From 590a16ed72db56f26c26a03e3400b0794d5016f6 Mon Sep 17 00:00:00 2001
From: EdOverflow <diopterasec@gmail.com>
Date: Mon, 19 Dec 2016 20:24:04 +0100
Subject: [PATCH] Add rel="noopener noreferrer" to target="_blank".

This should be added as a precaution against reverse tabnabbing. For
more information, please refer to the following article:
https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
---
 templates/profile-edit.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/profile-edit.html b/templates/profile-edit.html
index cbb660ef32..dcdb81e1ca 100644
--- a/templates/profile-edit.html
+++ b/templates/profile-edit.html
@@ -21,8 +21,8 @@ <h2>{{ _("Statement") }}
         <textarea name="content" rows="15" placeholder="{{ stmt_placeholder }}"
                   data-confirm-discard="{{ confirm_discard }}"></textarea>
         <p class="help">{{ _("Markdown supported.") }}
-            <a href="https://daringfireball.net/projects/markdown/basics" target="_blank">{{ _("What is markdown?") }}</a>
-            (<a href="https://github.com/gratipay/gratipay.com/tree/master/gratipay/utils/markdown.py" target="_blank">{{ _("View source.") }}</a>)
+            <a href="https://daringfireball.net/projects/markdown/basics" target="_blank" rel="noopener noreferrer">{{ _("What is markdown?") }}</a>
+            (<a href="https://github.com/gratipay/gratipay.com/tree/master/gratipay/utils/markdown.py" target="_blank" rel="noopener noreferrer">{{ _("View source.") }}</a>)
         </p>
         <button class="save">{{ _("Save") }}</button>
         <button class="cancel">{{ _("Cancel") }}</button>