Isolate HTML popup openers (#2501)

static/js/codeRunner.js

@@ -362,6 +362,7 @@ export function runHTML(code, panel) {
     addCloseBtn(panel);
     return;
   }
+  try { win.opener = null; } catch (_) {}
   win.document.open();
   win.document.write(code);
   win.document.close();

static/js/compare/index.js

@@ -1090,6 +1090,7 @@ function _exportPrint() {
   // the system print dialog — user can pick "Save as PDF" from there.
   const w = window.open('', '_blank');
   if (!w) return;
+  try { w.opener = null; } catch (_) {}
   const escape = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
   const html = '<!doctype html><meta charset="utf-8"><title>Compare export</title>' +
     '<style>body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;max-width:780px;margin:32px auto;padding:0 24px;line-height:1.55;color:#222}' +

tests/test_popup_opener_isolation_js.py

@@ -0,0 +1,37 @@
+import re
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[1]
+
+
+def _source(path):
+    return (ROOT / path).read_text(encoding="utf-8")
+
+
+def test_html_code_runner_detaches_opener_before_document_write():
+    src = _source("static/js/codeRunner.js")
+    match = re.search(
+        r"export function runHTML\(code, panel\) \{(?P<body>.*?)showOutput\(panel, 'Opened in new window'",
+        src,
+        re.S,
+    )
+
+    assert match
+    body = match.group("body")
+    assert "win.opener = null" in body
+    assert body.index("win.opener = null") < body.index("win.document.write(code)")
+
+
+def test_compare_print_popup_detaches_opener_before_document_write():
+    src = _source("static/js/compare/index.js")
+    match = re.search(
+        r"function _exportPrint\(\) \{(?P<body>.*?)w\.document\.close\(\);",
+        src,
+        re.S,
+    )
+
+    assert match
+    body = match.group("body")
+    assert "w.opener = null" in body
+    assert body.index("w.opener = null") < body.index("w.document.write(html)")