From 2a44c832507aa108ef4ff598c0091ceb06841ff1 Mon Sep 17 00:00:00 2001
From: Joel Purra
Date: Tue, 27 Jan 2015 12:21:38 +0100
Subject: [PATCH] referer: exported html pads no longer leak URL/location through referer header Exported HTML can, when loaded from disk or an online server, also leak the location. Applying the `rel="noreferrer"` HTML5 standard mitigate the problem for compatible browsers. https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer This commit was originally part of https://github.com/ether/etherpad-lite/pull/2498
---
 src/node/utils/ExportHtml.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/node/utils/ExportHtml.js b/src/node/utils/ExportHtml.js
index 18b32d247..086ec89e9 100644
--- a/src/node/utils/ExportHtml.js
+++ b/src/node/utils/ExportHtml.js
@@ -285,7 +285,10 @@ function getHTMLFromAtext(pad, atext, authorColors)
 var url = urlData[1];
 var urlLength = url.length;
 processNextChars(startIndex - idx);
- assem.append('');
+ // Using rel="noreferrer" stops leaking the URL/location of the exported HTML when clicking links in the document.
+ // Not all browsers understand this attribute, but it's part of the HTML5 standard.
+ // http://www.w3.org/TR/html5/links.html#link-type-noreferrer
+ assem.append('');
 processNextChars(urlLength);
 assem.append('');
 });
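Review bot: The per-link `rel="noreferrer"` added at the `assem.append` call only protects anchors emitted by this one code path and, as the new comment itself says, only in browsers that honour the attribute, so the exported file can still disclose its location through an older browser or any other outbound reference the document may contain. A document-wide referrer policy in the exported page's head, `<meta name="referrer" content="no-referrer">`, would cover every request the page makes; that template is outside this hunk, so where it lives needs confirming. The string literals of both `assem.append` calls are empty in this rendering (the markup appears to have been stripped by extraction), so the attribute's exact placement and the escaping of `url` cannot be checked from here. `getHTMLFromAtext` starts and ends outside the hunk.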