fix(openLinksInNewWindow): add rel="noopener noreferrer" to links

Add rel="noreferrer" to links when openLinksInNewWindow is on. Also add noopener when openLinksInNewWindow is on.
target="_blank" without also adding rel="noopener noreferrer" creates a vulnerability
(since the site you're linking to has access to the window.opener by default.
This  adds rel="noopener noreferrer" to links generated by the makeHtml converter when openLinksInNewWindow is true.

Closes #670

Author: jammerware

dist/showdown.js

@@ -48,7 +48,7 @@ showdown.subParser('anchors', function (text, options, globals) {
     // to external links. Hash links (#) open in same page
     if (options.openLinksInNewWindow && !/^#/.test(url)) {
       // escaped _
-      result += ' target="¨E95Eblank"';
+      result += ' rel="noopener noreferrer" target="¨E95Eblank"';
     }
 
     result += '>' + linkText + '</a>';
@@ -87,7 +87,7 @@ showdown.subParser('anchors', function (text, options, globals) {
       var lnk = options.ghMentionsLink.replace(/\{u}/g, username),
           target = '';
       if (options.openLinksInNewWindow) {
-        target = ' target="¨E95Eblank"';
+        target = ' rel="noopener noreferrer" target="¨E95Eblank"';
       }
       return st + '<a href="' + lnk + '"' + target + '>' + mentions + '</a>';
     });

dist/showdown.js.map

@@ -22,7 +22,7 @@ var simpleURLRegex  = /([*~_]+|\b)(((https?|ftp|dict):\/\/|www\.)[^'">\s]+?\.[^'
           append = trailingPunctuation;
         }
         if (options.openLinksInNewWindow) {
-          target = ' target="¨E95Eblank"';
+          target = ' rel="noopener noreferrer" target="¨E95Eblank"';
         }
         return lmc + '<a href="' + link + '"' + target + '>' + lnkTxt + '</a>' + append + tmc;
       };

dist/showdown.min.js

@@ -1,2 +1,2 @@
-<p>My <a href="http://example.com" target="_blank">link</a> is <em>important</em></p>
-<p>My <a href="http://example.com" target="_blank">link</a> is <strong>important</strong></p>
+<p>My <a href="http://example.com" rel="noopener noreferrer" target="_blank">link</a> is <em>important</em></p>
+<p>My <a href="http://example.com" rel="noopener noreferrer" target="_blank">link</a> is <strong>important</strong></p>

dist/showdown.min.js.map

@@ -1,2 +1,2 @@
-<p><a href="www.google.com" target="_blank">foo</a></p>
-<p>a link <a href="http://www.google.com" target="_blank">http://www.google.com</a></p>
+<p><a href="www.google.com" rel="noopener noreferrer" target="_blank">foo</a></p>
+<p>a link <a href="http://www.google.com" rel="noopener noreferrer" target="_blank">http://www.google.com</a></p>

src/subParsers/anchors.js

@@ -1,2 +1,2 @@
-<p><a href="www.google.com" target="_blank">foo</a></p>
-<p>a link <a href="http://www.google.com" target="_blank">http://www.google.com</a></p>
+<p><a href="www.google.com" rel="noopener noreferrer" target="_blank">foo</a></p>
+<p>a link <a href="http://www.google.com" rel="noopener noreferrer" target="_blank">http://www.google.com</a></p>

src/subParsers/autoLinks.js

@@ -1 +1 @@
-<p>this is <a href="http://www.google.com" target="_blank">http://www.google.com</a> autolink</p>
+<p>this is <a href="http://www.google.com" rel="noopener noreferrer" target="_blank">http://www.google.com</a> autolink</p>