fix: anchor tag safety (via #4789)

* v3.17.6

* release(3.17.6): rebuild dist

* add failing tests

* fix Link component

* fix OnlineValidatorBadge component

* switch from <a> to <Link> in operation components

* make Markdown inputs safe

* use Link component in Info block, for target safety

* add eslint rule for unsafe `target` usage

test/xss/anchor-target-rel/link.js

@@ -0,0 +1,44 @@
+/* eslint-env mocha */
+import React from "react"
+import expect from "expect"
+import { render } from "enzyme"
+import { fromJS } from "immutable"
+import { Link } from "components/layout-utils"
+
+describe("<Link/> Anchor Target Safety", function () {
+  const dummyComponent = () => null
+  const components = {
+    Link
+  }
+  const baseProps = {
+    getComponent: c => components[c] || dummyComponent
+  }
+
+  it("renders regular links with `noreferrer` and `noopener`", function () {
+    const props = {
+      ...baseProps,
+      href: "http://google.com/"
+    }
+    let wrapper = render(<Link {...props} />)
+    const anchor = wrapper.find("a")
+
+    expect(anchor.attr("href")).toEqual("http://google.com/")
+    expect(anchor.attr("rel") || "").toInclude("noopener")
+    expect(anchor.attr("rel") || "").toInclude("noreferrer")
+  })
+
+  it("enforces `noreferrer` and `noopener` on target=_blank links", function () {
+    const props = {
+      ...baseProps,
+      href: "http://google.com/",
+      target: "_blank"
+    }
+    let wrapper = render(<Link {...props} />)
+    const anchor = wrapper.find("a")
+
+    expect(anchor.attr("href")).toEqual("http://google.com/")
+    expect(anchor.attr("target")).toEqual("_blank")
+    expect(anchor.attr("rel") || "").toInclude("noopener")
+    expect(anchor.attr("rel") || "").toInclude("noreferrer")
+  })
+})