external link treatment (#1133)

* external link treatment

* fix type

* _self, not self

* document links

* doc edits

* add local image example

* add markdown-in-html example

---------

Co-authored-by: Philippe Rivière <[email protected]>

Author: mbostock

docs/markdown.md

@@ -87,9 +87,12 @@ Cell 1-2   |   Cell 2-2   |    Cell 3-2
 [external link](<https://en.wikipedia.org/wiki/Tar_(computing)>)
 ```
 
+For privacy and convenience, links to external resources are given a default `rel` attribute of [`noreferrer`](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noreferrer) and [`noopener`](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noopener), and a default `target` attribute of [`_blank`](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#target). Hence by default an external link will open in a new window and not pass the (potentially sensitive) referrer to the (potentially untrusted) external site. You can override this behavior by specifying the `rel` or `target` attribute explicitly. For example `<a href="https://example.com" target="_self">` will open in the same window, and `<a href="https://acme.com" rel="">` will allow the referrer.
+
 ## Images
 
 ```md
+![A horse](./horse.jpg)
 ![A happy kitten](https://placekitten.com/200/300)
 ```
 
@@ -111,4 +114,28 @@ This produces:
   This text is not visible by default.
 </details>
 
+You can put Markdown inside of HTML by surrounding it with blank lines:
+
+<div class="grid grid-cols-4">
+  <div class="card">
+
+## Card title
+
+This is **Markdown** inside of _HTML_!
+
+  </div>
+</div>
+
+```md run=false
+<div class="grid grid-cols-4">
+  <div class="card">
+
+## Card title
+
+This is **Markdown** inside of _HTML_!
+
+  </div>
+</div>
+```
+
 Also see [Hypertext Literal](./lib/htl) for generating dynamic HTML in JavaScript.

observablehq.config.ts

@@ -107,7 +107,7 @@ export default {
   }
 <script type="module">/Win/.test(navigator.platform) || Array.from(document.querySelectorAll(".win"), (e) => e.remove())</script>`,
   header: `<div style="display: flex; align-items: center; gap: 0.5rem; height: 2.2rem; margin: -1.5rem -2rem 2rem -2rem; padding: 0.5rem 2rem; border-bottom: solid 1px var(--theme-foreground-faintest); font: 500 16px var(--sans-serif);">
-  <a href="https://observablehq.com/" style="display: flex; align-items: center;">
+  <a href="https://observablehq.com/" target="_self" style="display: flex; align-items: center;">
     <svg width="22" height="22" viewBox="0 0 21.92930030822754 22.68549919128418" fill="currentColor">
       <path d="M10.9646 18.9046C9.95224 18.9046 9.07507 18.6853 8.33313 18.2467C7.59386 17.8098 7.0028 17.1909 6.62722 16.4604C6.22789 15.7003 5.93558 14.8965 5.75735 14.0684C5.56825 13.1704 5.47613 12.2574 5.48232 11.3427C5.48232 10.6185 5.52984 9.92616 5.62578 9.26408C5.7208 8.60284 5.89715 7.93067 6.15391 7.24843C6.41066 6.56618 6.74143 5.97468 7.14438 5.47308C7.56389 4.9592 8.1063 4.54092 8.72969 4.25059C9.38391 3.93719 10.1277 3.78091 10.9646 3.78091C11.977 3.78091 12.8542 4.00021 13.5962 4.43879C14.3354 4.87564 14.9265 5.49454 15.3021 6.22506C15.6986 6.97704 15.9883 7.7744 16.1719 8.61712C16.3547 9.459 16.447 10.3681 16.447 11.3427C16.447 12.067 16.3995 12.7593 16.3035 13.4214C16.2013 14.1088 16.0206 14.7844 15.7644 15.437C15.4994 16.1193 15.1705 16.7108 14.7739 17.2124C14.3774 17.714 13.8529 18.1215 13.1996 18.4349C12.5463 18.7483 11.8016 18.9046 10.9646 18.9046ZM12.8999 13.3447C13.4242 12.8211 13.7159 12.0966 13.7058 11.3427C13.7058 10.5639 13.4436 9.89654 12.92 9.34074C12.3955 8.78495 11.7441 8.50705 10.9646 8.50705C10.1852 8.50705 9.53376 8.78495 9.00928 9.34074C8.49569 9.87018 8.21207 10.5928 8.22348 11.3427C8.22348 12.1216 8.48572 12.7889 9.00928 13.3447C9.53376 13.9005 10.1852 14.1784 10.9646 14.1784C11.7441 14.1784 12.3891 13.9005 12.8999 13.3447ZM10.9646 22.6855C17.0199 22.6855 21.9293 17.6068 21.9293 11.3427C21.9293 5.07871 17.0199 0 10.9646 0C4.90942 0 0 5.07871 0 11.3427C0 17.6068 4.90942 22.6855 10.9646 22.6855Z"></path>
     </svg>

src/html.ts

@@ -145,6 +145,13 @@ export function rewriteHtml(
     script.setAttribute("src", (isJavaScript(script) ? resolveScript : maybeResolveFile)(src));
   }
 
+  for (const a of document.querySelectorAll<HTMLAnchorElement>("a[href]")) {
+    const href = a.getAttribute("href")!;
+    if (!/^(\w+:)/.test(href)) continue;
+    if (!a.hasAttribute("target")) a.setAttribute("target", "_blank");
+    if (!a.hasAttribute("rel")) a.setAttribute("rel", "noopener noreferrer");
+  }
+
   // Syntax highlighting for <code> elements. The code could contain an inline
   // expression within, or other HTML, but we only highlight text nodes that are
   // direct children of code elements.

test/output/build/404/404.html

@@ -34,6 +34,6 @@ <h1 id="page-not-found" tabindex="-1"><a class="observablehq-header-anchor" href
 <p>Sorry, but we can’t find the page you requested.</p>
 </main>
 <footer id="observablehq-footer">
-<div>Built with <a href="https://observablehq.com/" target="_blank">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
+<div>Built with <a href="https://observablehq.com/" target="_blank" rel="noopener noreferrer">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
 </footer>
 </div>

test/output/build/archives.posix/tar.html

@@ -96,6 +96,6 @@ <h1 id="tar" tabindex="-1"><a class="observablehq-header-anchor" href="#tar">Tar
 </main>
 <footer id="observablehq-footer">
 <nav><a rel="prev" href="./"><span>Home</span></a><a rel="next" href="./zip"><span>Zip</span></a></nav>
-<div>Built with <a href="https://observablehq.com/" target="_blank">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
+<div>Built with <a href="https://observablehq.com/" target="_blank" rel="noopener noreferrer">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
 </footer>
 </div>

test/output/build/archives.posix/zip.html

@@ -77,6 +77,6 @@ <h1 id="zip" tabindex="-1"><a class="observablehq-header-anchor" href="#zip">Zip
 </main>
 <footer id="observablehq-footer">
 <nav><a rel="prev" href="./tar"><span>Tar</span></a></nav>
-<div>Built with <a href="https://observablehq.com/" target="_blank">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
+<div>Built with <a href="https://observablehq.com/" target="_blank" rel="noopener noreferrer">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
 </footer>
 </div>

test/output/build/archives.win32/tar.html

@@ -64,6 +64,6 @@ <h1 id="tar" tabindex="-1"><a class="observablehq-header-anchor" href="#tar">Tar
 </main>
 <footer id="observablehq-footer">
 <nav><a rel="prev" href="./"><span>Home</span></a><a rel="next" href="./zip"><span>Zip</span></a></nav>
-<div>Built with <a href="https://observablehq.com/" target="_blank">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
+<div>Built with <a href="https://observablehq.com/" target="_blank" rel="noopener noreferrer">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
 </footer>
 </div>

test/output/build/archives.win32/zip.html

@@ -56,6 +56,6 @@ <h1 id="zip" tabindex="-1"><a class="observablehq-header-anchor" href="#zip">Zip
 </main>
 <footer id="observablehq-footer">
 <nav><a rel="prev" href="./tar"><span>Tar</span></a></nav>
-<div>Built with <a href="https://observablehq.com/" target="_blank">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
+<div>Built with <a href="https://observablehq.com/" target="_blank" rel="noopener noreferrer">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
 </footer>
 </div>

test/output/build/config/closed/page.html

@@ -46,6 +46,6 @@ <h1 id="a-page%E2%80%A6" tabindex="-1"><a class="observablehq-header-anchor" hre
 </main>
 <footer id="observablehq-footer">
 <nav><a rel="prev" href="../sub/two"><span>Two</span></a></nav>
-<div>Built with <a href="https://observablehq.com/" target="_blank">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
+<div>Built with <a href="https://observablehq.com/" target="_blank" rel="noopener noreferrer">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
 </footer>
 </div>

test/output/build/config/index.html

@@ -49,6 +49,6 @@ <h1 id="index" tabindex="-1"><a class="observablehq-header-anchor" href="#index"
 </main>
 <footer id="observablehq-footer">
 <nav><a rel="next" href="./one"><span>One&lt;Two</span></a></nav>
-<div>Built with <a href="https://observablehq.com/" target="_blank">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
+<div>Built with <a href="https://observablehq.com/" target="_blank" rel="noopener noreferrer">Observable</a> on <a title="2024-01-10T16:00:00">Jan 10, 2024</a>.</div>
 </footer>
 </div>