SECURITY: Use `rel="noopener"` every time we use `target="_blank"` (#425)

SECURITY: Use rel="noopener" every time we use target="_blank" (#425)

diff --git a/lib/onebox/engine/cloudapp_onebox.rb b/lib/onebox/engine/cloudapp_onebox.rb
index 9f4422d..93a4199 100644
--- a/lib/onebox/engine/cloudapp_onebox.rb
+++ b/lib/onebox/engine/cloudapp_onebox.rb
@@ -25,7 +25,7 @@ module Onebox
 
       def link_html(og)
         <<-HTML
-            <a href='#{og.url}' target='_blank'>
+            <a href='#{og.url}' target='_blank' rel='noopener'>
               #{og.title}
             </a>
           HTML
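Review bot: `og.url` and `og.title` in `link_html` are interpolated as-is into a single-quoted `href` and the element body, so the markup depends on whatever the fetched page's OpenGraph tags contain, and `rel='noopener'` does nothing if a quote in that value closes the attribute. The Flickr, Imgur, Google Photos and image engines in this commit pass the URL through `::Onebox::Helpers.normalize_url_for_output` first; doing the same here would be `escaped_url = ::Onebox::Helpers.normalize_url_for_output(og.url)` followed by `<a href='#{escaped_url}' target='_blank' rel='noopener'>`. The title should also be HTML-escaped, for example `CGI.escapeHTML(og.title.to_s)`, unless the OpenGraph wrapper already escapes it, which is not visible here. The same applies to `og.url` and `og.image` in the `image_html` hunk below and to `oembed.url` in giphy_onebox.rb. `link_html` ends outside this hunk.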
@@ -43,7 +43,7 @@ module Onebox
 
       def image_html(og)
         <<-HTML
-            <a href='#{og.url}' target='_blank' class='onebox'>
+            <a href='#{og.url}' target='_blank' class='onebox' rel='noopener'>
               <img src='#{og.image}' #{og.title_attr} alt='CloudApp' width='480'>
             </a>
           HTML
diff --git a/lib/onebox/engine/flickr_onebox.rb b/lib/onebox/engine/flickr_onebox.rb
index 94c05a5..dd22b48 100644
--- a/lib/onebox/engine/flickr_onebox.rb
+++ b/lib/onebox/engine/flickr_onebox.rb
@@ -26,7 +26,7 @@ module Onebox
 
         <<-HTML
             <div class='onebox flickr-album'>
-              <a href='#{escaped_url}' target='_blank'>
+              <a href='#{escaped_url}' target='_blank' rel='noopener'>
                 <span class='outer-box' style='max-width:#{og.image_width}px'>
                   <span class='inner-box'>
                     <span class='album-title'>#{album_title}</span>
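Review bot: `og.image_width` is written into the `style` attribute of the `outer-box` span unchanged, and nothing in the hunk shows it being coerced to a number. It presumably comes from the remote page's metadata, so a non-numeric value would end up inside a single-quoted attribute. Coercing at the point of use makes this safe whatever the wrapper does: `style='max-width:#{og.image_width.to_i}px'`. The album hunks in google_photos_onebox.rb and imgur_onebox.rb have the same pattern with `style='width:#{og.image_width}px'`, and the `height`/`width` attributes on the `<img>` tags in the single-image hunks take `og.image_height` and `og.image_width` the same way. The enclosing method starts and ends outside this hunk.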
@@ -42,7 +42,7 @@ module Onebox
         escaped_url = ::Onebox::Helpers.normalize_url_for_output(url)
 
         <<-HTML
-            <a href='#{escaped_url}' target='_blank' class="onebox">
+            <a href='#{escaped_url}' target='_blank' rel='noopener' class="onebox">
               <img src='#{og.get_secure_image}' #{og.title_attr} alt='Imgur' height='#{og.image_height}' width='#{og.image_width}'>
             </a>
           HTML
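Review bot: The `<img>` inside this Flickr anchor has `alt='Imgur'`, which looks copied from imgur_onebox.rb. While the surrounding anchor is being edited, `alt='Flickr'` would give screen readers the correct text. The enclosing method ends outside the hunk.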
diff --git a/lib/onebox/engine/giphy_onebox.rb b/lib/onebox/engine/giphy_onebox.rb
index c54b9b1..10709b9 100644
--- a/lib/onebox/engine/giphy_onebox.rb
+++ b/lib/onebox/engine/giphy_onebox.rb
@@ -13,7 +13,7 @@ module Onebox
         oembed = get_oembed
 
         <<-HTML
-          <a href="#{oembed.url}" target="_blank" class="onebox">
+          <a href="#{oembed.url}" target="_blank" rel="noopener" class="onebox">
             <img src="#{oembed.url}" width="#{oembed.width}" height="#{oembed.height}" #{oembed.title_attr}>
           </a>
         HTML
diff --git a/lib/onebox/engine/google_photos_onebox.rb b/lib/onebox/engine/google_photos_onebox.rb
index fbd9cb0..6fb5356 100644
--- a/lib/onebox/engine/google_photos_onebox.rb
+++ b/lib/onebox/engine/google_photos_onebox.rb
@@ -33,7 +33,7 @@ module Onebox
 
         <<-HTML
             <div class='onebox google-photos-album'>
-              <a href='#{escaped_url}' target='_blank'>
+              <a href='#{escaped_url}' target='_blank' rel='noopener'>
                 <span class='outer-box' style='width:#{og.image_width}px'>
                   <span class='inner-box'>
                     <span class='album-title'>#{Onebox::Helpers.truncate(album_title, 80)}</span>
@@ -49,7 +49,7 @@ module Onebox
         escaped_url = ::Onebox::Helpers.normalize_url_for_output(url)
 
         <<-HTML
-            <a href='#{escaped_url}' target='_blank' class="onebox">
+            <a href='#{escaped_url}' target='_blank' rel='noopener' class="onebox">
               <img src='#{og.get_secure_image}' #{og.title_attr} alt='Google Photos' height='#{og.image_height}' width='#{og.image_width}'>
             </a>
           HTML
diff --git a/lib/onebox/engine/image_onebox.rb b/lib/onebox/engine/image_onebox.rb
index 5be1ec4..dc7f190 100644
--- a/lib/onebox/engine/image_onebox.rb
+++ b/lib/onebox/engine/image_onebox.rb
@@ -19,7 +19,7 @@ module Onebox
 
         escaped_url = ::Onebox::Helpers.normalize_url_for_output(@url)
         <<-HTML
-          <a href="#{escaped_url}" target="_blank" class="onebox">
+          <a href="#{escaped_url}" target="_blank" rel="noopener" class="onebox">
             <img src="#{escaped_url}">
           </a>
         HTML
diff --git a/lib/onebox/engine/imgur_onebox.rb b/lib/onebox/engine/imgur_onebox.rb
index 24b7b24..dc5c2e0 100644
--- a/lib/onebox/engine/imgur_onebox.rb
+++ b/lib/onebox/engine/imgur_onebox.rb
@@ -34,7 +34,7 @@ module Onebox
 
         <<-HTML
             <div class='onebox imgur-album'>
-              <a href='#{escaped_url}' target='_blank'>
+              <a href='#{escaped_url}' target='_blank' rel='noopener'>
                 <span class='outer-box' style='width:#{og.image_width}px'>
                   <span class='inner-box'>
                     <span class='album-title'>#{album_title}</span>
@@ -57,7 +57,7 @@ module Onebox
         escaped_url = ::Onebox::Helpers.normalize_url_for_output(url)
 
         <<-HTML
-            <a href='#{escaped_url}' target='_blank' class="onebox">
+            <a href='#{escaped_url}' target='_blank' rel='noopener' class="onebox">
               <img src='#{og.get_secure_image}' #{og.title_attr} alt='Imgur' height='#{og.image_height}' width='#{og.image_width}'>
             </a>
           HTML
diff --git a/spec/lib/onebox/engine/google_drive_onebox_spec.rb b/spec/lib/onebox/engine/google_drive_onebox_spec.rb
index 105a0d5..3c90de4 100644
--- a/spec/lib/onebox/engine/google_drive_onebox_spec.rb
+++ b/spec/lib/onebox/engine/google_drive_onebox_spec.rb
@@ -11,7 +11,7 @@ describe Onebox::Engine::GoogleDriveOnebox do
   end
 
   it "includes title" do
-    expect(html).to include('<a href="https://drive.google.com/file/d/1FgMt06wENEUfC6_-1tImXaNCH7vM9QsA/view" target="_blank">test.txt</a>')
+    expect(html).to include('<a href="https://drive.google.com/file/d/1FgMt06wENEUfC6_-1tImXaNCH7vM9QsA/view" target="_blank" rel="noopener">test.txt</a>')
   end
 
   it "includes image" do
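Review bot: This expectation pins the whole anchor string, attribute order included, so it confirms `rel="noopener"` for this one template only and will fail on any harmless reordering of attributes. Because the fix is applied by hand in every engine and template, a suite-level guard would stop a new engine from reintroducing a bare `target="_blank"`. One option is a spec that scans the files under `lib/onebox/engine` and `templates` and fails on any anchor with `target="_blank"` whose `rel` lacks `noopener`, as sketched below. The same applies to the instagram_onebox_spec.rb hunk.

```ruby
it "pairs every target=_blank with rel=noopener" do
  sources = Dir.glob("lib/onebox/engine/*.rb") + Dir.glob("templates/*.mustache")
  offenders = sources.select do |path|
    File.read(path)
      .scan(/<a\b[^>]*target=['"]_blank['"][^>]*>/)
      .any? { |tag| !tag.match?(/rel=['"][^'"]*noopener/) }
  end
  expect(offenders).to be_empty
end
```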
diff --git a/spec/lib/onebox/engine/instagram_onebox_spec.rb b/spec/lib/onebox/engine/instagram_onebox_spec.rb
index 7723862..bfdd2db 100644
--- a/spec/lib/onebox/engine/instagram_onebox_spec.rb
+++ b/spec/lib/onebox/engine/instagram_onebox_spec.rb
@@ -11,7 +11,7 @@ describe Onebox::Engine::InstagramOnebox do
   end
 
   it "includes title" do
-    expect(html).to include('<a href="https://www.instagram.com/p/BgSPalMjddb/" target="_blank">National Geographic</a>')
+    expect(html).to include('<a href="https://www.instagram.com/p/BgSPalMjddb/" target="_blank" rel="noopener">National Geographic</a>')
   end
 
   it "includes image" do
diff --git a/templates/_layout.mustache b/templates/_layout.mustache
index cb3ef27..e6008f3 100644
--- a/templates/_layout.mustache
+++ b/templates/_layout.mustache
@@ -4,10 +4,10 @@
       <img src="{{favicon}}" class="site-icon"/>
     {{/favicon}}
     {{#article_published_time}}
-      <a href="{{link}}" target='_blank' title="{{article_published_time_title}}">{{domain}} &ndash; {{article_published_time}}</a>
+      <a href="{{link}}" target='_blank' rel='noopener' title="{{article_published_time_title}}">{{domain}} &ndash; {{article_published_time}}</a>
     {{/article_published_time}}
     {{^article_published_time}}
-      <a href="{{link}}" target='_blank'>{{domain}}</a>
+      <a href="{{link}}" target='_blank' rel='noopener'>{{domain}}</a>
     {{/article_published_time}}
   </header>
   <article class="onebox-body">
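Review bot: Both header links now carry `rel='noopener'` only, which browsers that predate the keyword ignore, so `window.opener` stays reachable from the opened page in those browsers. If they are in scope, `rel='noopener noreferrer'` covers them because `noreferrer` also severs the opener, at the cost of no longer sending a Referer to the linked site. If leaving `noreferrer` out is deliberate, a short template comment such as `{{! noreferrer omitted on purpose: linked sites should still see the Referer }}` would record the decision. This applies to every anchor changed in the commit, including the one in amazon.mustache.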
diff --git a/templates/amazon.mustache b/templates/amazon.mustache
index 0898c7d..7a99d7f 100644
--- a/templates/amazon.mustache
+++ b/templates/amazon.mustache
@@ -1,6 +1,6 @@
 {{#image}}<img src="{{image}}" class="thumbnail"/>{{/image}}
 
-<h3><a href='{{link}}' target='_blank'>{{title}}</a></h3>
+<h3><a href='{{link}}' target='_blank' rel='noopener'>{{title}}</a></h3>
 {{#by_info}}<b>{{by_info}}</b>{{/by_info}}
 <p>{{description}}</p>
 <p>
diff --git a/templates/githubblob.mustache b/templates/githubblob.mustache
index 7fc1cc9..2cf9af5 100644
--- a/templates/githubblob.mustache
+++ b/templates/githubblob.mustache
@@ -1,4 +1,4 @@

[... diff too long, it was truncated ...]

GitHub sha: 14249bd9

This commit appears in #425 which was approved by danielwaterworth and davidtaylorhq. It was merged by eviltrout.