Use noreferrer when linkifying attachments and allow this value in purifier

lib/util.php

@@ -594,7 +594,7 @@ function common_purify($html, array $args=array())
      *
      * Source: http://microformats.org/wiki/rel
      */
-    $cfg->set('Attr.AllowedRel', ['bookmark', 'enclosure', 'nofollow', 'tag']);
+    $cfg->set('Attr.AllowedRel', ['bookmark', 'enclosure', 'nofollow', 'tag', 'noreferrer']);
     $cfg->set('HTML.ForbiddenAttributes', array('style'));  // id, on* etc. are already filtered by default
     $cfg->set('URI.AllowedSchemes', array_fill_keys(common_url_schemes(), true));
     if (isset($args['URI.Base'])) {
@@ -1140,6 +1140,15 @@ function common_linkify($url) {
         }
     }
 
+    // Whether to nofollow
+    $nf = common_config('nofollow', 'external');
+
+    if ($nf == 'never') {
+        $attrs['rel'] = 'external';
+    } else {
+        $attrs['rel'] = 'nofollow external';
+    }
+
     // Add clippy
     if ($is_attachment) {
         $attrs['class'] = 'attachment';
@@ -1147,16 +1156,7 @@ function common_linkify($url) {
             $attrs['class'] = 'attachment thumbnail';
         }
         $attrs['id'] = "attachment-{$attachment_id}";
-    }
+        $attrs['rel'] .= ' noreferrer';
-
-    // Whether to nofollow
-
-    $nf = common_config('nofollow', 'external');
-
-    if ($nf == 'never') {
-        $attrs['rel'] = 'external';
-    } else {
-        $attrs['rel'] = 'nofollow external';
     }
 
     return XMLStringer::estring('a', $attrs, $url);