More secure target blank links

2018-03-19 18:30:28 +01:00 · 2018-03-19 18:30:28 +01:00 · 632c5e3629
parent 9af61e8430
commit 632c5e3629
6 changed files with 18 additions and 15 deletions
--- a/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html
+++ b/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html
@ -19,13 +19,13 @@
    <tr>
      <td>{{ videoAbuse.reason }}</td>
      <td>
-        <a [href]="videoAbuse.reporterAccount.url" title="Go to the account" target="_blank">
+        <a [href]="videoAbuse.reporterAccount.url" title="Go to the account" target="_blank" rel="noopener noreferrer">
          {{ createByString(videoAbuse.reporterAccount) }}
        </a>
      </td>
      <td>{{ videoAbuse.createdAt }}</td>
      <td>
-        <a [href]="videoAbuse.video.url" title="Go to the video" target="_blank">
+        <a [href]="videoAbuse.video.url" title="Go to the video" target="_blank" rel="noopener noreferrer">
          {{ videoAbuse.video.name }}
        </a>
      </td>
--- a/client/src/app/shared/misc/help.component.ts
+++ b/client/src/app/shared/misc/help.component.ts
@ -46,7 +46,8 @@ export class HelpComponent implements OnInit {
  }

  private formatMarkdownSupport (rules: string[]) {
-    return '<a href="https://en.wikipedia.org/wiki/Markdown#Example" target="_blank">Markdown</a> compatible that supports:' +
+    return '<a href="https://en.wikipedia.org/wiki/Markdown#Example" target="_blank" rel="noopener noreferrer">Markdown</a> ' +
+      'compatible that supports:' +
      this.createMarkdownList(rules)
  }

--- a/client/src/app/videos/+video-watch/comment/video-comment.component.html
+++ b/client/src/app/videos/+video-watch/comment/video-comment.component.html
@ -5,7 +5,7 @@
    <div *ngIf="highlightedComment === true" class="highlighted-comment">Highlighted comment</div>

    <div class="comment-account-date">
-      <a target="_blank" [href]="comment.account.url" class="comment-account">{{ comment.by }}</a>
+      <a [href]="comment.account.url"  target="_blank" rel="noopener noreferrer" class="comment-account">{{ comment.by }}</a>
      <a [routerLink]="['/videos/watch', video.uuid, { 'threadId': comment.threadId }]" class="comment-date">{{ comment.createdAt | myFromNow }}</a>
    </div>
    <div class="comment-html" [innerHTML]="sanitizedCommentHTML"></div>
--- a/client/src/app/videos/+video-watch/comment/video-comment.component.ts
+++ b/client/src/app/videos/+video-watch/comment/video-comment.component.ts
@ -107,7 +107,8 @@ export class VideoCommentComponent implements OnInit, OnChanges {
          return {
            tagName,
            attribs: Object.assign(attribs, {
-              target: '_blank'
+              target: '_blank',
+              rel: 'noopener noreferrer'
            })
          }
        }
--- a/client/src/app/videos/+video-watch/video-watch.component.html
+++ b/client/src/app/videos/+video-watch/video-watch.component.html
@ -183,7 +183,7 @@
    <strong>Friendly Reminder:</strong>
    <div class="privacy-concerns-text">
      The sharing system used by this video implies that some technical information about your system (such as a public IP address) can be accessed publicly.
-      <a title="Get more information" target="_blank" href="/about#p2p-privacy">More information</a>
+      <a title="Get more information" target="_blank" rel="noopener noreferrer" href="/about#p2p-privacy">More information</a>
    </div>

    <div class="privacy-concerns-okay" (click)="acceptedPrivacyConcern()">
--- a/client/src/app/videos/shared/markdown.service.ts
+++ b/client/src/app/videos/shared/markdown.service.ts
@ -52,18 +52,19 @@ export class MarkdownService {
      return self.renderToken(tokens, idx, options)
    }

-    markdownIt.renderer.rules.link_open = function (tokens, idx, options, env, self) {
-      // If you are sure other plugins can't add `target` - drop check below
-      const aIndex = tokens[idx].attrIndex('target')
+    markdownIt.renderer.rules.link_open = function (tokens, index, options, env, self) {
+      const token = tokens[index]

-      if (aIndex < 0) {
-        tokens[idx].attrPush(['target', '_blank']) // add new attribute
-      } else {
-        tokens[idx].attrs[aIndex][1] = '_blank'    // replace value of existing attr
-      }
+      const targetIndex = token.attrIndex('target')
+      if (targetIndex < 0) token.attrPush([ 'target', '_blank' ])
+      else token.attrs[targetIndex][1] = '_blank'
+
+      const relIndex = token.attrIndex('rel')
+      if (relIndex < 0) token.attrPush([ 'rel', 'noopener noreferrer' ])
+      else token.attrs[relIndex][1] = 'noopener noreferrer'

      // pass token to default renderer.
-      return defaultRender(tokens, idx, options, env, self)
+      return defaultRender(tokens, index, options, env, self)
    }
  }