From 138bb76994ad74faff899eb7a7595965ce76c2e4 Mon Sep 17 00:00:00 2001
From: Ng Yik Phang <ngyikp@gmail.com>
Date: Wed, 23 Aug 2017 10:54:40 +0800
Subject: [PATCH] [jsx-no-target-blank] Allow noopener or noreferrer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

According to the HTML5 Standard spec:

> `<a href="..." rel="noreferrer" target="_blank">`
> has the same behavior as
> `<a href="..." rel="noreferrer noopener" target="_blank”>`

https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
---
 docs/rules/jsx-no-target-blank.md      |  9 ++++++---
 lib/rules/jsx-no-target-blank.js       |  6 +++---
 tests/lib/rules/jsx-no-target-blank.js | 20 +++++++++++---------
 3 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/docs/rules/jsx-no-target-blank.md b/docs/rules/jsx-no-target-blank.md
index ef30c808ea..a2b4cd424e 100644
--- a/docs/rules/jsx-no-target-blank.md
+++ b/docs/rules/jsx-no-target-blank.md
@@ -2,9 +2,10 @@
 
 When creating a JSX element that has an `a` tag, it is often desired to have
 the link open in a new tab using the `target='_blank'` attribute. Using this
-attribute unaccompanied by `rel='noreferrer noopener'`, however, is a severe
-security vulnerability ([see here for more details](https://mathiasbynens.github.io/rel-noopener))
-This rules requires that you accompany all `target='_blank'` attributes with `rel='noreferrer noopener'`.
+attribute unaccompanied by `rel='noopener'` or `rel='noreferrer'`, however,
+is a severe security vulnerability ([see here for more details](https://mathiasbynens.github.io/rel-noopener))
+This rule requires that you accompany all `target='_blank'` attributes with
+`rel='noopener'` or `rel='noreferrer'`.
 
 ## Rule Details
 
@@ -18,6 +19,8 @@ The following patterns are not considered errors:
 
 ```jsx
 var Hello = <p target='_blank'></p>
+var Hello = <a target='_blank' rel='noopener' href="http://example.com"></a>
+var Hello = <a target='_blank' rel='noreferrer' href="http://example.com"></a>
 var Hello = <a target='_blank' rel='noopener noreferrer' href="http://example.com"></a>
 var Hello = <a target='_blank' href="relative/path/in/the/host"></a>
 var Hello = <a target='_blank' href="/absolute/path/in/the/host"></a>
diff --git a/lib/rules/jsx-no-target-blank.js b/lib/rules/jsx-no-target-blank.js
index ccba0e21a2..79028f25ad 100644
--- a/lib/rules/jsx-no-target-blank.js
+++ b/lib/rules/jsx-no-target-blank.js
@@ -25,7 +25,7 @@ function hasSecureRel(element) {
   return element.attributes.find(attr => {
     if (attr.type === 'JSXAttribute' && attr.name.name === 'rel') {
       const tags = attr.value && attr.value.type === 'Literal' && attr.value.value.toLowerCase().split(' ');
-      return tags && (tags.indexOf('noopener') >= 0 && tags.indexOf('noreferrer') >= 0);
+      return tags && (tags.indexOf('noopener') >= 0 || tags.indexOf('noreferrer') >= 0);
     }
     return false;
   });
@@ -34,7 +34,7 @@ function hasSecureRel(element) {
 module.exports = {
   meta: {
     docs: {
-      description: 'Forbid target="_blank" attribute without rel="noopener noreferrer"',
+      description: 'Forbid target="_blank" attribute without rel="noopener" or rel="noreferrer"',
       category: 'Best Practices',
       recommended: true
     },
@@ -53,7 +53,7 @@ module.exports = {
           hasExternalLink(node.parent) &&
           !hasSecureRel(node.parent)
         ) {
-          context.report(node, 'Using target="_blank" without rel="noopener noreferrer" ' +
+          context.report(node, 'Using target="_blank" without rel="noopener" or rel="noreferrer" ' +
           'is a security risk: see https://mathiasbynens.github.io/rel-noopener');
         }
       }
diff --git a/tests/lib/rules/jsx-no-target-blank.js b/tests/lib/rules/jsx-no-target-blank.js
index a0c756cbcc..5cf45933dc 100644
--- a/tests/lib/rules/jsx-no-target-blank.js
+++ b/tests/lib/rules/jsx-no-target-blank.js
@@ -31,6 +31,8 @@ ruleTester.run('jsx-no-target-blank', rule, {
     {code: '<a randomTag></a>'},
     {code: '<a href="foobar" target="_blank" rel="noopener noreferrer"></a>'},
     {code: '<a target="_blank" {...spreadProps} rel="noopener noreferrer"></a>'},
+    {code: '<a {...spreadProps} target="_blank" rel="noopener" href="http://example.com">s</a>'},
+    {code: '<a {...spreadProps} target="_blank" rel="noreferrer" href="http://example.com">s</a>'},
     {code: '<a {...spreadProps} target="_blank" rel="noopener noreferrer" href="http://example.com">s</a>'},
     {code: '<a target="_blank" rel="noopener noreferrer" {...spreadProps}></a>'},
     {code: '<p target="_blank"></p>'},
@@ -43,55 +45,55 @@ ruleTester.run('jsx-no-target-blank', rule, {
   invalid: [{
     code: '<a target="_blank" href="http://example.com"></a>',
     errors: [{
-      message: 'Using target="_blank" without rel="noopener noreferrer" is a security risk:' +
+      message: 'Using target="_blank" without rel="noopener" or rel="noreferrer" is a security risk:' +
       ' see https://mathiasbynens.github.io/rel-noopener'
     }]
   }, {
     code: '<a target="_blank" rel="" href="http://example.com"></a>',
     errors: [{
-      message: 'Using target="_blank" without rel="noopener noreferrer" is a security risk:' +
+      message: 'Using target="_blank" without rel="noopener" or rel="noreferrer" is a security risk:' +
       ' see https://mathiasbynens.github.io/rel-noopener'
     }]
   }, {
     code: '<a target="_blank" rel="noopenernoreferrer" href="http://example.com"></a>',
     errors: [{
-      message: 'Using target="_blank" without rel="noopener noreferrer" is a security risk:' +
+      message: 'Using target="_blank" without rel="noopener" or rel="noreferrer" is a security risk:' +
       ' see https://mathiasbynens.github.io/rel-noopener'
     }]
   }, {
     code: '<a target="_BLANK" href="http://example.com"></a>',
     errors: [{
-      message: 'Using target="_blank" without rel="noopener noreferrer" is a security risk:' +
+      message: 'Using target="_blank" without rel="noopener" or rel="noreferrer" is a security risk:' +
       ' see https://mathiasbynens.github.io/rel-noopener'
     }]
   }, {
     code: '<a target="_blank" href="//example.com"></a>',
     errors: [{
-      message: 'Using target="_blank" without rel="noopener noreferrer" is a security risk:' +
+      message: 'Using target="_blank" without rel="noopener" or rel="noreferrer" is a security risk:' +
       ' see https://mathiasbynens.github.io/rel-noopener'
     }]
   }, {
     code: '<a target="_blank" href="//example.com" rel={true}></a>',
     errors: [{
-      message: 'Using target="_blank" without rel="noopener noreferrer" is a security risk:' +
+      message: 'Using target="_blank" without rel="noopener" or rel="noreferrer" is a security risk:' +
       ' see https://mathiasbynens.github.io/rel-noopener'
     }]
   }, {
     code: '<a target="_blank" href="//example.com" rel={3}></a>',
     errors: [{
-      message: 'Using target="_blank" without rel="noopener noreferrer" is a security risk:' +
+      message: 'Using target="_blank" without rel="noopener" or rel="noreferrer" is a security risk:' +
       ' see https://mathiasbynens.github.io/rel-noopener'
     }]
   }, {
     code: '<a target="_blank" href="//example.com" rel={null}></a>',
     errors: [{
-      message: 'Using target="_blank" without rel="noopener noreferrer" is a security risk:' +
+      message: 'Using target="_blank" without rel="noopener" or rel="noreferrer" is a security risk:' +
       ' see https://mathiasbynens.github.io/rel-noopener'
     }]
   }, {
     code: '<a target="_blank" href="//example.com" rel></a>',
     errors: [{
-      message: 'Using target="_blank" without rel="noopener noreferrer" is a security risk:' +
+      message: 'Using target="_blank" without rel="noopener" or rel="noreferrer" is a security risk:' +
       ' see https://mathiasbynens.github.io/rel-noopener'
     }]
   }]