colin
/
bookstack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #2768 from CorruptComputer/RSPEC-5148-Fixes 

[sec] Fixes a few minor vulnerabilies when using target="_blank" on links (RSPEC-5148)
This commit is contained in:
Dan Brown 2021-05-24 22:11:49 +01:00 committed by GitHub
parent df0e03cd07 7a6f21648a
commit 5c8c85a0ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 12 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
resources/views/api-docs/index.blade.php
View File

@ -190,7 +190,7 @@
<h5 id="{{ $endpoint['name'] }}" class="text-mono mb-m">
<span class="api-method" data-method="{{ $endpoint['method'] }}">{{ $endpoint['method'] }}</span>
@if($endpoint['controller_method_kebab'] === 'list')
<a style="color: inherit;" target="_blank" href="{{ url($endpoint['uri']) }}">{{ url($endpoint['uri']) }}</a>
<a style="color: inherit;" target="_blank" rel="noopener" href="{{ url($endpoint['uri']) }}">{{ url($endpoint['uri']) }}</a>
@else
{{ url($endpoint['uri']) }}
@endif

2
resources/views/attachments/manager-list.blade.php
View File

@ -7,7 +7,7 @@
class="card drag-card">
<div class="handle">@icon('grip')</div>
<div class="py-s">
<a href="{{ $attachment->getUrl() }}" target="_blank">{{ $attachment->name }}</a>
<a href="{{ $attachment->getUrl() }}" target="_blank" rel="noopener">{{ $attachment->name }}</a>
</div>
<div class="flex-fill justify-flex-end">
<button component="event-emit-select"

2
resources/views/common/footer.blade.php
View File

@ -1,7 +1,7 @@
@if(count(setting('app-footer-links', [])) > 0)
<footer>
@foreach(setting('app-footer-links', []) as $link)
<a href="{{ $link['url'] }}" target="_blank">{{ strpos($link['label'], 'trans::') === 0 ? trans(str_replace('trans::', '', $link['label'])) : $link['label'] }}</a>
<a href="{{ $link['url'] }}" target="_blank" rel="noopener">{{ strpos($link['label'], 'trans::') === 0 ? trans(str_replace('trans::', '', $link['label'])) : $link['label'] }}</a>
@endforeach
</footer>
@endif

3
resources/views/components/image-manager-form.blade.php
View File

@ -7,7 +7,7 @@
option:ajax-form:url="{{ url('images/' . $image->id) }}">
<div class="image-manager-viewer">
<a href="{{ $image->url }}" target="_blank" class="block">
<a href="{{ $image->url }}" target="_blank" rel="noopener" class="block">
<img src="{{ $image->thumbs['display'] }}"
alt="{{ $image->name }}"
class="anim fadeIn"
@ -40,6 +40,7 @@
<li>
<a href="{{ $page->url }}"
target="_blank"
rel="noopener"
class="text-neg">{{ $page->name }}</a>
</li>
@endforeach

2
resources/views/components/page-picker.blade.php
View File

@ -3,7 +3,7 @@
<div page-picker>
<div class="input-base">
<span @if($value) style="display: none" @endif page-picker-default class="text-muted italic">{{ $placeholder }}</span>
<a @if(!$value) style="display: none" @endif href="{{ url('/link/' . $value) }}" target="_blank" class="text-page" page-picker-display>#{{$value}}, {{$value ? \BookStack\Entities\Models\Page::find($value)->name : '' }}</a>
<a @if(!$value) style="display: none" @endif href="{{ url('/link/' . $value) }}" target="_blank" rel="noopener" class="text-page" page-picker-display>#{{$value}}, {{$value ? \BookStack\Entities\Models\Page::find($value)->name : '' }}</a>
</div>
<br>
<input type="hidden" value="{{$value}}" name="{{$name}}" id="{{$name}}">

6
resources/views/pages/revisions.blade.php
View File

@ -41,14 +41,14 @@
<td><small>{{ $revision->created_at->formatLocalized('%e %B %Y %H:%M:%S') }} <br> ({{ $revision->created_at->diffForHumans() }})</small></td>
<td>{{ $revision->summary }}</td>
<td class="actions">
<a href="{{ $revision->getUrl('changes') }}" target="_blank">{{ trans('entities.pages_revisions_changes') }}</a>
<a href="{{ $revision->getUrl('changes') }}" target="_blank" rel="noopener">{{ trans('entities.pages_revisions_changes') }}</a>
<span class="text-muted">&nbsp;|&nbsp;</span>
@if ($index === 0)
<a target="_blank" href="{{ $page->getUrl() }}"><i>{{ trans('entities.pages_revisions_current') }}</i></a>
<a target="_blank" rel="noopener" href="{{ $page->getUrl() }}"><i>{{ trans('entities.pages_revisions_current') }}</i></a>
@else
<a href="{{ $revision->getUrl() }}" target="_blank">{{ trans('entities.pages_revisions_preview') }}</a>
<a href="{{ $revision->getUrl() }}" target="_blank" rel="noopener">{{ trans('entities.pages_revisions_preview') }}</a>
<span class="text-muted">&nbsp;|&nbsp;</span>
<div component="dropdown" class="dropdown-container">
<a refs="dropdown@toggle" href="#" aria-haspopup="true" aria-expanded="false">{{ trans('entities.pages_revisions_restore') }}</a>

6
resources/views/partials/entity-export-menu.blade.php
View File

@ -5,8 +5,8 @@
<span>{{ trans('entities.export') }}</span>
</div>
<ul refs="dropdown@menu" class="wide dropdown-menu" role="menu">
<li><a href="{{ $entity->getUrl('/export/html') }}" target="_blank">{{ trans('entities.export_html') }} <span class="text-muted float right">.html</span></a></li>
<li><a href="{{ $entity->getUrl('/export/pdf') }}" target="_blank">{{ trans('entities.export_pdf') }} <span class="text-muted float right">.pdf</span></a></li>
<li><a href="{{ $entity->getUrl('/export/plaintext') }}" target="_blank">{{ trans('entities.export_text') }} <span class="text-muted float right">.txt</span></a></li>
<li><a href="{{ $entity->getUrl('/export/html') }}" target="_blank" rel="noopener">{{ trans('entities.export_html') }} <span class="text-muted float right">.html</span></a></li>
<li><a href="{{ $entity->getUrl('/export/pdf') }}" target="_blank" rel="noopener">{{ trans('entities.export_pdf') }} <span class="text-muted float right">.pdf</span></a></li>
<li><a href="{{ $entity->getUrl('/export/plaintext') }}" target="_blank" rel="noopener">{{ trans('entities.export_text') }} <span class="text-muted float right">.txt</span></a></li>
</ul>
</div>