fix(transcription): add noreferrer to mention dropdown create-new link

For issue #380 (Nora CWE-116). The "Neue Person anlegen" link opens in a new tab and was missing `noreferrer` — the new tab could read window.opener and the referrer leaked the transcription URL. Same-origin risk is low but the omission was unintentional. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-19 21:05:03 +02:00
parent 5099dfa424
commit e1b5c1b15c
2 changed files with 14 additions and 1 deletions
--- a/frontend/src/lib/shared/discussion/MentionDropdown.svelte
+++ b/frontend/src/lib/shared/discussion/MentionDropdown.svelte
@@ -188,7 +188,7 @@ function selectItem(item: Person) {
 		<a
 			href="/persons/new"
 			target="_blank"
-			rel="noopener"
+			rel="noopener noreferrer"
 			class="flex min-h-[44px] items-center gap-2 border-t border-line px-3 py-2.5 font-sans text-sm font-medium text-brand-navy hover:bg-canvas focus:bg-canvas focus:outline-none"
 			onmousedown={(e) => e.preventDefault()}
 		>
--- a/frontend/src/lib/shared/discussion/MentionDropdown.svelte.spec.ts
+++ b/frontend/src/lib/shared/discussion/MentionDropdown.svelte.spec.ts
@@ -77,6 +77,19 @@ describe('MentionDropdown — search input', () => {
 		await expect.element(page.getByText(m.person_mention_search_prompt())).not.toBeInTheDocument();
 	});

+	it('"create new person" link has rel="noopener noreferrer" (CWE-116)', async () => {
+		render(MentionDropdown, {
+			model: makeModel([]),
+			editorQuery: 'unknown', // non-empty so the empty-state link renders
+			onSearch: () => {}
+		});
+
+		const link = document.querySelector('a[href="/persons/new"]') as HTMLAnchorElement;
+		expect(link).not.toBeNull();
+		expect(link.getAttribute('rel')).toContain('noopener');
+		expect(link.getAttribute('rel')).toContain('noreferrer');
+	});
+
 	it('search input wrapper meets the 44px touch target (WCAG 2.2 AA)', async () => {
 		render(MentionDropdown, {
 			model: makeModel(),