Important security consideration for using target="_blank"

[stackola]

Using target="_blank" on hyperlinks without using rel="noopener" is a problem, because the opened page can access and modify some properties on the opening page.

You can find out more information here:

https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

Proposed fix

Automatically add rel="noopener noreferrer" to all links that are targeting _blank, or make rel user-accessible like target

[fdidron]

Hello, I created PR #418 for this, I went with adding a linkRel prop instead of automagically adding rel="noopener noreferrer".

Needed this for https://configure.ergodox-ez.com/ :)

[fdidron]

Doh there was already an opened PR #350

[ChristianMurphy]

This can also be added through a plugin using https://github.com/remarkjs/remark-external-links

[wchargin]

Also in the same boat; I actually tried the workaround suggested by
@ChristianMurphy, but wasn’t able to get it to work (found this thread
by searching for remark-external-links). Cf. #188.

[tomchen]

Very important security fix, hope either #350 or #418 can be merged very soon.

Actually when linkTarget is set to _blank, linkRel should default to noopener noreferrer instead of the initial default undefined, although it would complicate the settings a little bit.

[wooorm]

The suggested solution is the plugin mentioned above; there will be a release soon which fixes support for plugins