Extract rule: template-link-rel-noopener

NullVoxPopuli · NullVoxPopuli · commit f584154cce4d · 2026-02-17T15:45:55.000-05:00
diff --git a/README.md b/README.md
@@ -304,6 +304,12 @@ rules in templates can be disabled with eslint directives with mustache or html
 | [route-path-style](docs/rules/route-path-style.md)                                 | enforce usage of kebab-case (instead of snake_case or camelCase) in route paths          |    |    | 💡 |
 | [routes-segments-snake-case](docs/rules/routes-segments-snake-case.md)             | enforce usage of snake_cased dynamic segments in routes                                  | ✅  |    |    |
 
+### Security
+
+| Name                                                                   | Description                                                     | 💼 | 🔧 | 💡 |
+| :--------------------------------------------------------------------- | :-------------------------------------------------------------- | :- | :- | :- |
+| [template-link-rel-noopener](docs/rules/template-link-rel-noopener.md) | require rel="noopener noreferrer" on links with target="_blank" |    | 🔧 |    |
+
 ### Services
 
 | Name                                                                                                 | Description                                                       | 💼 | 🔧 | 💡 |
diff --git a/docs/rules/template-link-rel-noopener.md b/docs/rules/template-link-rel-noopener.md
@@ -0,0 +1,13 @@
+# ember/template-link-rel-noopener
+
+🔧 This rule is automatically fixable by the [`--fix` CLI option](https://eslint.org/docs/latest/user-guide/command-line-interface#--fix).
+
+<!-- end auto-generated rule header -->
+
+## Examples
+
+See ember-template-lint documentation.
+
+## References
+
+- [ember-template-lint link-rel-noopener](https://github.com/ember-template-lint/ember-template-lint/blob/master/docs/rule/link-rel-noopener.md)
diff --git a/lib/rules/template-link-rel-noopener.js b/lib/rules/template-link-rel-noopener.js
@@ -0,0 +1,57 @@
+/** @type {import('eslint').Rule.RuleModule} */
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'require rel="noopener noreferrer" on links with target="_blank"',
+      category: 'Security',
+      strictGjs: true,
+      strictGts: true,
+      url: 'https://github.com/ember-cli/eslint-plugin-ember/tree/master/docs/rules/template-link-rel-noopener.md',
+    },
+    fixable: 'code',
+    schema: [],
+    messages: {
+      missingRel: 'links with target="_blank" must have rel="noopener noreferrer"',
+    },
+  },
+  create(context) {
+    return {
+      GlimmerElementNode(node) {
+        if (node.tag !== 'a') {
+          return;
+        }
+
+        const targetAttr = node.attributes?.find((a) => a.name === 'target');
+        if (!targetAttr?.value || targetAttr.value.type !== 'GlimmerTextNode') {
+          return;
+        }
+        if (targetAttr.value.chars !== '_blank') {
+          return;
+        }
+
+        const relAttr = node.attributes?.find((a) => a.name === 'rel');
+        const hasProperRel =
+          relAttr?.value?.type === 'GlimmerTextNode' &&
+          /noopener/.test(relAttr.value.chars) &&
+          /noreferrer/.test(relAttr.value.chars);
+
+        if (!hasProperRel) {
+          context.report({
+            node: targetAttr,
+            messageId: 'missingRel',
+            fix(fixer) {
+              const sourceCode = context.sourceCode;
+              const openTag = sourceCode.getText(node).match(/^<a[^>]*/)[0];
+              const insertPos = node.range[0] + openTag.length;
+              return fixer.insertTextBeforeRange(
+                [insertPos, insertPos],
+                ' rel="noopener noreferrer"'
+              );
+            },
+          });
+        }
+      },
+    };
+  },
+};
diff --git a/tests/lib/rules/template-link-rel-noopener.js b/tests/lib/rules/template-link-rel-noopener.js
@@ -0,0 +1,17 @@
+const rule = require('../../../lib/rules/template-link-rel-noopener');
+const RuleTester = require('eslint').RuleTester;
+
+const ruleTester = new RuleTester({
+  parser: require.resolve('ember-eslint-parser'),
+  parserOptions: { ecmaVersion: 2022, sourceType: 'module' },
+});
+ruleTester.run('template-link-rel-noopener', rule, {
+  valid: ['<template><a href="/" target="_blank" rel="noopener noreferrer">Link</a></template>'],
+  invalid: [
+    {
+      code: '<template><a href="/" target="_blank">Link</a></template>',
+      output: '<template><a href="/" target="_blank" rel="noopener noreferrer">Link</a></template>',
+      errors: [{ messageId: 'missingRel' }],
+    },
+  ],
+});
