authorChocobozzz <me@florianbigard.com>2018-03-19 18:30:28 +0100
committerChocobozzz <me@florianbigard.com>2018-03-19 18:30:28 +0100
commit632c5e3629c2432371bb6339ad883208bff64ac2 (patch)
tree4f82091729030ded18b888d5ed3524f49d701b11 /client/src/app/videos/shared
parent9af61e84309c23ffbfd7562435a5fadd86cdf20c (diff)
More secure target blank links
Diffstat (limited to 'client/src/app/videos/shared')
-rw-r--r--client/src/app/videos/shared/markdown.service.ts19
1 files changed, 10 insertions, 9 deletions
diff --git a/client/src/app/videos/shared/markdown.service.ts b/client/src/app/videos/shared/markdown.service.ts
index 9d73efa46..dd8ff20d8 100644
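--- a/client/src/app/videos/shared/markdown.service.ts
+++ b/client/src/app/videos/shared/markdown.service.ts
@@ -52,18 +52,19 @@ export class MarkdownService {
 return self.renderToken(tokens, idx, options)
 }
 
-markdownIt.renderer.rules.link_open = function (tokens, idx, options, env, self) {
-// If you are sure other plugins can't add `target` - drop check below
-const aIndex = tokens[idx].attrIndex('target')
+markdownIt.renderer.rules.link_open = function (tokens, index, options, env, self) {
+const token = tokens[index]
 
-if (aIndex < 0) {
-tokens[idx].attrPush(['target', '_blank']) // add new attribute
-} else {
-tokens[idx].attrs[aIndex][1] = '_blank' // replace value of existing attr
-}
+const targetIndex = token.attrIndex('target')
+if (targetIndex < 0) token.attrPush([ 'target', '_blank' ])
+else token.attrs[targetIndex][1] = '_blank'
+
+const relIndex = token.attrIndex('rel')
+if (relIndex < 0) token.attrPush([ 'rel', 'noopener noreferrer' ])
+else token.attrs[relIndex][1] = 'noopener noreferrer'
 
 // pass token to default renderer.
-return defaultRender(tokens, idx, options, env, self)
+return defaultRender(tokens, index, options, env, self)
 }
 }
 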
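Review bot: The new `rel` handling in `link_open` carries no comment saying why it is there, and the old explanatory comment was removed; a why-comment above the `relIndex` lookup would keep a later refactor from dropping it, e.g. `// target="_blank" exposes window.opener to the linked page; noopener noreferrer severs it and withholds the Referer header`. The rule only covers links that markdown-it emits as `link_open` tokens, so if the instance is created with raw HTML enabled (its construction is outside this hunk), a literal `<a target="_blank">` in user markdown would not pass through it — worth confirming. The `else` branch also overwrites any existing `rel` value rather than adding to it, which is safe for the opener case but discards tokens another rule may have set. The enclosing method begins above the hunk.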