From f26789d813c3bb29dd046d35e8ff19918a4516f2 Mon Sep 17 00:00:00 2001 From: seancrater Date: Mon, 12 Nov 2018 14:00:55 -0500 Subject: [PATCH] [Fix] `jsx-no-target-blank`: allow `no-referrer` without `noopener` by default Fixes #2022. --- docs/rules/jsx-no-target-blank.md | 9 +++++---- lib/rules/jsx-no-target-blank.js | 8 ++++---- tests/lib/rules/jsx-no-target-blank.js | 18 ++++++++++++++---- 3 files changed, 23 insertions(+), 12 deletions(-) diff --git a/docs/rules/jsx-no-target-blank.md b/docs/rules/jsx-no-target-blank.md index 0abc0719ea..d87eef3dfb 100644 --- a/docs/rules/jsx-no-target-blank.md +++ b/docs/rules/jsx-no-target-blank.md @@ -2,14 +2,14 @@ When creating a JSX element that has an `a` tag, it is often desired to have the link open in a new tab using the `target='_blank'` attribute. Using this -attribute unaccompanied by `rel='noreferrer noopener'`, however, is a severe -security vulnerability ([see here for more details](https://mathiasbynens.github.io/rel-noopener)) -This rules requires that you accompany `target='_blank'` attributes with `rel='noreferrer noopener'`. +attribute unaccompanied by `rel='noreferrer'`, however, is a severe +security vulnerability ([see here for more details](https://html.spec.whatwg.org/multipage/links.html#link-type-noopener)) +This rules requires that you accompany `target='_blank'` attributes with `rel='noreferrer'`. ## Rule Details This rule aims to prevent user generated links from creating security vulnerabilities by requiring -`rel='noreferrer noopener'` for external links, and optionally any dynamically generated links. +`rel='noreferrer'` for external links, and optionally any dynamically generated links. ## Rule Options ```json @@ -39,6 +39,7 @@ The following patterns are **not** considered errors: ```jsx var Hello =

+var Hello = var Hello = var Hello = var Hello = diff --git a/lib/rules/jsx-no-target-blank.js b/lib/rules/jsx-no-target-blank.js index 41b3de4ef9..61c606cc18 100644 --- a/lib/rules/jsx-no-target-blank.js +++ b/lib/rules/jsx-no-target-blank.js @@ -53,7 +53,7 @@ function hasSecureRel(element, allowReferrer) { attr.value.expression.value )); const tags = value && value.toLowerCase && value.toLowerCase().split(' '); - return tags && tags.indexOf('noopener') >= 0 && (allowReferrer || tags.indexOf('noreferrer') >= 0); + return tags && (allowReferrer ? tags.indexOf('noopener') >= 0 : tags.indexOf('noreferrer') >= 0); } return false; }); @@ -62,7 +62,7 @@ function hasSecureRel(element, allowReferrer) { module.exports = { meta: { docs: { - description: 'Forbid target="_blank" attribute without rel="noopener noreferrer"', + description: 'Forbid target="_blank" attribute without rel="noreferrer"', category: 'Best Practices', recommended: true, url: docsUrl('jsx-no-target-blank') @@ -102,8 +102,8 @@ module.exports = { if (hasExternalLink(node.parent, linkAttribute) || (enforceDynamicLinks === 'always' && hasDynamicLink(node.parent, linkAttribute))) { context.report({ node, - message: 'Using target="_blank" without rel="noopener noreferrer" ' + - 'is a security risk: see https://mathiasbynens.github.io/rel-noopener' + message: 'Using target="_blank" without rel="noreferrer" ' + + 'is a security risk: see https://html.spec.whatwg.org/multipage/links.html#link-type-noopener' }); } } diff --git a/tests/lib/rules/jsx-no-target-blank.js b/tests/lib/rules/jsx-no-target-blank.js index cd5b7df311..fa036f2340 100644 --- a/tests/lib/rules/jsx-no-target-blank.js +++ b/tests/lib/rules/jsx-no-target-blank.js 
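Review bot: In the new return of `hasSecureRel`, the `allowReferrer` branch accepts only `noopener`, so `rel="noreferrer"` on its own is still reported when that option is on, even though this commit treats `noreferrer` as sufficient by itself. Accepting it in both modes would keep the rule consistent: `return tags && (tags.indexOf('noreferrer') >= 0 || (allowReferrer && tags.indexOf('noopener') >= 0));`. Separately, dropping the `noopener` requirement relies on every targeted browser treating `noreferrer` as implying `noopener`, which nothing in the hunk confirms; a comment such as `// noreferrer implies noopener per the HTML spec; older browsers may still need both` would record that assumption. The function starts above the hunk and continues after it.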
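Review bot: The report message in the `@@ -102,8 +102,8 @@` hunk now names only `rel="noreferrer"`, but with `allowReferrer` enabled `hasSecureRel` looks for `noopener`, so the text can point the user at a token that will not clear the warning. Consider picking the wording from the option, e.g. `'Using target="_blank" without rel="' + (allowReferrer ? 'noopener' : 'noreferrer') + '" '`. Whether `allowReferrer` is in scope at the `context.report` call is not visible here, since the enclosing handler starts outside the hunk. The same wording appears in `meta.docs.description` in the preceding hunk, and `defaultErrors` in the test file would need to match any change.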
@@ -26,8 +26,8 @@ const parserOptions = { const ruleTester = new RuleTester({parserOptions}); const defaultErrors = [{ - message: 'Using target="_blank" without rel="noopener noreferrer" is a security risk:' + - ' see https://mathiasbynens.github.io/rel-noopener' + message: 'Using target="_blank" without rel="noreferrer" is a security risk:' + + ' see https://html.spec.whatwg.org/multipage/links.html#link-type-noopener' }]; ruleTester.run('jsx-no-target-blank', rule, { @@ -36,18 +36,28 @@ ruleTester.run('jsx-no-target-blank', rule, { {code: ''}, {code: ''}, {code: ''}, + {code: ''}, {code: ''}, + {code: ''}, {code: ''}, + {code: ''}, {code: ''}, + {code: ''}, {code: ''}, + {code: ''}, {code: ''}, + {code: ''}, {code: 's'}, + {code: 's'}, {code: ''}, + {code: ''}, {code: '

'}, - {code: ''}, + {code: ''}, {code: ''}, {code: ''}, + {code: ''}, {code: ''}, + {code: ''}, {code: ''}, {code: ''}, {code: ''}, @@ -87,7 +97,7 @@ ruleTester.run('jsx-no-target-blank', rule, { code: '', errors: defaultErrors }, { - code: '', + code: '', errors: defaultErrors }, { code: '',