From 3f8804f54f8426961a31287fb8e9a3d8f8f84b4d Mon Sep 17 00:00:00 2001
From: ArthurHoaro
Date: Wed, 21 Aug 2019 21:14:22 +0200
Subject: Prevent window opener vulnerability with space shortcut (#2506)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Prevent window opener vulnerability with space shortcut
This change fixes a vulnerability introduced by `window.open()` on untrusted sources. It reproduces the effect of `rel="noreferrer"` with JS. Cross browser solution from: https://stackoverflow.com/a/40593743
## Reproduction
> tested with Firefox 68
1. Add this RSS feed
2. Open the 2nd link "À propos de la faille de sécurité liée à target="_blank" **using the space key shortcut**.
3. Click on the first of three links "http://bookmarks.ecyseo.net"
Current behaviour: the FreshRSS tab changes.
Expected behaviour: no effect on FreshRSS
* Test for popup blockers
---
p/scripts/main.js | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'p')
diff --git a/p/scripts/main.js b/p/scripts/main.js
index 4fd91235e..3f964e70e 100644
--- a/p/scripts/main.js
+++ b/p/scripts/main.js
@@ -803,7 +803,11 @@ function init_shortcuts() {
 if (context.auto_mark_site) {
 mark_read(document.querySelector('.flux.current'), true, false);
 }
- window.open(document.querySelector('.flux.current a.go_website').href);
+ const newWindow = window.open();
+ if (newWindow) {
+ newWindow.opener = null;
+ newWindow.location = document.querySelector('.flux.current a.go_website').href;
+ }
 return false;
 }
 if (k === s.skip_next_entry) { next_entry(true); return false; }
--
cgit v1.2.3
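Review bot: The new block opens the blank window before it resolves the target link, and `mark_read(...)` has already run by then. If `.flux.current a.go_website` matches nothing, `window.open()` leaves an empty tab and the `.href` access throws before `return false`; if the popup is blocked, the entry is marked read without ever being opened. Resolving the anchor first, e.g. `const link = document.querySelector('.flux.current a.go_website');` followed by `if (!link || !/^https?:$/.test(link.protocol)) { return false; }` ahead of both `mark_read` and `window.open()`, avoids both cases. The protocol test matters because the href is feed-supplied and is assigned to the location of a window that presumably still shares this page's origin; whether it is already limited to http(s) upstream is not visible in this hunk. `init_shortcuts()` starts and ends outside the hunk.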