authorChocobozzz <me@florianbigard.com>2018-03-19 18:30:28 +0100
committerChocobozzz <me@florianbigard.com>2018-03-19 18:30:28 +0100
commit632c5e3629c2432371bb6339ad883208bff64ac2 (patch)
tree4f82091729030ded18b888d5ed3524f49d701b11
parent9af61e84309c23ffbfd7562435a5fadd86cdf20c (diff)
More secure target blank links
-rw-r--r--client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html4
-rw-r--r--client/src/app/shared/misc/help.component.ts3
-rw-r--r--client/src/app/videos/+video-watch/comment/video-comment.component.html2
-rw-r--r--client/src/app/videos/+video-watch/comment/video-comment.component.ts3
-rw-r--r--client/src/app/videos/+video-watch/video-watch.component.html2
-rw-r--r--client/src/app/videos/shared/markdown.service.ts19
6 files changed, 18 insertions, 15 deletions
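diff --git a/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html b/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html
index fcbdc6147..13a5b1117 100644
--- a/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html
+++ b/client/src/app/+admin/video-abuses/video-abuse-list/video-abuse-list.component.html
@@ -19,13 +19,13 @@
 <tr>
 <td>{{ videoAbuse.reason }}</td>
 <td>
-<a [href]="videoAbuse.reporterAccount.url" title="Go to the account" target="_blank">
+<a [href]="videoAbuse.reporterAccount.url" title="Go to the account" target="_blank" rel="noopener noreferrer">
 {{ createByString(videoAbuse.reporterAccount) }}
 </a>
 </td>
 <td>{{ videoAbuse.createdAt }}</td>
 <td>
-<a [href]="videoAbuse.video.url" title="Go to the video" target="_blank">
+<a [href]="videoAbuse.video.url" title="Go to the video" target="_blank" rel="noopener noreferrer">
 {{ videoAbuse.video.name }}
 </a>
 </td>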
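Review bot: Both links on the changed lines point at URLs that originate on other instances (`videoAbuse.reporterAccount.url`, `videoAbuse.video.url`), so this is the page where the hardening matters most — an abuse report is the one place a remote party gets to put an arbitrary URL in front of an admin. As far as I know Angular's `[href]` property binding is URL-sanitized (a `javascript:` value is rewritten to `unsafe:javascript:`), so the remaining vector was `window.opener` access from the opened page, which `rel="noopener"` closes; `noreferrer` additionally keeps the admin page URL out of the Referer sent to the remote instance, a sensible choice for a moderation view. It would be worth recording that intent in the template so the attributes are not dropped in a later cleanup, e.g. `<!-- reporterAccount.url / video.url are remote-supplied: keep target=_blank with rel=noopener noreferrer -->`.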
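diff --git a/client/src/app/shared/misc/help.component.ts b/client/src/app/shared/misc/help.component.ts
index a4a223cd6..19ac38b58 100644
--- a/client/src/app/shared/misc/help.component.ts
+++ b/client/src/app/shared/misc/help.component.ts
@@ -46,7 +46,8 @@ export class HelpComponent implements OnInit {
 }
 
 private formatMarkdownSupport (rules: string[]) {
-return '<a href="https://en.wikipedia.org/wiki/Markdown#Example" target="_blank">Markdown</a> compatible that supports:' +
+return '<a href="https://en.wikipedia.org/wiki/Markdown#Example" target="_blank" rel="noopener noreferrer">Markdown</a> ' +
+'compatible that supports:' +
 this.createMarkdownList(rules)
 }
 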
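diff --git a/client/src/app/videos/+video-watch/comment/video-comment.component.html b/client/src/app/videos/+video-watch/comment/video-comment.component.html
index 831ea0521..8a649e88f 100644
--- a/client/src/app/videos/+video-watch/comment/video-comment.component.html
+++ b/client/src/app/videos/+video-watch/comment/video-comment.component.html
@@ -5,7 +5,7 @@
 <div *ngIf="highlightedComment === true" class="highlighted-comment">Highlighted comment</div>
 
 <div class="comment-account-date">
-<a target="_blank" [href]="comment.account.url" class="comment-account">{{ comment.by }}</a>
+<a [href]="comment.account.url" target="_blank" rel="noopener noreferrer" class="comment-account">{{ comment.by }}</a>
 <a [routerLink]="['/videos/watch', video.uuid, { 'threadId': comment.threadId }]" class="comment-date">{{ comment.createdAt | myFromNow }}</a>
 </div>
 <div class="comment-html" [innerHTML]="sanitizedCommentHTML"></div>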
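diff --git a/client/src/app/videos/+video-watch/comment/video-comment.component.ts b/client/src/app/videos/+video-watch/comment/video-comment.component.ts
index cfcefed83..26fc9d0b8 100644
--- a/client/src/app/videos/+video-watch/comment/video-comment.component.ts
+++ b/client/src/app/videos/+video-watch/comment/video-comment.component.ts
@@ -107,7 +107,8 @@ export class VideoCommentComponent implements OnInit, OnChanges {
 return {
 tagName,
 attribs: Object.assign(attribs, {
-target: '_blank'
+target: '_blank',
+rel: 'noopener noreferrer'
 })
 }
 }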
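Review bot: `Object.assign(attribs, …)` mutates the `attribs` object the sanitizer hands in instead of building a new one; a spread literal, `attribs: { ...attribs, target: '_blank', rel: 'noopener noreferrer' }`, yields the same result without the side effect and reads more clearly as "force these two attributes". Overwriting rather than merging `rel` is the right call at this site, because `attribs` comes from commenter-written content and a user-supplied `rel` (for example `opener`) must not survive. Whether `href` is restricted to safe schemes (no `javascript:`) depends on the sanitizer's scheme configuration, which lives outside this hunk; the enclosing function also starts before the hunk, so I could not confirm it here.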
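diff --git a/client/src/app/videos/+video-watch/video-watch.component.html b/client/src/app/videos/+video-watch/video-watch.component.html
index 6a7da0614..6c7fc08e1 100644
--- a/client/src/app/videos/+video-watch/video-watch.component.html
+++ b/client/src/app/videos/+video-watch/video-watch.component.html
@@ -183,7 +183,7 @@
 <strong>Friendly Reminder:</strong>
 <div class="privacy-concerns-text">
 The sharing system used by this video implies that some technical information about your system (such as a public IP address) can be accessed publicly.
-<a title="Get more information" target="_blank" href="/about#p2p-privacy">More information</a>
+<a title="Get more information" target="_blank" rel="noopener noreferrer" href="/about#p2p-privacy">More information</a>
 </div>
 
 <div class="privacy-concerns-okay" (click)="acceptedPrivacyConcern()">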
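diff --git a/client/src/app/videos/shared/markdown.service.ts b/client/src/app/videos/shared/markdown.service.ts
index 9d73efa46..dd8ff20d8 100644
--- a/client/src/app/videos/shared/markdown.service.ts
+++ b/client/src/app/videos/shared/markdown.service.ts
@@ -52,18 +52,19 @@ export class MarkdownService {
 return self.renderToken(tokens, idx, options)
 }
 
-markdownIt.renderer.rules.link_open = function (tokens, idx, options, env, self) {
-// If you are sure other plugins can't add `target` - drop check below
-const aIndex = tokens[idx].attrIndex('target')
+markdownIt.renderer.rules.link_open = function (tokens, index, options, env, self) {
+const token = tokens[index]
 
-if (aIndex < 0) {
-tokens[idx].attrPush(['target', '_blank']) // add new attribute
-} else {
-tokens[idx].attrs[aIndex][1] = '_blank' // replace value of existing attr
-}
+const targetIndex = token.attrIndex('target')
+if (targetIndex < 0) token.attrPush([ 'target', '_blank' ])
+else token.attrs[targetIndex][1] = '_blank'
+
+const relIndex = token.attrIndex('rel')
+if (relIndex < 0) token.attrPush([ 'rel', 'noopener noreferrer' ])
+else token.attrs[relIndex][1] = 'noopener noreferrer'
 
 // pass token to default renderer.
-return defaultRender(tokens, idx, options, env, self)
+return defaultRender(tokens, index, options, env, self)
 }
 }
 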
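Review bot: The `else` branch on new line 64 overwrites whatever `rel` the token already carries, so a `rel="nofollow"` added by another markdown-it plugin would be silently lost; appending is safer, `else token.attrs[relIndex][1] = token.attrs[relIndex][1] + ' noopener noreferrer'` (duplicate tokens in a `rel` list are harmless). The `target` and `rel` blocks are now the same three-line pattern twice; a small `setAttr(name, value)` closure over `token` inside the rule would remove the duplication. Note that this rule only sees links markdown-it itself emits — a raw `<a target="_blank">` written in the source would bypass it if the parser's `html` option is on, and rejecting `javascript:` hrefs is left to markdown-it's `validateLink`; both are configured outside this hunk, so I could not confirm them here. The enclosing `MarkdownService` method starts before the hunk.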