Fix: fix reverse tabnabbing in most cases, add rel=noopener to most links to untrusted content

2023-09-02 00:55:07 +02:00 · 2023-09-02 00:55:07 +02:00 · d9b8257e47
commit d9b8257e47
parent fd39f66e2e
25 changed files with 462 additions and 77 deletions
--- a/src/Models/Constants.ts
+++ b/src/Models/Constants.ts
@ -1,13 +1,16 @@
-import { Utils } from "../Utils"
 import * as meta from "../../package.json"
+import { Utils } from "../Utils"

 export type PriviligedLayerType = (typeof Constants.priviliged_layers)[number]

 export default class Constants {
+    static {
+        console.log("Meta (package:json)", meta)
+    }
    public static vNumber = meta.version

    public static ImgurApiKey = meta.config.api_keys.imgur
-    public static readonly mapillary_client_token_v4 =meta.config.api_keys.mapillary_v4
+    public static readonly mapillary_client_token_v4 = meta.config.api_keys.mapillary_v4

    /**
     * API key for Maproulette
--- a/src/Models/ThemeConfig/TagRenderingConfig.ts
+++ b/src/Models/ThemeConfig/TagRenderingConfig.ts
@ -242,7 +242,7 @@ export default class TagRenderingConfig {
                if (txt === "") {
                    throw context + " Rendering for language " + ln + " is empty"
                }
-                if (txt.indexOf("{" + this.freeform.key + "}") >= 0) {
+                if (txt.indexOf("{" + this.freeform.key + "}") >= 0 || txt.indexOf("&LBRACE" + this.freeform.key + "&RBRACE") ) {
                    continue
                }
                if (txt.indexOf("{" + this.freeform.key + ":") >= 0) {
--- a/src/UI/Base/SubtleLink.svelte
+++ b/src/UI/Base/SubtleLink.svelte
@ -34,6 +34,7 @@
  class={twMerge(options.extraClasses, "button text-ellipsis")}
  {href}
  target={newTab ? "_blank" : undefined}
+  rel={newTab ? "noopener" : undefined}
 >
  <slot name="image">
    {#if imageUrl !== undefined}
--- a/src/UI/BigComponents/ContactLink.svelte
+++ b/src/UI/BigComponents/ContactLink.svelte
@ -35,7 +35,7 @@
        src={`https://raw.githubusercontent.com/pietervdvn/MapComplete-data/main/community_index/${resource.type}.svg`}
      />
      <div class="flex flex-col">
-        <a href={resource.resolved.url} target="_blank" rel="noreferrer nofollow" class="font-bold">
+        <a href={resource.resolved.url} target="_blank" rel="noreferrer nofollow noopener" class="font-bold">
          {resource.resolved.name ?? resource.resolved.url}
        </a>
        {resource.resolved?.description}
--- a/src/UI/BigComponents/CopyrightPanel.ts
+++ b/src/UI/BigComponents/CopyrightPanel.ts
@ -102,7 +102,7 @@ export default class CopyrightPanel extends Combine {
                        let bgAttr: BaseUIElement | string = undefined
                        if (attrText && attrUrl) {
                            bgAttr =
-                                "<a href='" + attrUrl + "' target='_blank'>" + attrText + "</a>"
+                                "<a href='" + attrUrl + "' target='_blank' rel='noopener'>" + attrText + "</a>"
                        } else if (attrUrl) {
                            bgAttr = attrUrl
                        } else {
--- a/src/UI/BigComponents/UserProfile.svelte
+++ b/src/UI/BigComponents/UserProfile.svelte
@ -37,6 +37,7 @@
      <a
        href={osmConnection.Backend() + "/profile/edit"}
        target="_blank"
+        rel="noopener"
        class="link-no-underline flex items-center self-end"
      >
        <PencilAltIcon slot="image" class="h-8 w-8 p-2" />
--- a/src/UI/SpecialVisualizations.ts
+++ b/src/UI/SpecialVisualizations.ts
@ -1250,7 +1250,7 @@ export default class SpecialVisualizations {
            },
            {
                funcName: "link",
-                docs: "Construct a link. By using the 'special' visualisation notation, translation should be easier",
+                docs: "Construct a link. By using the 'special' visualisation notation, translations should be easier",
                args: [
                    {
                        name: "text",