
Add rel=”noopener” to target="_blank" links to appease CodeQL. #4463

Merged
merged 1 commit into master from martinemde/rel-noopener
Feb 19, 2024

Conversation

martinemde
Member

In #4462, CodeQL is making noise about target="_blank" links without rel="noopener". I added it here to quiet CodeQL in future PRs. I doubt that any self respecting client is actually breaking this rule, but might as well.

It has also been suggested, and we do this in a few places, to add noreferrer as in rel="noopener noreferrer". I don't think it's necessary as long as CodeQL is fine with it.

For email, I suggest that we remove the target attribute entirely and allow the email client to do its thing.

What do you think? Should we...

  1. Remove target="_blank" from emails and let the client do its thing.
  2. Leave it and add the rel="noopener" so CodeQL will work.


martinemde commented Feb 18, 2024

CodeQL explicitly says "or" but it's requiring "and".

HTML links that open in a new tab or window allow the target page to access the DOM of the origin page using window.opener unless link type noopener or noreferrer is specified. This is a potential security risk.

codecov bot commented Feb 18, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (89b2171) 97.13% compared to head (195f0bc) 97.13%.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #4463   +/-   ##
=======================================
  Coverage   97.13%   97.13%           
=======================================
  Files         385      385           
  Lines        8200     8200           
=======================================
  Hits         7965     7965           
  Misses        235      235           


@martinemde

It only trips up on links with href="<%= %>". This seems like a CodeQL bug.


martinemde commented Feb 18, 2024

Oh no, I ended up with fancy quotes in here somehow. Very strange. This was the cause of CodeQL not understanding the rel attribute.

@martinemde martinemde force-pushed the martinemde/rel-noopener branch from 6357c86 to 215e908 February 18, 2024 17:52
@martinemde martinemde force-pushed the martinemde/rel-noopener branch from 215e908 to 195f0bc February 18, 2024 17:52
@martinemde martinemde requested a review from segiddins February 18, 2024 22:45
@martinemde martinemde merged commit bf6c767 into master Feb 19, 2024
17 checks passed
@martinemde martinemde deleted the martinemde/rel-noopener branch February 19, 2024 01:08