Fix: fix reverse tabnabbing in most cases, add rel=noopener to most links to untrusted content

2023-09-02 00:55:07 +02:00 · 2023-09-02 00:55:07 +02:00 · d9b8257e47
commit d9b8257e47
parent fd39f66e2e
25 changed files with 462 additions and 77 deletions
--- a/src/UI/BigComponents/ContactLink.svelte
+++ b/src/UI/BigComponents/ContactLink.svelte
@ -35,7 +35,7 @@
        src={`https://raw.githubusercontent.com/pietervdvn/MapComplete-data/main/community_index/${resource.type}.svg`}
      />
      <div class="flex flex-col">
-        <a href={resource.resolved.url} target="_blank" rel="noreferrer nofollow" class="font-bold">
+        <a href={resource.resolved.url} target="_blank" rel="noreferrer nofollow noopener" class="font-bold">
          {resource.resolved.name ?? resource.resolved.url}
        </a>
        {resource.resolved?.description}
--- a/src/UI/BigComponents/CopyrightPanel.ts
+++ b/src/UI/BigComponents/CopyrightPanel.ts
@ -102,7 +102,7 @@ export default class CopyrightPanel extends Combine {
                        let bgAttr: BaseUIElement | string = undefined
                        if (attrText && attrUrl) {
                            bgAttr =
-                                "<a href='" + attrUrl + "' target='_blank'>" + attrText + "</a>"
+                                "<a href='" + attrUrl + "' target='_blank' rel='noopener'>" + attrText + "</a>"
                        } else if (attrUrl) {
                            bgAttr = attrUrl
                        } else {
--- a/src/UI/BigComponents/UserProfile.svelte
+++ b/src/UI/BigComponents/UserProfile.svelte
@ -37,6 +37,7 @@
      <a
        href={osmConnection.Backend() + "/profile/edit"}
        target="_blank"
+        rel="noopener"
        class="link-no-underline flex items-center self-end"
      >
        <PencilAltIcon slot="image" class="h-8 w-8 p-2" />