Fix: fix reverse tabnabbing in most cases, add rel=noopener to most links to untrusted content

2023-09-02 00:55:07 +02:00 · 2023-09-02 00:55:07 +02:00 · d9b8257e47
commit d9b8257e47
parent fd39f66e2e
25 changed files with 462 additions and 77 deletions
--- a/src/UI/Base/SubtleLink.svelte
+++ b/src/UI/Base/SubtleLink.svelte
@ -34,6 +34,7 @@
  class={twMerge(options.extraClasses, "button text-ellipsis")}
  {href}
  target={newTab ? "_blank" : undefined}
+  rel={newTab ? "noopener" : undefined}
 >
  <slot name="image">
    {#if imageUrl !== undefined}
--- a/src/UI/BigComponents/ContactLink.svelte
+++ b/src/UI/BigComponents/ContactLink.svelte
@ -35,7 +35,7 @@
        src={`https://raw.githubusercontent.com/pietervdvn/MapComplete-data/main/community_index/${resource.type}.svg`}
      />
      <div class="flex flex-col">
-        <a href={resource.resolved.url} target="_blank" rel="noreferrer nofollow" class="font-bold">
+        <a href={resource.resolved.url} target="_blank" rel="noreferrer nofollow noopener" class="font-bold">
          {resource.resolved.name ?? resource.resolved.url}
        </a>
        {resource.resolved?.description}
--- a/src/UI/BigComponents/CopyrightPanel.ts
+++ b/src/UI/BigComponents/CopyrightPanel.ts
@ -102,7 +102,7 @@ export default class CopyrightPanel extends Combine {
                        let bgAttr: BaseUIElement | string = undefined
                        if (attrText && attrUrl) {
                            bgAttr =
-                                "<a href='" + attrUrl + "' target='_blank'>" + attrText + "</a>"
+                                "<a href='" + attrUrl + "' target='_blank' rel='noopener'>" + attrText + "</a>"
                        } else if (attrUrl) {
                            bgAttr = attrUrl
                        } else {
--- a/src/UI/BigComponents/UserProfile.svelte
+++ b/src/UI/BigComponents/UserProfile.svelte
@ -37,6 +37,7 @@
      <a
        href={osmConnection.Backend() + "/profile/edit"}
        target="_blank"
+        rel="noopener"
        class="link-no-underline flex items-center self-end"
      >
        <PencilAltIcon slot="image" class="h-8 w-8 p-2" />
--- a/src/UI/SpecialVisualizations.ts
+++ b/src/UI/SpecialVisualizations.ts
@ -1250,7 +1250,7 @@ export default class SpecialVisualizations {
            },
            {
                funcName: "link",
-                docs: "Construct a link. By using the 'special' visualisation notation, translation should be easier",
+                docs: "Construct a link. By using the 'special' visualisation notation, translations should be easier",
                args: [
                    {
                        name: "text",