Add rel=noreferrer to links in the URL field
When opened from the webapp, a malicious target page could trigger navigation in KeeWeb's tab using `window.opener`. The proper way to fix this would be using `rel=noopener`, but unfortunately even the latest versions of IE do not support it. At the same time `rel=noreferrer`, for historical reasons, implies `rel=noopener` when used with `target=_blank` and is supported by IE11 (in later versions of Windows 10) and Edge. More details and examples of the attack at [Mathias Bynens' website](https://mathiasbynens.github.io/rel-noopener/).
parent
b730cbdc02
commit
7a99e42bde
@ -4,7 +4,7 @@ const FieldViewUrl = FieldViewText.extend({
|
|||
displayUrlRegex: /^http:\/\//i,
|
||||
|
||||
renderValue: function(value) {
|
||||
return value ? '<a href="' + _.escape(this.fixUrl(value)) + '" target="_blank">' + _.escape(this.displayUrl(value)) + '</a>' : '';
|
||||
return value ? '<a href="' + _.escape(this.fixUrl(value)) + '" rel="noreferrer" target="_blank">' + _.escape(this.displayUrl(value)) + '</a>' : '';
|
||||
},
|
||||
|
||||
fixUrl: function(url) {
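Review bot: The new `rel="noreferrer"` on the anchor stops a target page from navigating KeeWeb via `window.opener`, but `_.escape` on the `href` only neutralises HTML metacharacters and does not reject a `javascript:` scheme, so an entry whose URL field holds `javascript:...` would still run in KeeWeb's origin when the link is clicked, unless `fixUrl` restricts the scheme (its body continues past the hunk, so I cannot tell from here). A guard in `renderValue` would close that independently of what `fixUrl` does: `var href = this.fixUrl(value); if (!/^https?:\/\//i.test(href)) { return _.escape(this.displayUrl(value)); }` (widen the pattern if the field is meant to accept other schemes). The choice of `noreferrer` over `noopener` is not obvious from the code alone and is likely to be "simplified" back later; a why-comment above the return such as `// rel=noreferrer implies noopener on target=_blank and, unlike noopener, works in IE11/Edge` would preserve the reasoning given in the commit message.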
|
||||
|
|