
Commit 75a23fe

committed
Add rel="noopener" to target="_blank" links
The noopener construct protects from some nasty clickjacking attacks. We can apply it safely to all our links since we do not rely on the previously used page. Some more details: https://mathiasbynens.github.io/rel-noopener/ Signed-off-by: Sheogorath <[email protected]>
1 parent d9ba11b commit 75a23fe


5 files changed

+15
-13
lines changed


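--- a/public/js/extra.js
+++ b/public/js/extra.js
@@ -570,7 +570,9 @@ export function postProcess (code) {
 $(value).html(html)
 })
 // link should open in new window or tab
-result.find('a:not([href^="#"]):not([target])').attr('target', '_blank')
+// also add noopener to prevent clickjacking
+// See details: https://mathiasbynens.github.io/rel-noopener/
+result.find('a:not([href^="#"]):not([target])').attr('target', '_blank').attr('rel', 'noopener')
 // update continue line numbers
 const linenumberdivs = result.find('.gutter.linenumber').toArray()
 for (let i = 0; i < linenumberdivs.length; i++) {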
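Review bot: The new comment `// also add noopener to prevent clickjacking` at line 573 misnames the threat: `rel="noopener"` denies the opened page a `window.opener` reference, which is the reverse-tabnabbing problem the linked article describes, not clickjacking, so the comment should read `// also add rel="noopener" so the opened page gets no window.opener handle (reverse tabnabbing)`. A second point is that `.attr('rel', 'noopener')` replaces whatever `rel` value the anchor already carries instead of appending to it, so if the markdown renderer or a user ever sets `rel` on a link that has no `target`, that value is silently dropped; `.attr('rel', (_, rel) => (rel ? rel + ' noopener' : 'noopener'))` keeps it. Browsers that predate `noopener` support ignore the token, so if such browsers are in scope the usual fallback value is `'noopener noreferrer'`. postProcess starts and ends outside the hunk.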

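--- a/public/views/codimd/body.ejs
+++ b/public/views/codimd/body.ejs
@@ -113,7 +113,7 @@
 </div>
 <div class="modal-body" style="color:black;">
 <h5></h5>
-<a target="_blank" style="word-break: break-all;"></a>
+<a target="_blank" rel="noopener" style="word-break: break-all;"></a>
 </div>
 <div class="modal-footer">
 <button type="button" class="btn btn-default" data-dismiss="modal"><%= __('OK') %></button>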

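--- a/public/views/codimd/header.ejs
+++ b/public/views/codimd/header.ejs
@@ -22,23 +22,23 @@
 <i class="fa fa-caret-down"></i>
 </a>
 <ul class="dropdown-menu list" role="menu" aria-labelledby="menu">
-<li role="presentation"><a role="menuitem" class="ui-new" tabindex="-1" href="<%- url %>/new" target="_blank"><i class="fa fa-plus fa-fw"></i> <%= __('New') %></a>
+<li role="presentation"><a role="menuitem" class="ui-new" tabindex="-1" href="<%- url %>/new" target="_blank" rel="noopener"><i class="fa fa-plus fa-fw"></i> <%= __('New') %></a>
 </li>
-<li role="presentation"><a role="menuitem" class="ui-publish" tabindex="-1" href="#" target="_blank"><i class="fa fa-share-square-o fa-fw"></i> <%= __('Publish') %></a>
+<li role="presentation"><a role="menuitem" class="ui-publish" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-share-square-o fa-fw"></i> <%= __('Publish') %></a>
 </li>
 <li class="divider"></li>
 <li class="dropdown-header"><%= __('Extra') %></li>
 <li role="presentation"><a role="menuitem" class="ui-extra-revision" tabindex="-1" data-toggle="modal" data-target="#revisionModal"><i class="fa fa-history fa-fw"></i> <%= __('Revision') %></a>
 </li>
-<li role="presentation"><a role="menuitem" class="ui-extra-slide" tabindex="-1" href="#" target="_blank"><i class="fa fa-tv fa-fw"></i> <%= __('Slide Mode') %></a>
+<li role="presentation"><a role="menuitem" class="ui-extra-slide" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-tv fa-fw"></i> <%= __('Slide Mode') %></a>
 </li>
 <% if((typeof github !== 'undefined' && github) || (typeof dropbox !== 'undefined' && dropbox) || (typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api'))) { %>
 <li class="divider"></li>
 <li class="dropdown-header"><%= __('Export') %></li>
 <li role="presentation"><a role="menuitem" class="ui-save-dropbox" tabindex="-1" href="#" target="_self"><i class="fa fa-dropbox fa-fw"></i> Dropbox</a>
 </li>
 <% if(typeof github !== 'undefined' && github) { %>
-<li role="presentation"><a role="menuitem" class="ui-save-gist" tabindex="-1" href="#" target="_blank"><i class="fa fa-github fa-fw"></i> Gist</a>
+<li role="presentation"><a role="menuitem" class="ui-save-gist" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-github fa-fw"></i> Gist</a>
 </li>
 <% } %>
 <% if(typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api')) { %>
@@ -115,12 +115,12 @@
 </ul>
 <ul class="nav navbar-nav navbar-right" style="padding:0;">
 <li>
-<a href="<%- url %>/new" target="_blank" class="ui-new">
+<a href="<%- url %>/new" target="_blank" rel="noopener" class="ui-new">
 <i class="fa fa-plus"></i> <%= __('New') %>
 </a>
 </li>
 <li>
-<a href="#" target="_blank" class="ui-publish">
+<a href="#" target="_blank" rel="noopener" class="ui-publish">
 <i class="fa fa-share-square-o"></i> <%= __('Publish') %>
 </a>
 </li>
@@ -132,15 +132,15 @@
 <li class="dropdown-header"><%= __('Extra') %></li>
 <li role="presentation"><a role="menuitem" class="ui-extra-revision" tabindex="-1" data-toggle="modal" data-target="#revisionModal"><i class="fa fa-history fa-fw"></i> <%= __('Revision') %></a>
 </li>
-<li role="presentation"><a role="menuitem" class="ui-extra-slide" tabindex="-1" href="#" target="_blank"><i class="fa fa-tv fa-fw"></i> <%= __('Slide Mode') %></a>
+<li role="presentation"><a role="menuitem" class="ui-extra-slide" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-tv fa-fw"></i> <%= __('Slide Mode') %></a>
 </li>
 <% if((typeof github !== 'undefined' && github) || (typeof dropbox !== 'undefined' && dropbox) || (typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api'))) { %>
 <li class="divider"></li>
 <li class="dropdown-header"><%= __('Export') %></li>
 <li role="presentation"><a role="menuitem" class="ui-save-dropbox" tabindex="-1" href="#" target="_self"><i class="fa fa-dropbox fa-fw"></i> Dropbox</a>
 </li>
 <% if(typeof github !== 'undefined' && github) { %>
-<li role="presentation"><a role="menuitem" class="ui-save-gist" tabindex="-1" href="#" target="_blank"><i class="fa fa-github fa-fw"></i> Gist</a>
+<li role="presentation"><a role="menuitem" class="ui-save-gist" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-github fa-fw"></i> Gist</a>
 </li>
 <% } %>
 <% if(typeof gitlab !== 'undefined' && gitlab && (!gitlab.scope || gitlab.scope === 'api')) { %>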

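--- a/public/views/index/body.ejs
+++ b/public/views/index/body.ejs
@@ -150,10 +150,10 @@
 <option value="id">Bahasa Indonesia</option>
 </select>
 <p>
-Powered by <a href="https://codimd.org">CodiMD</a> | <a href="<%- url %>/s/release-notes" target="_blank"><%= __('Releases') %></a><% if(privacyStatement) { %> | <a href="<%- url %>/s/privacy" target="_blank"><%= __('Privacy') %></a><% } %><% if(termsOfUse) { %> | <a href="<%- url %>/s/terms-of-use" target="_blank"><%= __('Terms of Use') %></a><% } %>
+Powered by <a href="https://codimd.org">CodiMD</a> | <a href="<%- url %>/s/release-notes" target="_blank" rel="noopener"><%= __('Releases') %></a><% if(privacyStatement) { %> | <a href="<%- url %>/s/privacy" target="_blank" rel="noopener"><%= __('Privacy') %></a><% } %><% if(termsOfUse) { %> | <a href="<%- url %>/s/terms-of-use" target="_blank" rel="noopener"><%= __('Terms of Use') %></a><% } %>
 </p>
 <h6 class="social-foot">
-<%- __('Follow us on %s and %s.', '<a href="https://github.com/hackmdio/CodiMD" target="_blank"><i class="fa fa-github"></i> GitHub</a>, <a href="https://riot.im/app/#/room/#codimd:matrix.org" target="_blank"><i class="fa fa-comments"></i> Riot</a>', '<a href="https://translate.codimd.org" target="_blank"><i class="fa fa-globe"></i> POEditor</a>') %>
+<%- __('Follow us on %s and %s.', '<a href="https://github.com/hackmdio/CodiMD" target="_blank" rel="noopener"><i class="fa fa-github"></i> GitHub</a>, <a href="https://riot.im/app/#/room/#codimd:matrix.org" target="_blank" rel="noopener"><i class="fa fa-comments"></i> Riot</a>', '<a href="https://translate.codimd.org" target="_blank" rel="noopener"><i class="fa fa-globe"></i> POEditor</a>') %>
 </h6>
 </div>
 </div>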

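--- a/public/views/shared/refresh-modal.ejs
+++ b/public/views/shared/refresh-modal.ejs
@@ -14,7 +14,7 @@
 </div>
 <div class="new-version" style="display:none;">
 <h5><%= __('New version available!') %></h5>
-<a href="<%- url %>/s/release-notes" target="_blank"><%= __('See releases notes here') %></a>
+<a href="<%- url %>/s/release-notes" target="_blank" rel="noopener"><%= __('See releases notes here') %></a>
 <br>
 <strong><%= __('Refresh to enjoy new features.') %></strong>
 </div>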
