From 9964f1382fb9a8982289d7ef81ab5debed0cce52 Mon Sep 17 00:00:00 2001
From: Vykos <illjaesterhazy@gmail.com>
Date: Thu, 4 Jun 2026 20:52:41 +0200
Subject: [PATCH] Isolate HTML popup openers (#2501)

---
 static/js/codeRunner.js                 |  1 +
 static/js/compare/index.js              |  1 +
 tests/test_popup_opener_isolation_js.py | 37 +++++++++++++++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 tests/test_popup_opener_isolation_js.py

diff --git a/static/js/codeRunner.js b/static/js/codeRunner.js
index 76b67f9..d0336b9 100644
--- a/static/js/codeRunner.js
+++ b/static/js/codeRunner.js
@@ -362,6 +362,7 @@ export function runHTML(code, panel) {
     addCloseBtn(panel);
     return;
   }
+  try { win.opener = null; } catch (_) {}
   win.document.open();
   win.document.write(code);
   win.document.close();
diff --git a/static/js/compare/index.js b/static/js/compare/index.js
index e6c00ae..f372078 100644
--- a/static/js/compare/index.js
+++ b/static/js/compare/index.js
@@ -1090,6 +1090,7 @@ function _exportPrint() {
   // the system print dialog — user can pick "Save as PDF" from there.
   const w = window.open('', '_blank');
   if (!w) return;
+  try { w.opener = null; } catch (_) {}
   const escape = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
   const html = '<!doctype html><meta charset="utf-8"><title>Compare export</title>' +
     '<style>body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;max-width:780px;margin:32px auto;padding:0 24px;line-height:1.55;color:#222}' +
diff --git a/tests/test_popup_opener_isolation_js.py b/tests/test_popup_opener_isolation_js.py
new file mode 100644
index 0000000..ae9a342
--- /dev/null
+++ b/tests/test_popup_opener_isolation_js.py
@@ -0,0 +1,37 @@
+import re
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[1]
+
+
+def _source(path):
+    return (ROOT / path).read_text(encoding="utf-8")
+
+
+def test_html_code_runner_detaches_opener_before_document_write():
+    src = _source("static/js/codeRunner.js")
+    match = re.search(
+        r"export function runHTML\(code, panel\) \{(?P<body>.*?)showOutput\(panel, 'Opened in new window'",
+        src,
+        re.S,
+    )
+
+    assert match
+    body = match.group("body")
+    assert "win.opener = null" in body
+    assert body.index("win.opener = null") < body.index("win.document.write(code)")
+
+
+def test_compare_print_popup_detaches_opener_before_document_write():
+    src = _source("static/js/compare/index.js")
+    match = re.search(
+        r"function _exportPrint\(\) \{(?P<body>.*?)w\.document\.close\(\);",
+        src,
+        re.S,
+    )
+
+    assert match
+    body = match.group("body")
+    assert "w.opener = null" in body
+    assert body.index("w.opener = null") < body.index("w.document.write(html)")