Class: RuboCop::Cop::Rails::LinkToBlank

Inherits:

RuboCop::Cop

Object
RuboCop::Cop
RuboCop::Cop::Rails::LinkToBlank

show all

Defined in:: lib/rubocop/cop/rails/link_to_blank.rb

Overview

This cop checks for calls to ‘link_to` that contain a `target: ’_blank’‘ but no `rel: ’noopener’‘. This can be a security risk as the loaded page will have control over the previous page and could change its location for phishing purposes.

The option ‘rel: ’noreferrer’‘ also blocks this behavior and removes the http-referrer header.

Examples:

# bad
link_to 'Click here', url, target: '_blank'

# good
link_to 'Click here', url, target: '_blank', rel: 'noopener'

# good
link_to 'Click here', url, target: '_blank', rel: 'noreferrer'

Constant Summary collapse

MSG =

'Specify a `:rel` option containing noopener.'

Instance Method Summary collapse

#autocorrect(node) ⇒ Object

rubocop:enable Metrics/CyclomaticComplexity.
#on_send(node) ⇒ Object

rubocop:disable Metrics/CyclomaticComplexity.

Instance Method Details

#autocorrect(node) ⇒ `Object`

rubocop:enable Metrics/CyclomaticComplexity

# File 'lib/rubocop/cop/rails/link_to_blank.rb', line 51

def autocorrect(node)
  lambda do |corrector|
    send_node = node.parent.parent

    option_nodes = send_node.each_child_node(:hash)
    rel_node = nil
    option_nodes.map(&:children).each do |options|
      rel_node ||= options.find { |o| rel_node?(o) }
    end

    if rel_node
      append_to_rel(rel_node, corrector)
    else
      add_rel(send_node, node, corrector)
    end
  end
end

#on_send(node) ⇒ `Object`

rubocop:disable Metrics/CyclomaticComplexity

# File 'lib/rubocop/cop/rails/link_to_blank.rb', line 39

def on_send(node)
  return unless node.method?(:link_to)

  option_nodes = node.each_child_node(:hash)

  option_nodes.map(&:children).each do |options|
    blank = options.find { |o| blank_target?(o) }
    add_offense(blank) if blank && options.none? { |o| includes_noopener?(o) }
  end
end