

src/pretix/presale/templates/pretixpresale/base_footer.html

@@ -1,7 +1,7 @@
 {% load i18n %}
 {% load safelink %}
 {% safelink "https://pretix.eu" as pretixurl %}
-{% with 'target="_blank" href="'|add:pretixurl|add:'"'|safe as a_attr %}
+{% with 'target="_blank" rel="noopener" href="'|add:pretixurl|add:'"'|safe as a_attr %}
     {% blocktrans trimmed %}
         powered by <a {{ a_attr }}>pretix</a>
     {% endblocktrans %}

src/pretix/presale/templates/pretixpresale/event/base.html

@@ -66,7 +66,7 @@
         <a href="mailto:{{ request.event.settings.contact_mail }}">{% trans "Contact event organizer" %}</a> &middot;
     {% endif %}
     {% if request.event.settings.imprint_url %}
-        <a href="{% safelink request.event.settings.imprint_url %}" target="_blank">{% trans "Imprint" %}</a>
+        <a href="{% safelink request.event.settings.imprint_url %}" target="_blank" rel="noopener">{% trans "Imprint" %}</a>
         &middot;
     {% endif %}
 {% endblock %}

src/pretix/static/pretixpresale/js/widget/widget.js

@@ -23,7 +23,7 @@ var strings = {
     'cart_exists': django.pgettext('widget', 'You currently have an active cart for this event. If you select more' +
         ' products, they will be added to your existing cart. Click on this message to continue checkout with your' +
         ' cart.'),
-    'poweredby': django.pgettext('widget', 'ticketing powered by <a href="https://pretix.eu" target="_blank">pretix</a>'),
+    'poweredby': django.pgettext('widget', 'ticketing powered by <a href="https://pretix.eu" target="_blank" rel="noopener">pretix</a>'),
     'redeem_voucher': django.pgettext('widget', 'Redeem a voucher'),
     'redeem': django.pgettext('widget', 'Redeem'),
     'voucher_code': django.pgettext('widget', 'Voucher code'),