From 384d3526519304b3e53020419d7c5fe8cefc1994 Mon Sep 17 00:00:00 2001
From: Aziz Becha <aziz07becha@gmail.com>
Date: Sat, 2 May 2026 21:35:04 +0100
Subject: [PATCH] add rel="noopener noreferrer" to external links

The shared <A> component defaults target to "_blank" but did not set rel,
exposing the new tab to window.opener-based tabnabbing and leaking the referrer.
Now sets rel="noopener noreferrer" whenever the resolved target is "_blank".
---
 common/styleguide.tsx | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/common/styleguide.tsx b/common/styleguide.tsx
index 890f1767..16f02bad 100644
--- a/common/styleguide.tsx
+++ b/common/styleguide.tsx
@@ -140,7 +140,11 @@ export function A({
         href={href}
         numberOfLines={containerStyle ? 1 : undefined}
         target={target ?? '_blank'}
-        hrefAttrs={{ target: target ?? '_blank' }}
+        rel={(target ?? '_blank') === '_blank' ? 'noopener noreferrer' : undefined}
+        hrefAttrs={{
+          target: target ?? '_blank',
+          ...((target ?? '_blank') === '_blank' ? { rel: 'noopener noreferrer' } : {}),
+        }}
         style={[linkStyles, isHovered && linkHoverStyles, style, isHovered && hoverStyle]}>
         {children}
       </HtmlElements.A>