Merge branch 'fix-target-blank-vulnerability' into 'master'

Prevent target='_blank' vulnerability on dynamic link

This merge request refere to https://tt-rss.org/forum/viewtopic.php?f=8&t=4048

It fix the issue I enconter on some feeds I follow.
Just need to add "noopener" and "noreferrer" on "_blank" link to avoid the vulnerability.

See merge request !46
This commit is contained in:
Andrew Dolgov 2017-02-12 14:19:37 +03:00
commit 3891782cf5
6 changed files with 25 additions and 23 deletions

View file

@ -398,7 +398,7 @@ class Feeds extends Handler_Protected {
alt=\"Publish article\" onclick='togglePub($id)'>"; alt=\"Publish article\" onclick='togglePub($id)'>";
} }
# $content_link = "<a target=\"_blank\" href=\"".$line["link"]."\">" . # $content_link = "<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"".$line["link"]."\">" .
# $line["title"] . "</a>"; # $line["title"] . "</a>";
# $content_link = "<a # $content_link = "<a
@ -616,7 +616,7 @@ class Feeds extends Handler_Protected {
class=\"titleWrap $hlc_suffix\"> class=\"titleWrap $hlc_suffix\">
<a class=\"title $hlc_suffix\" <a class=\"title $hlc_suffix\"
title=\"".htmlspecialchars($line["title"])."\" title=\"".htmlspecialchars($line["title"])."\"
target=\"_blank\" href=\"". target=\"_blank\" rel=\"noopener noreferrer\" href=\"".
htmlspecialchars($line["link"])."\">". htmlspecialchars($line["link"])."\">".
$line["title"] . $line["title"] .
"</a> <span class=\"author\">$entry_author</span>"; "</a> <span class=\"author\">$entry_author</span>";
@ -691,13 +691,13 @@ class Feeds extends Handler_Protected {
$tmp_line = $this->dbh->fetch_assoc($tmp_result); $tmp_line = $this->dbh->fetch_assoc($tmp_result);
$reply['content'] .= "<a target='_blank' $reply['content'] .= "<a target='_blank' rel='noopener noreferrer'
href=' " . htmlspecialchars($tmp_line['site_url']) . "'>" . href=' " . htmlspecialchars($tmp_line['site_url']) . "'>" .
$tmp_line['title'] . "</a>"; $tmp_line['title'] . "</a>";
$reply['content'] .= "&nbsp;"; $reply['content'] .= "&nbsp;";
$reply['content'] .= "<a target='_blank' href='" . htmlspecialchars($tmp_line['feed_url']) . "'>"; $reply['content'] .= "<a target='_blank' rel='noopener noreferrer' href='" . htmlspecialchars($tmp_line['feed_url']) . "'>";
$reply['content'] .= "<img title='".__('Feed URL')."'class='tinyFeedIcon' src='images/pub_unset.png'></a>"; $reply['content'] .= "<img title='".__('Feed URL')."'class='tinyFeedIcon' src='images/pub_unset.png'></a>";
$reply['content'] .= "</div>"; $reply['content'] .= "</div>";
@ -746,12 +746,12 @@ class Feeds extends Handler_Protected {
$comments_url = htmlspecialchars($line["link"]); $comments_url = htmlspecialchars($line["link"]);
} }
$entry_comments = "<a class=\"postComments\" $entry_comments = "<a class=\"postComments\"
target='_blank' href=\"$comments_url\">$num_comments ". target='_blank' rel='noopener noreferrer' href=\"$comments_url\">$num_comments ".
_ngettext("comment", "comments", $num_comments)."</a>"; _ngettext("comment", "comments", $num_comments)."</a>";
} else { } else {
if ($line["comments"] && $line["link"] != $line["comments"]) { if ($line["comments"] && $line["link"] != $line["comments"]) {
$entry_comments = "<a class=\"postComments\" target='_blank' href=\"".htmlspecialchars($line["comments"])."\">".__("comments")."</a>"; $entry_comments = "<a class=\"postComments\" target='_blank' rel='noopener noreferrer' href=\"".htmlspecialchars($line["comments"])."\">".__("comments")."</a>";
} }
} }

View file

@ -776,7 +776,7 @@ class Pref_Prefs extends Handler_Protected {
print "<td><label><img src='images/$plugin_icon' alt=''> $name</label></td>"; print "<td><label><img src='images/$plugin_icon' alt=''> $name</label></td>";
print "<td>" . htmlspecialchars($about[1]); print "<td>" . htmlspecialchars($about[1]);
if (@$about[4]) { if (@$about[4]) {
print " &mdash; <a target=\"_blank\" class=\"visibleLink\" print " &mdash; <a target=\"_blank\" rel=\"noopener noreferrer\" class=\"visibleLink\"
href=\"".htmlspecialchars($about[4])."\">".__("more info")."</a>"; href=\"".htmlspecialchars($about[4])."\">".__("more info")."</a>";
} }
print "</td>"; print "</td>";
@ -835,7 +835,7 @@ class Pref_Prefs extends Handler_Protected {
print "<td><label for='FPCHK-$name'><img src='images/$plugin_icon' alt=''> $name</label></td>"; print "<td><label for='FPCHK-$name'><img src='images/$plugin_icon' alt=''> $name</label></td>";
print "<td><label for='FPCHK-$name'>" . htmlspecialchars($about[1]) . "</label>"; print "<td><label for='FPCHK-$name'>" . htmlspecialchars($about[1]) . "</label>";
if (@$about[4]) { if (@$about[4]) {
print " &mdash; <a target=\"_blank\" class=\"visibleLink\" print " &mdash; <a target=\"_blank\" rel=\"noopener noreferrer\" class=\"visibleLink\"
href=\"".htmlspecialchars($about[4])."\">".__("more info")."</a>"; href=\"".htmlspecialchars($about[4])."\">".__("more info")."</a>";
} }
print "</td>"; print "</td>";

View file

@ -59,12 +59,12 @@
$class = ($feedctr % 2) ? "even" : "odd"; $class = ($feedctr % 2) ? "even" : "odd";
$site_url = "<a target=\"_blank\" $site_url = "<a target=\"_blank\" rel=\"noopener noreferrer\"
href=\"$site_url\"> href=\"$site_url\">
<span class=\"fb_feedTitle\">". <span class=\"fb_feedTitle\">".
htmlspecialchars($line["title"])."</span></a>"; htmlspecialchars($line["title"])."</span></a>";
$feed_url = "<a target=\"_blank\" class=\"fb_feedUrl\" $feed_url = "<a target=\"_blank\" rel=\"noopener noreferrer\" class=\"fb_feedUrl\"
href=\"$feed_url\"><img src='images/pub_set.png' href=\"$feed_url\"><img src='images/pub_set.png'
style='vertical-align : middle'></a>"; style='vertical-align : middle'></a>";
@ -87,12 +87,12 @@
$archived = ''; $archived = '';
} }
$site_url = "<a target=\"_blank\" $site_url = "<a target=\"_blank\" rel=\"noopener noreferrer\"
href=\"$site_url\"> href=\"$site_url\">
<span class=\"fb_feedTitle\">". <span class=\"fb_feedTitle\">".
htmlspecialchars($line["title"])."</span></a>"; htmlspecialchars($line["title"])."</span></a>";
$feed_url = "<a target=\"_blank\" class=\"fb_feedUrl\" $feed_url = "<a target=\"_blank\" rel=\"noopener noreferrer\" class=\"fb_feedUrl\"
href=\"$feed_url\"><img src='images/pub_set.png' href=\"$feed_url\"><img src='images/pub_set.png'
style='vertical-align : middle'></a>"; style='vertical-align : middle'></a>";

View file

@ -955,6 +955,7 @@
$a->appendChild(new DOMText($entry->getAttribute('src'))); $a->appendChild(new DOMText($entry->getAttribute('src')));
$a->setAttribute('target', '_blank'); $a->setAttribute('target', '_blank');
$a->setAttribute('rel', 'noopener noreferrer');
$p->appendChild($a); $p->appendChild($a);
@ -964,6 +965,7 @@
if (strtolower($entry->nodeName) == "a") { if (strtolower($entry->nodeName) == "a") {
$entry->setAttribute("target", "_blank"); $entry->setAttribute("target", "_blank");
$entry->setAttribute("rel", "noopener noreferrer");
} }
} }
@ -1249,7 +1251,7 @@
</object>"; </object>";
} }
if ($entry) $entry .= "&nbsp; <a target=\"_blank\" if ($entry) $entry .= "&nbsp; <a target=\"_blank\" rel=\"noopener noreferrer\"
href=\"$url\">" . basename($url) . "</a>"; href=\"$url\">" . basename($url) . "</a>";
return $entry; return $entry;
@ -1260,7 +1262,7 @@
/* $filename = substr($url, strrpos($url, "/")+1); /* $filename = substr($url, strrpos($url, "/")+1);
$entry .= " <a target=\"_blank\" href=\"" . htmlspecialchars($url) . "\">" . $entry .= " <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"" . htmlspecialchars($url) . "\">" .
$filename . " (" . $ctype . ")" . "</a>"; */ $filename . " (" . $ctype . ")" . "</a>"; */
} }
@ -1332,12 +1334,12 @@
$comments_url = htmlspecialchars($line["link"]); $comments_url = htmlspecialchars($line["link"]);
} }
$entry_comments = "<a class=\"postComments\" $entry_comments = "<a class=\"postComments\"
target='_blank' href=\"$comments_url\">$num_comments ". target='_blank' rel=\"noopener noreferrer\" href=\"$comments_url\">$num_comments ".
_ngettext("comment", "comments", $num_comments)."</a>"; _ngettext("comment", "comments", $num_comments)."</a>";
} else { } else {
if ($line["comments"] && $line["link"] != $line["comments"]) { if ($line["comments"] && $line["link"] != $line["comments"]) {
$entry_comments = "<a class=\"postComments\" target='_blank' href=\"".htmlspecialchars($line["comments"])."\">".__("comments")."</a>"; $entry_comments = "<a class=\"postComments\" target='_blank' rel=\"noopener noreferrer\" href=\"".htmlspecialchars($line["comments"])."\">".__("comments")."</a>";
} }
} }
@ -1373,7 +1375,7 @@
$rv['content'] .= "<div class=\"postDate\">$parsed_updated</div>"; $rv['content'] .= "<div class=\"postDate\">$parsed_updated</div>";
if ($line["link"]) { if ($line["link"]) {
$rv['content'] .= "<div class='postTitle'><a target='_blank' $rv['content'] .= "<div class='postTitle'><a target='_blank' rel='noopener noreferrer'
title=\"".htmlspecialchars($line['title'])."\" title=\"".htmlspecialchars($line['title'])."\"
href=\"" . href=\"" .
htmlspecialchars($line["link"]) . "\">" . htmlspecialchars($line["link"]) . "\">" .
@ -1442,13 +1444,13 @@
$tmp_line = db_fetch_assoc($tmp_result); $tmp_line = db_fetch_assoc($tmp_result);
$rv['content'] .= "<a target='_blank' $rv['content'] .= "<a target='_blank' rel='noopener noreferrer'
href=' " . htmlspecialchars($tmp_line['site_url']) . "'>" . href=' " . htmlspecialchars($tmp_line['site_url']) . "'>" .
$tmp_line['title'] . "</a>"; $tmp_line['title'] . "</a>";
$rv['content'] .= "&nbsp;"; $rv['content'] .= "&nbsp;";
$rv['content'] .= "<a target='_blank' href='" . htmlspecialchars($tmp_line['feed_url']) . "'>"; $rv['content'] .= "<a target='_blank' rel='noopener noreferrer' href='" . htmlspecialchars($tmp_line['feed_url']) . "'>";
$rv['content'] .= "<img title='".__('Feed URL')."' class='tinyFeedIcon' src='images/pub_set.png'></a>"; $rv['content'] .= "<img title='".__('Feed URL')."' class='tinyFeedIcon' src='images/pub_set.png'></a>";
$rv['content'] .= "</div>"; $rv['content'] .= "</div>";
@ -1957,7 +1959,7 @@
if ($player) array_push($entries_inline, $player); if ($player) array_push($entries_inline, $player);
# $entry .= " <a target=\"_blank\" href=\"" . htmlspecialchars($url) . "\">" . # $entry .= " <a target=\"_blank\" href=\"" . htmlspecialchars($url) . "\" rel=\"noopener noreferrer\">" .
# $filename . " (" . $ctype . ")" . "</a>"; # $filename . " (" . $ctype . ")" . "</a>";
$entry = "<div onclick=\"openUrlPopup('".htmlspecialchars($url)."')\" $entry = "<div onclick=\"openUrlPopup('".htmlspecialchars($url)."')\"
@ -2005,7 +2007,7 @@
src=\"" .htmlspecialchars($entry["url"]) . "\" src=\"" .htmlspecialchars($entry["url"]) . "\"
" . $encsize . " /></p>"; " . $encsize . " /></p>";
} else { } else {
$rv .= "<p><a target=\"_blank\" $rv .= "<p><a target=\"_blank\" rel=\"noopener noreferrer\"
href=\"".htmlspecialchars($entry["url"])."\" href=\"".htmlspecialchars($entry["url"])."\"
>" .htmlspecialchars($entry["url"]) . "</a></p>"; >" .htmlspecialchars($entry["url"]) . "</a></p>";
} }

View file

@ -85,7 +85,7 @@ class Af_Psql_Trgm extends Plugin {
style='vertical-align : middle'>"; style='vertical-align : middle'>";
$article_link = htmlspecialchars($line["link"]); $article_link = htmlspecialchars($line["link"]);
print " <a target=\"_blank\" href=\"$article_link\">". print " <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"$article_link\">".
$line["title"]."</a>"; $line["title"]."</a>";
print " (<a href=\"#\" onclick=\"viewfeed({feed:".$line["feed_id"]."})\">". print " (<a href=\"#\" onclick=\"viewfeed({feed:".$line["feed_id"]."})\">".

View file

@ -100,7 +100,7 @@ class Share extends Plugin {
$url_path .= "/public.php?op=share&key=$uuid"; $url_path .= "/public.php?op=share&key=$uuid";
print "<div class=\"tagCloudContainer\">"; print "<div class=\"tagCloudContainer\">";
print "<a id='gen_article_url' href='$url_path' target='_blank'>$url_path</a>"; print "<a id='gen_article_url' href='$url_path' target='_blank' rel='noopener noreferrer'>$url_path</a>";
print "</div>"; print "</div>";
/* if (!label_find_id(__('Shared'), $_SESSION["uid"])) /* if (!label_find_id(__('Shared'), $_SESSION["uid"]))