SECURITY: Use rel="noopener" every time we use target="_blank" (#425

)
discourse · Apr 29, 2020 · 14249bd · 14249bd
1 parent d34fea3
commit 14249bd
Show file tree

Hide file tree

Showing 29 changed files with 53 additions and 53 deletions.
diff --git a/lib/onebox/engine/cloudapp_onebox.rb b/lib/onebox/engine/cloudapp_onebox.rb
@@ -25,7 +25,7 @@ def to_html
 
       def link_html(og)
         <<-HTML
-            <a href='#{og.url}' target='_blank'>
+            <a href='#{og.url}' target='_blank' rel='noopener'>
               #{og.title}
             </a>
           HTML
@@ -43,7 +43,7 @@ def video_html(og)
 
       def image_html(og)
         <<-HTML
-            <a href='#{og.url}' target='_blank' class='onebox'>
+            <a href='#{og.url}' target='_blank' class='onebox' rel='noopener'>
               <img src='#{og.image}' #{og.title_attr} alt='CloudApp' width='480'>
             </a>
           HTML

diff --git a/lib/onebox/engine/flickr_onebox.rb b/lib/onebox/engine/flickr_onebox.rb
@@ -26,7 +26,7 @@ def album_html(og)
 
         <<-HTML
             <div class='onebox flickr-album'>
-              <a href='#{escaped_url}' target='_blank'>
+              <a href='#{escaped_url}' target='_blank' rel='noopener'>
                 <span class='outer-box' style='max-width:#{og.image_width}px'>
                   <span class='inner-box'>
                     <span class='album-title'>#{album_title}</span>
@@ -42,7 +42,7 @@ def image_html(og)
         escaped_url = ::Onebox::Helpers.normalize_url_for_output(url)
 
         <<-HTML
-            <a href='#{escaped_url}' target='_blank' class="onebox">
+            <a href='#{escaped_url}' target='_blank' rel='noopener' class="onebox">
               <img src='#{og.get_secure_image}' #{og.title_attr} alt='Imgur' height='#{og.image_height}' width='#{og.image_width}'>
             </a>
           HTML

diff --git a/lib/onebox/engine/giphy_onebox.rb b/lib/onebox/engine/giphy_onebox.rb
@@ -13,7 +13,7 @@ def to_html
         oembed = get_oembed
 
         <<-HTML
-          <a href="#{oembed.url}" target="_blank" class="onebox">
+          <a href="#{oembed.url}" target="_blank" rel="noopener" class="onebox">
             <img src="#{oembed.url}" width="#{oembed.width}" height="#{oembed.height}" #{oembed.title_attr}>
           </a>
         HTML

diff --git a/lib/onebox/engine/google_photos_onebox.rb b/lib/onebox/engine/google_photos_onebox.rb
@@ -33,7 +33,7 @@ def album_html(og)
 
         <<-HTML
             <div class='onebox google-photos-album'>
-              <a href='#{escaped_url}' target='_blank'>
+              <a href='#{escaped_url}' target='_blank' rel='noopener'>
                 <span class='outer-box' style='width:#{og.image_width}px'>
                   <span class='inner-box'>
                     <span class='album-title'>#{Onebox::Helpers.truncate(album_title, 80)}</span>
@@ -49,7 +49,7 @@ def image_html(og)
         escaped_url = ::Onebox::Helpers.normalize_url_for_output(url)
 
         <<-HTML
-            <a href='#{escaped_url}' target='_blank' class="onebox">
+            <a href='#{escaped_url}' target='_blank' rel='noopener' class="onebox">
               <img src='#{og.get_secure_image}' #{og.title_attr} alt='Google Photos' height='#{og.image_height}' width='#{og.image_width}'>
             </a>
           HTML

diff --git a/lib/onebox/engine/image_onebox.rb b/lib/onebox/engine/image_onebox.rb
@@ -19,7 +19,7 @@ def to_html
 
         escaped_url = ::Onebox::Helpers.normalize_url_for_output(@url)
         <<-HTML
-          <a href="#{escaped_url}" target="_blank" class="onebox">
+          <a href="#{escaped_url}" target="_blank" rel="noopener" class="onebox">
             <img src="#{escaped_url}">
           </a>
         HTML

diff --git a/lib/onebox/engine/imgur_onebox.rb b/lib/onebox/engine/imgur_onebox.rb
@@ -34,7 +34,7 @@ def album_html(og)
 
         <<-HTML
             <div class='onebox imgur-album'>
-              <a href='#{escaped_url}' target='_blank'>
+              <a href='#{escaped_url}' target='_blank' rel='noopener'>
                 <span class='outer-box' style='width:#{og.image_width}px'>
                   <span class='inner-box'>
                     <span class='album-title'>#{album_title}</span>
@@ -57,7 +57,7 @@ def image_html(og)
         escaped_url = ::Onebox::Helpers.normalize_url_for_output(url)
 
         <<-HTML
-            <a href='#{escaped_url}' target='_blank' class="onebox">
+            <a href='#{escaped_url}' target='_blank' rel='noopener' class="onebox">
               <img src='#{og.get_secure_image}' #{og.title_attr} alt='Imgur' height='#{og.image_height}' width='#{og.image_width}'>
             </a>
           HTML

diff --git a/spec/lib/onebox/engine/google_drive_onebox_spec.rb b/spec/lib/onebox/engine/google_drive_onebox_spec.rb
@@ -11,7 +11,7 @@
   end
 
   it "includes title" do
-    expect(html).to include('<a href="https://drive.google.com/file/d/1FgMt06wENEUfC6_-1tImXaNCH7vM9QsA/view" target="_blank">test.txt</a>')
+    expect(html).to include('<a href="https://drive.google.com/file/d/1FgMt06wENEUfC6_-1tImXaNCH7vM9QsA/view" target="_blank" rel="noopener">test.txt</a>')
   end
 
   it "includes image" do

diff --git a/spec/lib/onebox/engine/instagram_onebox_spec.rb b/spec/lib/onebox/engine/instagram_onebox_spec.rb
@@ -11,7 +11,7 @@
   end
 
   it "includes title" do
-    expect(html).to include('<a href="https://www.instagram.com/p/BgSPalMjddb/" target="_blank">National Geographic</a>')
+    expect(html).to include('<a href="https://www.instagram.com/p/BgSPalMjddb/" target="_blank" rel="noopener">National Geographic</a>')
   end
 
   it "includes image" do

diff --git a/templates/_layout.mustache b/templates/_layout.mustache
@@ -4,10 +4,10 @@
       <img src="{{favicon}}" class="site-icon"/>
     {{/favicon}}
     {{#article_published_time}}
-      <a href="{{link}}" target='_blank' title="{{article_published_time_title}}">{{domain}} &ndash; {{article_published_time}}</a>
+      <a href="{{link}}" target='_blank' rel='noopener' title="{{article_published_time_title}}">{{domain}} &ndash; {{article_published_time}}</a>
     {{/article_published_time}}
     {{^article_published_time}}
-      <a href="{{link}}" target='_blank'>{{domain}}</a>
+      <a href="{{link}}" target='_blank' rel='noopener'>{{domain}}</a>
     {{/article_published_time}}
   </header>
   <article class="onebox-body">

diff --git a/templates/amazon.mustache b/templates/amazon.mustache
@@ -1,6 +1,6 @@
 {{#image}}<img src="{{image}}" class="thumbnail"/>{{/image}}
 
-<h3><a href='{{link}}' target='_blank'>{{title}}</a></h3>
+<h3><a href='{{link}}' target='_blank' rel='noopener'>{{title}}</a></h3>
 {{#by_info}}<b>{{by_info}}</b>{{/by_info}}
 <p>{{description}}</p>
 <p>

diff --git a/templates/githubblob.mustache b/templates/githubblob.mustache
@@ -1,4 +1,4 @@
-<h4><a href="{{link}}" target="_blank">{{title}}</a></h4>
+<h4><a href="{{link}}" target="_blank" rel="noopener">{{title}}</a></h4>
 {{^has_lines}}
 {{#model_file}}
 <iframe class="render-viewer" width="{{width}}" height="{{height}}" src="{{content}}" sandbox="allow-scripts allow-same-origin allow-top-navigation ">
@@ -40,5 +40,5 @@ pre.onebox code li.selected{
 {{/has_lines}}
 
 {{#truncated}}
-  This file has been truncated. <a href="{{link}}" target="_blank">show original</a>
+  This file has been truncated. <a href="{{link}}" target="_blank" rel="noopener">show original</a>
 {{/truncated}}
diff --git a/templates/githubcommit.mustache b/templates/githubcommit.mustache
@@ -5,7 +5,7 @@
 
   <div class="github-info-container">
     <h4>
-      <a href="{{html_url}}" target="_blank">{{title}}</a>
+      <a href="{{html_url}}" target="_blank" rel="noopener">{{title}}</a>
     </h4>
 
     <div class="github-info">
@@ -14,15 +14,15 @@
       </div>
 
       <div class="user">
-        <a href="{{author.html_url}}" target="_blank">
+        <a href="{{author.html_url}}" target="_blank" rel="noopener">
           <img alt="{{author.login}}" src="{{author.avatar_url}}" class="onebox-avatar-inline" width="20" height="20">
           {{author.login}}
         </a>
 
       </div>
 
       <div class="lines" title="changed {{files.length}} files with {{stats.additions}} additions and {{stats.deletions}} deletions">
-        <a href="{{html_url}}" target="_blank">
+        <a href="{{html_url}}" target="_blank" rel="noopener">
           <span class="added">+{{stats.additions}}</span>
           <span class="removed">-{{stats.deletions}}</span>
         </a>

diff --git a/templates/githubgist.mustache b/templates/githubgist.mustache
@@ -1,12 +1,12 @@
-<h4><a href="{{link}}" target="_blank">{{link}}</a></h4>
+<h4><a href="{{link}}" target="_blank" rel="noopener">{{link}}</a></h4>
 {{#gist_files}}
 <h5>{{filename}}</h5>
 <pre><code class='{{language}}'>{{content}}</code></pre>
-{{#truncated?}}This file has been truncated. <a href="{{link}}" target="_blank">show original</a>{{/truncated?}}
+{{#truncated?}}This file has been truncated. <a href="{{link}}" target="_blank" rel="noopener">show original</a>{{/truncated?}}
 {{/gist_files}}
 
 <p>
 {{#truncated_files?}}
-  There are more than three files. <a href="{{link}}" target="_blank">show original</a>
+  There are more than three files. <a href="{{link}}" target="_blank" rel="noopener">show original</a>
 {{/truncated_files?}}
 </p>
diff --git a/templates/githubissue.mustache b/templates/githubissue.mustache
@@ -5,7 +5,7 @@
 
   <div class="github-info-container">
     <h4>
-      <a href="{{link}}" target="_blank">{{title}}</a>
+      <a href="{{link}}" target="_blank" rel="noopener">{{title}}</a>
     </h4>
 
     <div class="github-info">
@@ -20,7 +20,7 @@
       {{/closed_at}}
 
       <div class="user">
-        <a href="{{user.html_url}}" target="_blank">
+        <a href="{{user.html_url}}" target="_blank" rel="noopener">
           <img alt="{{user.login}}" src="{{user.avatar_url}}" class="onebox-avatar-inline" width="20" height="20">
           {{user.login}}
         </a>

diff --git a/templates/githubpullrequest.mustache b/templates/githubpullrequest.mustache
@@ -5,7 +5,7 @@
 
   <div class="github-info-container">
     <h4>
-      <a href="{{html_url}}" target="_blank">{{title}}</a>
+      <a href="{{html_url}}" target="_blank" rel="noopener">{{title}}</a>
     </h4>
 
     <div class="branches">
@@ -18,19 +18,19 @@
       </div>
 
       <div class="user">
-        <a href="{{user.html_url}}" target="_blank">
+        <a href="{{user.html_url}}" target="_blank" rel="noopener">
           <img alt="{{user.login}}" src="{{user.avatar_url}}" class="onebox-avatar-inline" width="20" height="20">
           {{user.login}}
         </a>
       </div>
 
       <div class="lines" title="{{commits}} commits changed {{changed_files}} files with {{additions}} additions and {{deletions}} deletions">
-        <a href="{{html_url}}/files" target="_blank">
+        <a href="{{html_url}}/files" target="_blank" rel="noopener">
           <span class="added">+{{additions}}</span>
           <span class="removed">-{{deletions}}</span>
         </a>
       </div>
     </div>
 
   </div>
-</div>
+</div>
diff --git a/templates/gitlabblob.mustache b/templates/gitlabblob.mustache
@@ -1,4 +1,4 @@
-<h4><a href="{{link}}" target="_blank">{{title}}</a></h4>
+<h4><a href="{{link}}" target="_blank" rel="noopener">{{title}}</a></h4>
 {{^has_lines}}
 <pre><code class='{{lang}}'>{{content}}</code></pre>
 {{/has_lines}}
@@ -10,5 +10,5 @@
 {{/has_lines}}
 
 {{#truncated}}
-  This file has been truncated. <a href="{{link}}" target="_blank">show original</a>
+  This file has been truncated. <a href="{{link}}" target="_blank" rel="noopener">show original</a>
 {{/truncated}}
diff --git a/templates/googledocs.mustache b/templates/googledocs.mustache
@@ -1,5 +1,5 @@
-<a href='{{link}}' target="_blank"><span class='googledocs-onebox-logo g-{{type}}-logo'></span></a>
+<a href='{{link}}' target="_blank" rel="noopener"><span class='googledocs-onebox-logo g-{{type}}-logo'></span></a>
 
-<h3><a href='{{link}}' target="_blank">{{title}}</a></h3>
+<h3><a href='{{link}}' target="_blank" rel="noopener">{{title}}</a></h3>
 
 <p>{{description}}</p>
diff --git a/templates/googledrive.mustache b/templates/googledrive.mustache
@@ -1,9 +1,9 @@
 {{^image}}
-  <a href='{{link}}' target="_blank"><span class='googledocs-onebox-logo g-drive-logo'></span></a>
+  <a href='{{link}}' target="_blank" rel="noopener"><span class='googledocs-onebox-logo g-drive-logo'></span></a>
 {{/image}}
 
 {{#image}}<img src="{{image}}" class="thumbnail"/>{{/image}}
 
-<h3><a href="{{link}}" target="_blank">{{title}}</a></h3>
+<h3><a href="{{link}}" target="_blank" rel="noopener">{{title}}</a></h3>
 
 <p>{{description}}</p>
diff --git a/templates/instagram.mustache b/templates/instagram.mustache
@@ -1,8 +1,8 @@
-<h3><a href="{{{link}}}" target="_blank">{{title}}</a></h3>
+<h3><a href="{{{link}}}" target="_blank" rel="noopener">{{title}}</a></h3>
 
 {{#image}}
   <div class="instagram-images">
-    {{#video_link}} <a href="{{{video_link}}}" target="_blank"> {{/video_link}}
+    {{#video_link}} <a href="{{{video_link}}}" target="_blank" rel="noopener"> {{/video_link}}
       <img class="instagram-image" src="{{{image}}}"/>
     {{#video_link}} <span class="instagram-video-icon"></span></a> {{/video_link}}
   </div>

diff --git a/templates/pastebin.mustache b/templates/pastebin.mustache
@@ -1,3 +1,3 @@
-<h4><a href="{{link}}" target="_blank">{{link}}</a></h4>
+<h4><a href="{{link}}" target="_blank" rel="noopener">{{link}}</a></h4>
 <pre><code class='lang-auto'>{{content}}</code></pre>
-{{#truncated?}}This paste has been truncated. <a href="{{link}}" target="_blank">show original</a>{{/truncated?}}
+{{#truncated?}}This paste has been truncated. <a href="{{link}}" target="_blank" rel="noopener">show original</a>{{/truncated?}}
diff --git a/templates/pdf.mustache b/templates/pdf.mustache
@@ -1,4 +1,4 @@
-<a href='{{link}}' target="_blank"><span class='pdf-onebox-logo'></span></a>
-<h3><a href='{{link}}' target="_blank">{{title}}</a></h3>
+<a href='{{link}}' target="_blank" rel="noopener"><span class='pdf-onebox-logo'></span></a>
+<h3><a href='{{link}}' target="_blank" rel="noopener">{{title}}</a></h3>
 
 {{#filesize}}<p class='filesize'>{{filesize}}</p>{{/filesize}}
diff --git a/templates/pubmed.mustache b/templates/pubmed.mustache
@@ -1,5 +1,5 @@
 <h4>
-  <a href="{{link}}" target="_blank">{{title}}</a>
+  <a href="{{link}}" target="_blank" rel="noopener">{{title}}</a>
 </h4>
 
 <div class="date">

diff --git a/templates/stackexchange.mustache b/templates/stackexchange.mustache
@@ -1,10 +1,10 @@
 {{#owner.profile_image}}
-  <a href="{{owner.link}}" target="_blank">
+  <a href="{{owner.link}}" target="_blank" rel="noopener">
     <img alt="{{owner.display_name}}" src="{{owner.profile_image}}" class="thumbnail onebox-avatar">
   </a>
 {{/owner.profile_image}}
 <h4>
-  <a href="{{link}}" target="_blank">{{{title}}}</a>
+  <a href="{{link}}" target="_blank" rel="noopener">{{{title}}}</a>
 </h4>
 
 <div class="tags">
@@ -14,8 +14,8 @@
 <div class="date">
   {{#is_question}}asked by{{/is_question}}
   {{#is_answer}}answered by{{/is_answer}}
-  <a href="{{owner.link}}" target="_blank">
+  <a href="{{owner.link}}" target="_blank" rel="noopener">
     {{owner.display_name}}
   </a>
-  on <a href="{{link}}" target="_blank">{{creation_date}}</a>
+  on <a href="{{link}}" target="_blank" rel="noopener">{{creation_date}}</a>
 </div>
diff --git a/templates/twitterstatus.mustache b/templates/twitterstatus.mustache
@@ -1,11 +1,11 @@
 {{#avatar}}<img src="{{avatar}}" class="thumbnail onebox-avatar">{{/avatar}}
 
-<h4><a href='{{link}}' target='_blank'>{{title}}</a></h4>
+<h4><a href='{{link}}' target='_blank' rel='noopener'>{{title}}</a></h4>
 
 <div class="tweet"> {{{tweet}}}{{#quoted_tweet}}<div class="quoted"><a class="quoted-link" href="{{quoted_link}}"><p class="quoted-title">{{quoted_full_name}} <span>@{{quoted_screen_name}}</span></p></a><div>{{quoted_tweet}}</div></div>{{/quoted_tweet}}</div>
 
 <div class='date'>
-  <a href="{{link}}" target="_blank">{{timestamp}}</a>
+  <a href="{{link}}" target="_blank" rel="noopener">{{timestamp}}</a>
   {{#likes}}
     <span class="like">
       <svg viewBox="0 0 512 512" width="14px" height="16px" aria-hidden="true">

diff --git a/templates/wechatmp.mustache b/templates/wechatmp.mustache
@@ -1,4 +1,4 @@
-<h3><a href='{{link}}' target='_blank'>{{title}}</a></h3>
+<h3><a href='{{link}}' target='_blank' rel='noopener'>{{title}}</a></h3>
 {{#by_info}}<b>{{by_info}}</b>{{/by_info}}
 <p>{{description}}</p>
 
diff --git a/templates/whitelistedgeneric.mustache b/templates/whitelistedgeneric.mustache
@@ -1,6 +1,6 @@
 {{#image}}<img src="{{image}}" class="thumbnail"/>{{/image}}
 
-<h3><a href='{{link}}' target="_blank">{{title}}</a></h3>
+<h3><a href='{{link}}' target="_blank" rel="noopener">{{title}}</a></h3>
 
 <p>{{description}}</p>
 

diff --git a/templates/wikimedia.mustache b/templates/wikimedia.mustache
@@ -1,3 +1,3 @@
 {{#image}}<img src="{{image}}" class="thumbnail"/>{{/image}}
 
-<h3><a href='{{link}}' target='_blank'>{{title}}</a></h3>
+<h3><a href='{{link}}' target='_blank' rel='noopener'>{{title}}</a></h3>
diff --git a/templates/wikipedia.mustache b/templates/wikipedia.mustache
@@ -1,5 +1,5 @@
 {{#image}}<img src="{{image}}" class="thumbnail"/>{{/image}}
 
-<h3><a href='{{link}}' target='_blank'>{{title}}</a></h3>
+<h3><a href='{{link}}' target='_blank' rel='noopener'>{{title}}</a></h3>
 
 <p>{{description}}</p>
diff --git a/templates/xkcd.mustache b/templates/xkcd.mustache
@@ -1,4 +1,4 @@
-<h3><a href='{{link}}' target='_blank'>{{title}}</a></h3>
+<h3><a href='{{link}}' target='_blank' rel='noopener'>{{title}}</a></h3>
 
 {{#image}}
   <div class="xkcd-image"><img src="{{image}}"/></div>