7 files changed, 10 insertions, 6 deletions

diff --git a/server/sonar-webserver-api/p1.jar b/server/sonar-webserver-api/p1.jar
new file mode 100644
index 00000000000..e69de29bb2d
--- /dev/null
+++ b/server/sonar-webserver-api/p1.jar
diff --git a/server/sonar-webserver-api/p2.jar b/server/sonar-webserver-api/p2.jar
new file mode 100644
index 00000000000..e69de29bb2d
--- /dev/null
+++ b/server/sonar-webserver-api/p2.jar
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/LoginMessageActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/LoginMessageActionTest.java
index 60090a6bad6..08448c9f944 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/LoginMessageActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/LoginMessageActionTest.java
@@ -43,7 +43,7 @@ public class LoginMessageActionTest {
   private final LoginMessageAction underTest = new LoginMessageAction(dbClient, loginMessageFeature);
   private final WsActionTester ws = new WsActionTester(underTest);
   private static final String LOGIN_MESSAGE_TEXT = "test link [SonarQube™ Home Page](https://www.sonarqube.org)\n* list 1\n* list 2";
-  private static final String FORMATTED_LOGIN_MESSAGE_TEXT = "test link \\u003ca href\\u003d\\\"https://www.sonarqube.org\\\" target\\u003d\\\"_blank\\\"\\u003eSonarQube\\u0026trade; Home Page\\u003c/a\\u003e\\u003cbr/\\u003e\\u003cul\\u003e\\u003cli\\u003elist 1\\u003c/li\\u003e\\n\\u003cli\\u003elist 2\\u003c/li\\u003e\\u003c/ul\\u003e";
+  private static final String FORMATTED_LOGIN_MESSAGE_TEXT = "test link \\u003ca href\\u003d\\\"https://www.sonarqube.org\\\" target\\u003d\\\"_blank\\\" rel\\u003d\\\"noopener noreferrer\\\"\\u003eSonarQube\\u0026trade; Home Page\\u003c/a\\u003e\\u003cbr/\\u003e\\u003cul\\u003e\\u003cli\\u003elist 1\\u003c/li\\u003e\\n\\u003cli\\u003elist 2\\u003c/li\\u003e\\u003c/ul\\u003e";
   private static final String JSON_RESPONSE = "{\"message\":\"" + FORMATTED_LOGIN_MESSAGE_TEXT + "\"}";
   private static final String EMPTY_JSON_RESPONSE = "{\"message\":\"\"}";
   private PropertiesDao propertiesDao;
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ValuesActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ValuesActionTest.java
index 235be1d3c35..e82dfea34c7 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ValuesActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ValuesActionTest.java
@@ -124,7 +124,7 @@ public class ValuesActionTest {
     assertThat(value.getKey()).isEqualTo(propertyKey);
     assertThat(value.getValues().getValuesList())
       .hasSize(2)
-      .containsExactly("[link](https://link.com)", "<a href=\"https://link.com\" target=\"_blank\">link</a>");
+      .containsExactly("[link](https://link.com)", "<a href=\"https://link.com\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>");
   }
 
   @Test
diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlLinkChannel.java b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlLinkChannel.java
index cccae47ce95..66e88e15c5f 100644
--- a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlLinkChannel.java
+++ b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlLinkChannel.java
@@ -49,7 +49,7 @@ class HtmlLinkChannel extends RegexChannel<MarkdownOutput> {
     String url = matcher.group(2);
     output.append("<a href=\"");
     output.append(url);
-    output.append("\" target=\"_blank\">");
+    output.append("\" target=\"_blank\" rel=\"noopener noreferrer\">");
     output.append(content);
     output.append("</a>");
   }
diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlUrlChannel.java b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlUrlChannel.java
index 5aadee1a0fb..50424d4b0c3 100644
--- a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlUrlChannel.java
+++ b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlUrlChannel.java
@@ -33,6 +33,10 @@ class HtmlUrlChannel extends RegexChannel<MarkdownOutput> {
 
   @Override
   protected void consume(CharSequence token, MarkdownOutput output) {
-    output.append("<a href=\"" + token + "\" target=\"_blank\">" + token + "</a>");
+    output.append("<a href=\"");
+    output.append(token);
+    output.append("\" target=\"_blank\" rel=\"noopener noreferrer\">");
+    output.append(token);
+    output.append("</a>");
   }
 }
diff --git a/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java b/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
index d0c64578bb2..b4838a12d8d 100644
--- a/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
+++ b/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
@@ -28,13 +28,13 @@ public class MarkdownTest {
   @Test
   public void shouldDecorateUrl() {
     assertThat(Markdown.convertToHtml("http://google.com"))
-        .isEqualTo("<a href=\"http://google.com\" target=\"_blank\">http://google.com</a>");
+        .isEqualTo("<a href=\"http://google.com\" target=\"_blank\" rel=\"noopener noreferrer\">http://google.com</a>");
   }
 
   @Test
   public void shouldDecorateDocumentedLink() {
     assertThat(Markdown.convertToHtml("For more details, please [check online documentation](http://docs.sonarqube.org/display/SONAR)."))
-        .isEqualTo("For more details, please <a href=\"http://docs.sonarqube.org/display/SONAR\" target=\"_blank\">check online documentation</a>.");
+        .isEqualTo("For more details, please <a href=\"http://docs.sonarqube.org/display/SONAR\" target=\"_blank\" rel=\"noopener noreferrer\">check online documentation</a>.");
   }