Always stop event propagation for click on the link generated from markdown. (#1039)

Co-authored-by: Jesús Espino <jespinog@gmail.com>
Co-authored-by: Hossein <hahmadia@users.noreply.github.com>
Co-authored-by: Harshil Sharma <harshilsharma63@gmail.com>
kamre 2021-08-24 20:11:48 +07:00 committed by GitHub
parent f9c76d8129
commit e4e1f2d94a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions


@ -25,7 +25,7 @@ describe('utils', () => {
describe('htmlFromMarkdown', () => {
test('should not allow XSS on links href on the webapp', () => {
expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe('<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" ></a></p>')
expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe('<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" onclick="event.stopPropagation();"></a></p>')
})
test('should not allow XSS on links href on the desktop app', () => {


@ -151,7 +151,7 @@ class Utils {
'rel="noreferrer" ' +
`href="${encodeURI(href || '')}" ` +
`title="${title ? encodeURI(title) : ''}" ` +
((window as any).openInNewBrowser ? 'onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);"' : '') +
`onclick="event.stopPropagation();${((window as any).openInNewBrowser ? ' openInNewBrowser && openInNewBrowser(event.target.href);' : '')}"` +
'>' + contents + '</a>'
}
const html = marked(text.replace(/</g, '&lt;'), {renderer, breaks: true})
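Review bot: In the new `onclick` line, `event.target.href` reads the href from whichever element was clicked, so a link whose text contains nested markup (bold text, an image) would hand `undefined` to `openInNewBrowser`; `openInNewBrowser(event.currentTarget.href)` always refers to the anchor itself. The handler is now emitted on every rendered link as an inline attribute, which only runs where the page's Content-Security-Policy permits inline script; a single delegated click listener on the rendered container would stop propagation without that dependency. Separately, the context line `href="${encodeURI(href || '')}"` percent-encodes quotes but does not restrict the URL scheme, and no scheme check is visible in this hunk, so it is worth confirming that one is applied before this renderer is reached. The renderer function begins above the hunk, so this is based only on the lines shown.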