
Reference popups add _blank target without rel=noopener
Closed, Resolved, Public

Description

I haven't actually tested this, so forgive me if I misunderstand the code.

It looks like in src/ui/renderer.js line 252:

$el.find( '.mwe-popups-extract a[href]' ).each( ( i, a ) => {
        a.target = '_blank';
} );

Looks like all the links are getting target _blank, and these links are user controlled, but there is no noopener set. This could be useful to certain types of phishing attacks. It's not a super critical thing, but please set rel=noopener for links that get target=_blank (e.g. https://mathiasbynens.github.io/rel-noopener/).
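As an added illustration (not the Popups extension's own code), the snippet below shows a hardened replacement for the loop quoted above plus an audit helper that flags anchors still opening a new tab without rel=noopener. The helpers only rely on the string `target` and `rel` properties that a real HTMLAnchorElement has, so they run against both live DOM anchors and the constructed plain objects used here; `noreferrer` is treated as an accepted alternative because it implies noopener.

```javascript
// Rel tokens are whitespace-separated and ASCII case-insensitive.
function relTokens(rel) {
  return (rel || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// Hardened equivalent of `a.target = '_blank'` from renderer.js: opening a
// user-controlled URL in a new browsing context without noopener hands the new
// page a `window.opener` reference it can use to navigate the original tab.
// Existing rel tokens (e.g. nofollow) are preserved rather than overwritten.
function openInNewTab(a, { noreferrer = false } = {}) {
  a.target = '_blank';
  const tokens = new Set(relTokens(a.rel));
  tokens.add('noopener');
  if (noreferrer) {
    tokens.add('noreferrer'); // also suppresses the Referer header
  }
  a.rel = Array.from(tokens).join(' ');
  return a;
}

// Audit helper: anchors that target _blank but carry neither noopener nor
// noreferrer (the latter implies noopener behaviour).
function findUnsafeBlankTargets(anchors) {
  return anchors.filter((a) => {
    if (a.target !== '_blank') return false;
    const tokens = relTokens(a.rel);
    return !tokens.includes('noopener') && !tokens.includes('noreferrer');
  });
}

// Constructed sample standing in for `$el.find('.mwe-popups-extract a[href]')`.
const sampleAnchors = [
  { href: 'https://example.org/', target: '', rel: '' },
  { href: 'https://example.com/a', target: '_blank', rel: '' },
  { href: 'https://example.net/b', target: '_blank', rel: 'nofollow noopener' },
];

// Harden every extract link the way the renderer loop should, then re-audit.
function hardenAll(anchors) {
  anchors.forEach((a) => openInNewTab(a));
  return findUnsafeBlankTargets(anchors).length;
}
```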

Event Timeline

thiemowmde triaged this task as Low priority.
thiemowmde moved this task from Backlog to Doing on the Reference Previews board.

Probably having no access to security tickets ;-)

Oh. I suggest lifting the limitation on this and the other ticket, T214754, as both are not exploitable on any production server.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".

That was quick!

Thanks for addressing this so quickly.