Add rel=noreferrer to links in the URL field

When opened from the webapp, a malicious target page could trigger
navigation in KeeWeb's tab using `window.opener`.

The proper way to fix this would be using `rel=noopener`, but
unfortunately even the latest versions of IE do not support it.
At the same time `rel=noreferrer`, for historical reasons, implies
`rel=noopener` when used with `target=blank` and is supported
by IE11 (in later versions of Windows 10) and Edge.

More details and examples of the attack
at [Mathias Bynens' website](https://mathiasbynens.github.io/rel-noopener/).
sainaen 2017-07-24 23:34:01 +03:00
parent b730cbdc02
commit 7a99e42bde
No known key found for this signature in database
GPG Key ID: B07989D8986AC565
1 changed files with 1 additions and 1 deletions


@ -4,7 +4,7 @@ const FieldViewUrl = FieldViewText.extend({
displayUrlRegex: /^http:\/\//i,
renderValue: function(value) {
return value ? '<a href="' + _.escape(this.fixUrl(value)) + '" target="_blank">' + _.escape(this.displayUrl(value)) + '</a>' : '';
return value ? '<a href="' + _.escape(this.fixUrl(value)) + '" rel="noreferrer" target="_blank">' + _.escape(this.displayUrl(value)) + '</a>' : '';
},
fixUrl: function(url) {
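Review bot: The new `renderValue` line adds `rel="noreferrer"`, which severs `window.opener` as the commit message explains, but it also stops the Referer header being sent to the target site, a trade-off the commit message does not mention; consider `rel="noopener noreferrer"` so browsers that support `noopener` get the explicit attribute while IE keeps the `noreferrer` fallback. A one-line comment above the `return` stating why `noreferrer` was chosen over `noopener` (the IE support gap described in the message) would save the next reader a trip to the commit log.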