
Commit f104586

committed
fix: anchor tag safety
Setting target="_blank" on anchor tags is unsafe unless used in conjunction with rel="noopener". This is a back-port of dd3afdc (#4789) to fix the problem in version 2.x. Signed-off-by: Miroslav Bajtoš <[email protected]>
1 parent c7439c7 commit f104586


2 files changed

+9
-9
lines changed


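--- a/src/main/template/main.handlebars
+++ b/src/main/template/main.handlebars
@@ -6,11 +6,11 @@
 <p>{{{sanitize externalDocs.description}}}</p>
 <a href="{{{escape externalDocs.url}}}" target="_blank">{{{escape externalDocs.url}}}</a>
 {{/if}}
-{{#if info.termsOfServiceUrl}}<div class="info_tos"><a target="_blank" href="{{{escape info.termsOfServiceUrl}}}" data-sw-translate>Terms of service</a></div>{{/if}}
+{{#if info.termsOfServiceUrl}}<div class="info_tos"><a target="_blank" rel="noopener noreferrer" href="{{{escape info.termsOfServiceUrl}}}" data-sw-translate>Terms of service</a></div>{{/if}}
 {{#if info.contact.name}}<div><div class='info_name' style="display: inline" data-sw-translate>Created by </div> {{{escape info.contact.name}}}</div>{{/if}}
-{{#if info.contact.url}}<div class='info_url' data-sw-translate>See more at <a href="{{{escape info.contact.url}}}">{{{escape info.contact.url}}}</a></div>{{/if}}
+{{#if info.contact.url}}<div class='info_url' data-sw-translate>See more at <a target="_blank" rel="noopener noreferrer" href="{{{escape info.contact.url}}}">{{{escape info.contact.url}}}</a></div>{{/if}}
 {{#if info.contact.email}}<div class='info_email'><a target="_parent" href="mailto:{{{escape info.contact.email}}}?subject={{{escape info.title}}}" data-sw-translate>Contact the developer</a></div>{{/if}}
-{{#if info.license}}<div class='info_license'><a target="_blank" href='{{{escape info.license.url}}}'>{{{escape info.license.name}}}</a></div>{{/if}}
+{{#if info.license}}<div class='info_license'><a target="_blank" rel="noopener noreferrer" href='{{{escape info.license.url}}}'>{{{escape info.license.name}}}</a></div>{{/if}}
 {{/if}}
 </div>
 <div class='container' id='resources_container'>
@@ -24,7 +24,7 @@
 , <span style="font-variant: small-caps" data-sw-translate>api version</span>: {{{escape info.version}}}
 {{/if}}]
 {{#if validatorUrl}}
-<span style="float:right"><a target="_blank" href="{{{escape validatorUrl}}}/debug?url={{{escape url}}}"><img id="validator" src="{{{escape validatorUrl}}}?url={{{escape url}}}"></a>
+<span style="float:right"><a target="_blank" rel="noopener noreferrer" href="{{{escape validatorUrl}}}/debug?url={{{escape url}}}"><img id="validator" src="{{{escape validatorUrl}}}?url={{{escape url}}}"></a>
 </span>
 {{/if}}
 </h4>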
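Review bot: The externalDocs anchor on line 7 of the first hunk (a context line) still has `target="_blank"` with no `rel` attribute, while the compiled src/main/template/templates.js in this same commit adds `rel="noopener noreferrer"` to that very anchor at its line 144, so the source template and the generated output now disagree and the next recompile of templates.js would silently drop the fix for that link. Change it to `<a href="{{{escape externalDocs.url}}}" target="_blank" rel="noopener noreferrer">{{{escape externalDocs.url}}}</a>` so both files stay in sync. The `mailto:` contact link on line 12 uses `target="_parent"` rather than opening a new browsing context, so it does not need the same attribute. `noreferrer` additionally suppresses the Referer header on these outbound links, which is a reasonable default for links to third-party documentation and validator hosts but is worth stating in the commit message.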

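--- a/src/main/template/templates.js
+++ b/src/main/template/templates.js
@@ -141,13 +141,13 @@ templates['main'] = template({"1":function(container,depth0,helpers,partials,dat
 + ((stack1 = (helpers.sanitize || (depth0 && depth0.sanitize) || alias2).call(alias1,((stack1 = (depth0 != null ? depth0.externalDocs : depth0)) != null ? stack1.description : stack1),{"name":"sanitize","hash":{},"data":data})) != null ? stack1 : "")
 + "</p>\n <a href=\""
 + ((stack1 = (helpers.escape || (depth0 && depth0.escape) || alias2).call(alias1,((stack1 = (depth0 != null ? depth0.externalDocs : depth0)) != null ? stack1.url : stack1),{"name":"escape","hash":{},"data":data})) != null ? stack1 : "")
-+ "\" target=\"_blank\">"
++ "\" target=\"_blank\" rel=\"noopener noreferrer\">"
 + ((stack1 = (helpers.escape || (depth0 && depth0.escape) || alias2).call(alias1,((stack1 = (depth0 != null ? depth0.externalDocs : depth0)) != null ? stack1.url : stack1),{"name":"escape","hash":{},"data":data})) != null ? stack1 : "")
 + "</a>\n";
 },"4":function(container,depth0,helpers,partials,data) {
 var stack1;
 
-return "<div class=\"info_tos\"><a target=\"_blank\" href=\""
+return "<div class=\"info_tos\"><a target=\"_blank\" rel=\"noopener noreferrer\" href=\""
 + ((stack1 = (helpers.escape || (depth0 && depth0.escape) || helpers.helperMissing).call(depth0 != null ? depth0 : {},((stack1 = (depth0 != null ? depth0.info : depth0)) != null ? stack1.termsOfServiceUrl : stack1),{"name":"escape","hash":{},"data":data})) != null ? stack1 : "")
 + "\" data-sw-translate>Terms of service</a></div>";
 },"6":function(container,depth0,helpers,partials,data) {
@@ -159,7 +159,7 @@ templates['main'] = template({"1":function(container,depth0,helpers,partials,dat
 },"8":function(container,depth0,helpers,partials,data) {
 var stack1, alias1=depth0 != null ? depth0 : {}, alias2=helpers.helperMissing;
 
-return "<div class='info_url' data-sw-translate>See more at <a href=\""
+return "<div class='info_url' data-sw-translate>See more at <a target=\"_blank\" rel=\"noopener noreferrer\" href=\""
 + ((stack1 = (helpers.escape || (depth0 && depth0.escape) || alias2).call(alias1,((stack1 = ((stack1 = (depth0 != null ? depth0.info : depth0)) != null ? stack1.contact : stack1)) != null ? stack1.url : stack1),{"name":"escape","hash":{},"data":data})) != null ? stack1 : "")
 + "\">"
 + ((stack1 = (helpers.escape || (depth0 && depth0.escape) || alias2).call(alias1,((stack1 = ((stack1 = (depth0 != null ? depth0.info : depth0)) != null ? stack1.contact : stack1)) != null ? stack1.url : stack1),{"name":"escape","hash":{},"data":data})) != null ? stack1 : "")
@@ -175,7 +175,7 @@ templates['main'] = template({"1":function(container,depth0,helpers,partials,dat
 },"12":function(container,depth0,helpers,partials,data) {
 var stack1, alias1=depth0 != null ? depth0 : {}, alias2=helpers.helperMissing;
 
-return "<div class='info_license'><a target=\"_blank\" href='"
+return "<div class='info_license'><a target=\"_blank\" rel=\"noopener noreferrer\" href='"
 + ((stack1 = (helpers.escape || (depth0 && depth0.escape) || alias2).call(alias1,((stack1 = ((stack1 = (depth0 != null ? depth0.info : depth0)) != null ? stack1.license : stack1)) != null ? stack1.url : stack1),{"name":"escape","hash":{},"data":data})) != null ? stack1 : "")
 + "'>"
 + ((stack1 = (helpers.escape || (depth0 && depth0.escape) || alias2).call(alias1,((stack1 = ((stack1 = (depth0 != null ? depth0.info : depth0)) != null ? stack1.license : stack1)) != null ? stack1.name : stack1),{"name":"escape","hash":{},"data":data})) != null ? stack1 : "")
@@ -189,7 +189,7 @@ templates['main'] = template({"1":function(container,depth0,helpers,partials,dat
 },"16":function(container,depth0,helpers,partials,data) {
 var stack1, alias1=depth0 != null ? depth0 : {}, alias2=helpers.helperMissing;
 
-return " <span style=\"float:right\"><a target=\"_blank\" href=\""
+return " <span style=\"float:right\"><a target=\"_blank\" rel=\"noopener noreferrer\" href=\""
 + ((stack1 = (helpers.escape || (depth0 && depth0.escape) || alias2).call(alias1,(depth0 != null ? depth0.validatorUrl : depth0),{"name":"escape","hash":{},"data":data})) != null ? stack1 : "")
 + "/debug?url="
 + ((stack1 = (helpers.escape || (depth0 && depth0.escape) || alias2).call(alias1,(depth0 != null ? depth0.url : depth0),{"name":"escape","hash":{},"data":data})) != null ? stack1 : "")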
