When we generate links from URL's in messages, we add rel="nofollow" to combat link spam. This change turns that into rel="nofollow noopener". This prevents the page at the end of the link from having access to the roundup window that displays the link. Details on the issue are are at: https://mathiasbynens.github.io/rel-noopener/ search web for noopener vulnerability. This problem usually requires a target="_blank" to really exploit it and we don't provide that. But adding noopener is extra protection.

def audit_html_files(db, cl, nodeid, newvalues):
    if 'type' in newvalues and newvalues['type'] == 'text/html':
        newvalues['type'] = 'text/plain'
    

def init(db):
    db.file.audit('set', audit_html_files)
    db.file.audit('create', audit_html_files)