security: Adds rel="noopener" to all target="_blank" (#494)

* security: Adds rel="noopener" to all target="_blank"

* feature: Adds additonal rel="noopener"

Co-authored-by: Peter Kos <[email protected]>

Author: cbaudouinjr

app/views/application/_questionnaire_summary.html.haml

@@ -7,10 +7,10 @@
   = Questionnaire::POSSIBLE_EXPERIENCES[@questionnaire.experience]
 %p
   %b Portfolio link:
-  = @questionnaire.portfolio_url? ? link_to(@questionnaire.portfolio_url, @questionnaire.portfolio_url, target: '_blank') : 'Not provided'
+  = @questionnaire.portfolio_url? ? link_to(@questionnaire.portfolio_url, @questionnaire.portfolio_url, target: '_blank', rel: 'noopener') : 'Not provided'
 %p
   %b GitHub/GitLab/Bitbucket link:
-  = @questionnaire.vcs_url? ? link_to(@questionnaire.vcs_url, @questionnaire.vcs_url, target: '_blank') : 'Not provided'
+  = @questionnaire.vcs_url? ? link_to(@questionnaire.vcs_url, @questionnaire.vcs_url, target: '_blank', rel: 'noopener') : 'Not provided'
 %p
   %b Resume:
   = @questionnaire.resume.attached? ? link_to("Download »".html_safe, @questionnaire.resume) : 'Not provided'

app/views/layouts/manage/application.html.haml

@@ -124,14 +124,14 @@
                     .nav-item-description
                       = t(:doorkeeper, scope: 'layouts.manage.navigation.descriptors')
                 %li.nav-item
-                  = active_link_to sidekiq_web_path, target: '_blank', class: "nav-link" do
+                  = active_link_to sidekiq_web_path, target: '_blank', rel: "noopener", class: "nav-link" do
                     .fa.fa-tasks.fa-fw.icon-space-r-half
                     = t(:title, scope: 'pages.manage.sidekiq')
                     %span.fa.fa-external-link.icon-space-l-half
                     .nav-item-description
                       = t(:sidekiq, scope: 'layouts.manage.navigation.descriptors')
                 %li.nav-item
-                  = active_link_to blazer_path, target: '_blank', class: "nav-link" do
+                  = active_link_to blazer_path, target: '_blank', rel: "noopener", class: "nav-link" do
                     .fa.fa-terminal.fa-fw.icon-space-r-half
                     = t(:title, scope: 'pages.manage.blazer')
                     %span.fa.fa-external-link.icon-space-l-half

app/views/manage/messages/_templating.haml

@@ -2,7 +2,7 @@
 
 %p
   Message bodies can make use of template variables to help personalize and streamline emails.
-  Templating is powered by <a target="_blank" href="https://mustache.github.io/mustache.5.html">mustache</a>.
+  Templating is powered by <a target="_blank" rel="noopener" href="https://mustache.github.io/mustache.5.html">mustache</a>.
 
 %table.table.table-striped
   %thead

app/views/manage/messages/template.haml

@@ -22,7 +22,7 @@
     .form-inputs
       %h5.mb-3 Customize template
       %p.text-secondary Must save to update preview. CSS will be converted to inline styles when messages are sent.
-      %p.text-secondary Be sure to test with as many email providers as possible! <a href="https://putsmail.com" target="blank">Litmus PutsMail</a> is one great resource.
+      %p.text-secondary Be sure to test with as many email providers as possible! <a href="https://putsmail.com" target="_blank" rel="noopener">Litmus PutsMail</a> is one great resource.
       = f.input :html, input_html: { 'data-code-mirror-textarea' => '1' }, label: false, wrapper: :bootstrap_inline_form
 
     .form-actions.mt-3.mb-3

app/views/manage/questionnaires/_overview.html.haml

@@ -86,10 +86,10 @@
             = Questionnaire::POSSIBLE_EXPERIENCES[@questionnaire.experience]
           %dt.col-md-4 Portfolio
           %dd.col-md-8
-            = @questionnaire.portfolio_url? ? link_to(@questionnaire.portfolio_url, @questionnaire.portfolio_url, target: '_blank') : not_provided
+            = @questionnaire.portfolio_url? ? link_to(@questionnaire.portfolio_url, @questionnaire.portfolio_url, target: '_blank', rel: 'noopener') : not_provided
           %dt.col-md-4 GitHub/GitLab/Bitbucket
           %dd.col-md-8
-            = @questionnaire.vcs_url? ? link_to(@questionnaire.vcs_url, @questionnaire.vcs_url, target: '_blank') : not_provided
+            = @questionnaire.vcs_url? ? link_to(@questionnaire.vcs_url, @questionnaire.vcs_url, target: '_blank', rel: 'noopener') : not_provided
           %dt.col-md-4 Resume
           %dd.col-md-8
             = @questionnaire.resume.attached? ? link_to("Download »".html_safe, @questionnaire.resume) : not_provided

app/views/manage/schools/show.html.haml

@@ -25,7 +25,7 @@
         = @school.name
         %br
         %small
-          = link_to google_maps_link(@school.name), target: '_blank' do
+          = link_to google_maps_link(@school.name), target: '_blank', rel: 'noopener' do
             Search in Google Maps
             %span.fa.fa-external-link.icon-space-l-half
       %dt.col-md-4 Address
@@ -37,7 +37,7 @@
         %br
         %small
           - link = google_maps_link(@school.address, @school.city, @school.state)
-          = link_to link, target: '_blank' do
+          = link_to link, target: '_blank', rel: 'noopener' do
             Search in Google Maps
             %span.fa.fa-external-link.icon-space-l-half
       %dt.col-md-4 Home school

db/seed_messages/questionnaire--accepted.md

@@ -3,8 +3,8 @@
 You have been accepted to attend {{hackathon_name}}! **Please RSVP:**
 
 <p>
-  <a href="{{accept_rsvp_url}}" class="button" target="_blank">Yes, I will Attend &raquo;</a>
-  <a href="{{deny_rsvp_url}}" class="button" target="_blank">No, I Can't Attend &raquo;</a>
+  <a href="{{accept_rsvp_url}}" class="button" target="_blank" rel="noopener">Yes, I will Attend &raquo;</a>
+  <a href="{{deny_rsvp_url}}" class="button" target="_blank" rel="noopener">No, I Can't Attend &raquo;</a>
   <br>
-  <small><i>Link not working? Go to <a href="{{rsvp_url}}">{{rsvp_url}}</a></i></small>
+  <small><i>Link not working? Go to <a href="{{rsvp_url}}" target="_blank" rel="noopener">{{rsvp_url}}</a></i></small>
 </p>

db/seed_messages/questionnaire--denied.md

@@ -2,7 +2,7 @@
 
 It is with our sincerest regret to inform you that our admissions committee has chosen to not accept your application to {{hackathon_name}} at this time. We were overjoyed with the number of applicants we received, but unfortunately we can not accept everyone.
 
-We invite you to apply again next year. There are plenty of other hackathons this season, and it may not be too late to apply for those. Checkout <a href="https://mlh.io" target="_blank">https://mlh.io</a> to find out more information.
+We invite you to apply again next year. There are plenty of other hackathons this season, and it may not be too late to apply for those. Checkout <a href="https://mlh.io" target="_blank" rel="noopener">https://mlh.io</a> to find out more information.
 
 Thank you for applying,<br>
  - The {{hackathon_name}} Team

db/seed_messages/questionnaire--rsvp_reminder.md

@@ -4,9 +4,9 @@
   <h1>Are you coming to {{hackathon_name}}?</h1>
   <h3>Let us know if we should expect you there!</h3>
   <p>
-    <a href="{{accept_rsvp_url}}" class="button" target="_blank">Yes, I will Attend &raquo;</a>
-    <a href="{{deny_rsvp_url}}" class="button" target="_blank">No, I Can't Attend &raquo;</a>
+    <a href="{{accept_rsvp_url}}" class="button" target="_blank" rel="noopener">Yes, I will Attend &raquo;</a>
+    <a href="{{deny_rsvp_url}}" class="button" target="_blank" rel="noopener">No, I Can't Attend &raquo;</a>
     <br>
-    <small><i>Link not working? Go to <a href="{{rsvp_url}}">{{rsvp_url}}</a></i></small>
+    <small><i>Link not working? Go to <a href="{{rsvp_url}}" target="_blank" rel="noopener">{{rsvp_url}}</a></i></small>
   </p>
 </div>

website/core/Footer.js

@@ -46,7 +46,7 @@ class Footer extends React.Component {
           <div />
           <div>
             <h5>More</h5>
-            <a href={this.props.config.repoUrl} target="_blank">
+            <a href={this.props.config.repoUrl} target="_blank" rel="noopener">
               GitHub Repo
             </a>
             <a