diff options
| author |  Alexandre Alapetite <alexandre.alapetite@alexandra.dk>
| 2016-09-07 14:35:51 +0200 |
|---|---|---|
| committer | Alexandre Alapetite <alexandre.alapetite@alexandra.dk>
| 2016-09-07 14:35:51 +0200 |
| commit | 8a776f146182bc6870702cfeb87041e3af66b24b (patch) | |
| tree | 5ababee81679d46f7f72d65920170e719fea12d1 /app/layout | |
| parent | 03211453704e90c85d5da3a9ef0553e49886de59 (diff) | |
Prevent a target _blank attacks with window.opener
https://mathiasbynens.github.io/rel-noopener/
noopener is implied by noreferrer
https://html.spec.whatwg.org/multipage/semantics.html#link-type-noreferrer
The API for window.open() does not seem stable yet
https://bugzilla.mozilla.org/show_bug.cgi?id=1267339
Diffstat (limited to 'app/layout')
| -rw-r--r-- | app/layout/aside_feed.phtml | 2 | ||||
| -rw-r--r-- | app/layout/aside_subscription.phtml | 2 | ||||
| -rw-r--r-- | app/layout/nav_menu.phtml | 2 |
3 files changed, 3 insertions, 3 deletions
diff --git a/app/layout/aside_feed.phtml b/app/layout/aside_feed.phtml index e8fdbf842..94c281b7f 100644 --- a/app/layout/aside_feed.phtml +++ b/app/layout/aside_feed.phtml @@ -79,7 +79,7 @@ <?php if (FreshRSS_Auth::hasAccess()) { ?> <li class="item"><a href="<?php echo _url('stats', 'repartition', 'id', '------'); ?>"><?php echo _t('index.menu.stats'); ?></a></li> <?php } ?> - <li class="item"><a target="_blank" href="http://example.net/"><?php echo _t('gen.action.see_website'); ?></a></li> + <li class="item"><a target="_blank" rel="noreferrer" href="http://example.net/"><?php echo _t('gen.action.see_website'); ?></a></li> <?php if (FreshRSS_Auth::hasAccess()) { ?> <li class="separator"></li> <li class="item"><a href="<?php echo _url('subscription', 'index', 'id', '------'); ?>"><?php echo _t('gen.action.manage'); ?></a></li> diff --git a/app/layout/aside_subscription.phtml b/app/layout/aside_subscription.phtml index fa10d63e8..e14afe2a7 100644 --- a/app/layout/aside_subscription.phtml +++ b/app/layout/aside_subscription.phtml @@ -10,7 +10,7 @@ </li> <li class="item"> - <a class="bookmarkClick" href="javascript:(function(){var%20url%20=%20location.href;window.open('<?php echo Minz_Url::display(array('c' => 'feed', 'a' => 'add'), 'html', true); ?>&url_rss='+encodeURIComponent(url), '_blank');})();"> + <a class="bookmarkClick" href="javascript:(function(){var%20url%20=%20location.href;var%20otherWindow=window.open('about:blank','_blank');otherWindow.opener=null;otherWindow.location='<?php echo Minz_Url::display(array('c' => 'feed', 'a' => 'add'), 'html', true); ?>&url_rss='+encodeURIComponent(url);})();"> <?php echo _t('sub.menu.bookmark'); ?> </a> </li> diff --git a/app/layout/nav_menu.phtml b/app/layout/nav_menu.phtml index 23255f04f..d77c1abf9 100644 --- a/app/layout/nav_menu.phtml +++ b/app/layout/nav_menu.phtml @@ -152,7 +152,7 @@ $url_output['params']['token'] = FreshRSS_Context::$user_conf->token; } ?> - <a class="view_rss btn" target="_blank" title="<?php echo _t('index.menu.rss_view'); ?>" href="<?php echo Minz_Url::display($url_output); ?>"> + <a class="view_rss btn" target="_blank" rel="noreferrer" title="<?php echo _t('index.menu.rss_view'); ?>" href="<?php echo Minz_Url::display($url_output); ?>"> <?php echo _i('rss'); ?> </a> </div> |