Open newsletter links in new tab (instead of iframe)
nicholaschiang opened this issue · 3 comments
Similar to what Gmail already does, we should modify all the links within an HTML email to open in a new tab. We should also take care of any security concerns like tabnabbing by using rel
attributes:
<link href="https://external-link.com" rel="noopener noreferrer" target="_blank" />
See this original Notion issue from @jurajpal or @martinsrna (I'm not sure).
Some StackOverflow answers on how to safely parse and display HTML emails:
- https://stackoverflow.com/a/27062920
- https://stackoverflow.com/a/27198044
- https://security.stackexchange.com/a/82786
Ideally, we'd want to just do what Gmail does: embed a safe "bleached" version of the HTML email directly into the DOM. To do this, we need a secure way to sanitize the email HTML and ensure that it is safe to embed directly. There are a couple of popular libraries for this (because we definitely should not build this ourselves):
- DOMPurify - An open-source solution used by Mailpile and Whiteout Mail.
- Google Caja - This is deprecated (see GitHub); it is recommended to use Closure instead.
- Google Closure - A developer toolkit (see GitHub) that includes
SafeHTML
utilities we could use to sanitize HTML emails before embedding them directly into the DOM. This is probably what Gmail uses.
Once we sanitize the HTML emails, we will probably want to take that a step further and, instead of embedding them directly into the DOM, we should place them within a sandboxed iframe
and implement a strict CSP to prevent XSS attacks.
This issue itself would be easily solved using a DOMPurify
hook:
DOMPurify.addHook('afterSanitizeAttributes', function(node) {
// open all links in a new window
if ('target' in node) {
node.setAttribute('target', '_blank');
}
});
Some more packages reviewed by this article on preventing XSS attacks: