author | Chocobozzz <me@florianbigard.com> | 2018-03-19 18:30:28 +0100 |
committer | Chocobozzz <me@florianbigard.com> | 2018-03-19 18:30:28 +0100 |
commit | 632c5e3629c2432371bb6339ad883208bff64ac2 (patch) | |
tree | 4f82091729030ded18b888d5ed3524f49d701b11 | |
parent | 9af61e84309c23ffbfd7562435a5fadd86cdf20c (diff) | |
download | PeerTube-632c5e3629c2432371bb6339ad883208bff64ac2.tar.gz PeerTube-632c5e3629c2432371bb6339ad883208bff64ac2.tar.zst PeerTube-632c5e3629c2432371bb6339ad883208bff64ac2.zip |
More secure target blank links
6 files changed, 18 insertions, 15 deletions
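diff --git a/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html b/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html
index fcbdc6147..13a5b1117 100644
--- a/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html
+++ b/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html
@@ -19,13 +19,13 @@
 <tr>
 <td>{{ videoAbuse.reason }}</td>
 <td>
-<a [href]="videoAbuse.reporterAccount.url" title="Go to the account" target="_blank">
+<a [href]="videoAbuse.reporterAccount.url" title="Go to the account" target="_blank" rel="noopener noreferrer">
 {{ createByString(videoAbuse.reporterAccount) }}
 </a>
 </td>
 <td>{{ videoAbuse.createdAt }}</td>
 <td>
-<a [href]="videoAbuse.video.url" title="Go to the video" target="_blank">
+<a [href]="videoAbuse.video.url" title="Go to the video" target="_blank" rel="noopener noreferrer">
 {{ videoAbuse.video.name }}
 </a>
 </td>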
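diff --git a/client/src/app/shared/misc/help.component.ts b/client/src/app/shared/misc/help.component.ts
index a4a223cd6..19ac38b58 100644
--- a/client/src/app/shared/misc/help.component.ts
+++ b/client/src/app/shared/misc/help.component.ts
@@ -46,7 +46,8 @@ export class HelpComponent implements OnInit {
 }
 
 private formatMarkdownSupport (rules: string[]) {
-return '<a href="https://en.wikipedia.org/wiki/Markdown#Example" target="_blank">Markdown</a> compatible that supports:' +
+return '<a href="https://en.wikipedia.org/wiki/Markdown#Example" target="_blank" rel="noopener noreferrer">Markdown</a> ' +
+'compatible that supports:' +
 this.createMarkdownList(rules)
 }
 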
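Review bot: `formatMarkdownSupport` now returns an HTML fragment spread over two string literals, but nothing at the declaration says the result is markup rather than plain text; a short TSDoc would make that explicit, e.g. `/** Builds the HTML help blurb linking to the Markdown reference, followed by the list of supported rules. */`. Because the output is HTML, `createMarkdownList` (outside the hunk) is presumably where any escaping of `rules` would have to happen if they were ever not static strings, and that assumption is worth stating in the same comment.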
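diff --git a/client/src/app/videos/+video-watch/comment/video-comment.component.html b/client/src/app/videos/+video-watch/comment/video-comment.component.html
index 831ea0521..8a649e88f 100644
--- a/client/src/app/videos/+video-watch/comment/video-comment.component.html
+++ b/client/src/app/videos/+video-watch/comment/video-comment.component.html
@@ -5,7 +5,7 @@
 <div *ngIf="highlightedComment === true" class="highlighted-comment">Highlighted comment</div>
 
 <div class="comment-account-date">
-<a target="_blank" [href]="comment.account.url" class="comment-account">{{ comment.by }}</a>
+<a [href]="comment.account.url" target="_blank" rel="noopener noreferrer" class="comment-account">{{ comment.by }}</a>
 <a [routerLink]="['/videos/watch', video.uuid, { 'threadId': comment.threadId }]" class="comment-date">{{ comment.createdAt | myFromNow }}</a>
 </div>
 <div class="comment-html" [innerHTML]="sanitizedCommentHTML"></div>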
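diff --git a/client/src/app/videos/+video-watch/comment/video-comment.component.ts b/client/src/app/videos/+video-watch/comment/video-comment.component.ts
index cfcefed83..26fc9d0b8 100644
--- a/client/src/app/videos/+video-watch/comment/video-comment.component.ts
+++ b/client/src/app/videos/+video-watch/comment/video-comment.component.ts
@@ -107,7 +107,8 @@ export class VideoCommentComponent implements OnInit, OnChanges {
 return {
 tagName,
 attribs: Object.assign(attribs, {
-target: '_blank'
+target: '_blank',
+rel: 'noopener noreferrer'
 })
 }
 }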
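Review bot: `Object.assign(attribs, { … })` on the line before the new `rel` entry mutates the incoming attribute object instead of building a new one; the hunk does not show who owns `attribs`, but `attribs: { ...attribs, target: '_blank', rel: 'noopener noreferrer' }` produces the same result without side effects on the caller's object. The ordering is the security-relevant part — `target` and `rel` are applied after the original attributes, so a `rel` or `target` carried by the (presumably user-authored) comment HTML cannot weaken the hardened values — and a comment should say so, e.g. `// applied after attribs so author-supplied target/rel cannot override the hardened values`. The enclosing transform callback starts outside the hunk.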
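diff --git a/client/src/app/videos/+video-watch/video-watch.component.html b/client/src/app/videos/+video-watch/video-watch.component.html
index 6a7da0614..6c7fc08e1 100644
--- a/client/src/app/videos/+video-watch/video-watch.component.html
+++ b/client/src/app/videos/+video-watch/video-watch.component.html
@@ -183,7 +183,7 @@
 <strong>Friendly Reminder:</strong>
 <div class="privacy-concerns-text">
 The sharing system used by this video implies that some technical information about your system (such as a public IP address) can be accessed publicly.
-<a title="Get more information" target="_blank" href="/about#p2p-privacy">More information</a>
+<a title="Get more information" target="_blank" rel="noopener noreferrer" href="/about#p2p-privacy">More information</a>
 </div>
 
 <div class="privacy-concerns-okay" (click)="acceptedPrivacyConcern()">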
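diff --git a/client/src/app/videos/shared/markdown.service.ts b/client/src/app/videos/shared/markdown.service.ts
index 9d73efa46..dd8ff20d8 100644
--- a/client/src/app/videos/shared/markdown.service.ts
+++ b/client/src/app/videos/shared/markdown.service.ts
@@ -52,18 +52,19 @@ export class MarkdownService {
 return self.renderToken(tokens, idx, options)
 }
 
-markdownIt.renderer.rules.link_open = function (tokens, idx, options, env, self) {
-// If you are sure other plugins can't add `target` - drop check below
-const aIndex = tokens[idx].attrIndex('target')
+markdownIt.renderer.rules.link_open = function (tokens, index, options, env, self) {
+const token = tokens[index]
 
-if (aIndex < 0) {
-tokens[idx].attrPush(['target', '_blank']) // add new attribute
-} else {
-tokens[idx].attrs[aIndex][1] = '_blank' // replace value of existing attr
-}
+const targetIndex = token.attrIndex('target')
+if (targetIndex < 0) token.attrPush([ 'target', '_blank' ])
+else token.attrs[targetIndex][1] = '_blank'
+
+const relIndex = token.attrIndex('rel')
+if (relIndex < 0) token.attrPush([ 'rel', 'noopener noreferrer' ])
+else token.attrs[relIndex][1] = 'noopener noreferrer'
 
 // pass token to default renderer.
-return defaultRender(tokens, idx, options, env, self)
+return defaultRender(tokens, index, options, env, self)
 }
 }
 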
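Review bot: On the `else` branch for `rel`, `token.attrs[relIndex][1] = 'noopener noreferrer'` discards any rel tokens an earlier markdown-it rule or plugin already placed on the link (the removed comment in the old code pointed out that other plugins may add attributes), whereas merging keeps them while still guaranteeing the two hardening tokens are present. The same overwrite is applied to `target`, but there a single value is the only sensible outcome, so only `rel` needs the merge. The rule should also carry a one-line comment on why both attributes are forced, e.g. `// every rendered link opens in a new tab without handing the opener window or the referrer to the target`. The enclosing method of MarkdownService starts outside the hunk.
```typescript
const relIndex = token.attrIndex('rel')
const existingRel = relIndex < 0 ? [] : token.attrs[relIndex][1].split(/\s+/).filter(Boolean)
const rel = Array.from(new Set([ ...existingRel, 'noopener', 'noreferrer' ])).join(' ')
if (relIndex < 0) token.attrPush([ 'rel', rel ])
else token.attrs[relIndex][1] = rel
// … unchanged: pass token to default renderer …
```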