Added rel="noopener noreferrer" to all links with target="_blank" created by the app.

This helps minimize the possibility of the new window manipulating the feedbunch page through the window.opener property. This is especially important with entry links.

For an in-depth discussion about this security problem see:

https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c#.mez2lo17i
https://news.ycombinator.com/item?id=11631292
amatriain committed Sep 13, 2016
1 parent 2c02ba7 commit 8d71b8e
Showing 11 changed files with 32 additions and 28 deletions.
6 changes: 3 additions & 3 deletions app/views/errors/404.html.erb
@@ -13,11 +13,11 @@
<% end %>

<p class="credit-line">
<%= link_to t('error_pages.error_404.img_credit'), 'http://flickr.com/photos/63930773@N06/7073212719', target: '_blank' %>
<%= link_to t('error_pages.error_404.img_credit'), 'http://flickr.com/photos/63930773@N06/7073212719', target: '_blank', rel: 'noopener noreferrer' %>
&nbsp;&copy;&nbsp;
<%= link_to 'vitalogia', 'http://www.flickr.com/people/63930773@N06', target: '_blank' %>
<%= link_to 'vitalogia', 'http://www.flickr.com/people/63930773@N06', target: '_blank', rel: 'noopener noreferrer' %>
/
<%= link_to 'CC-BY-2.0', 'http://creativecommons.org/licenses/by/2.0/deed.en', target: '_blank' %>
<%= link_to 'CC-BY-2.0', 'http://creativecommons.org/licenses/by/2.0/deed.en', target: '_blank', rel: 'noopener noreferrer' %>
</p>

</div>
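Review bot: the `target: '_blank', rel: 'noopener noreferrer'` pair is now repeated verbatim on every external link in this and the other view files; consider wrapping it in a small view helper (for example a hypothetical `external_link_to` that passes both options through to `link_to`) so that a future link added with only `target: '_blank'` cannot silently regress this fix. The change itself is correct: `link_to` emits the `rel` option as an attribute, `noopener` is what severs `window.opener`, and `noreferrer` additionally suppresses the Referer header, which is fine for these credit links.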
6 changes: 3 additions & 3 deletions app/views/errors/422.html.erb
@@ -13,11 +13,11 @@
<% end %>

<p class="credit-line">
<%= link_to t('error_pages.error_422.img_credit'), 'http://flickr.com/photos/59594757@N00/7854816722', target: '_blank' %>
<%= link_to t('error_pages.error_422.img_credit'), 'http://flickr.com/photos/59594757@N00/7854816722', target: '_blank', rel: 'noopener noreferrer' %>
&nbsp;&copy;&nbsp;
<%= link_to 'Nisa yeh', 'http://www.flickr.com/people/59594757@N00', target: '_blank' %>
<%= link_to 'Nisa yeh', 'http://www.flickr.com/people/59594757@N00', target: '_blank', rel: 'noopener noreferrer' %>
/
<%= link_to 'CC-BY-SA-2.0', 'http://creativecommons.org/licenses/by-sa/2.0/deed.en', target: '_blank' %>
<%= link_to 'CC-BY-SA-2.0', 'http://creativecommons.org/licenses/by-sa/2.0/deed.en', target: '_blank', rel: 'noopener noreferrer' %>
</p>

</div>
2 changes: 1 addition & 1 deletion app/views/errors/500.html.erb
@@ -13,7 +13,7 @@
<% end %>

<p class="credit-line">
<%= link_to t('error_pages.error_500.img_credit'), 'http://www.public-domain-image.com/full-image/miscellaneous-public-domain-images-pictures/fire-flames-pictures/fire-explosions.jpg.html', target: '_blank' %>
<%= link_to t('error_pages.error_500.img_credit'), 'http://www.public-domain-image.com/full-image/miscellaneous-public-domain-images-pictures/fire-flames-pictures/fire-explosions.jpg.html', target: '_blank', rel: 'noopener noreferrer' %>
&nbsp;Jon Sullivan / Public domain
</p>

16 changes: 8 additions & 8 deletions app/views/layouts/_footer.html.erb
@@ -11,34 +11,34 @@
</p>

<p>
<%= link_to 'Bootstrap', 'http://getbootstrap.com', target: '_blank' %> &copy; Twitter, Inc / <%= link_to t('layouts.footer.bootstrap_license'), 'https://github.com/twbs/bootstrap/blob/master/LICENSE', target: '_blank' %>
<%= link_to 'Bootstrap', 'http://getbootstrap.com', target: '_blank', rel: 'noopener noreferrer' %> &copy; Twitter, Inc / <%= link_to t('layouts.footer.bootstrap_license'), 'https://github.com/twbs/bootstrap/blob/master/LICENSE', target: '_blank', rel: 'noopener noreferrer' %>
</p>

<p>
<%= link_to 'AngularJS', 'https://angularjs.org/', target: '_blank' %> &copy; Google, Inc / <%= link_to t('layouts.footer.angularjs_license'), 'https://github.com/angular/angular.js/blob/master/LICENSE', target: '_blank' %>
<%= link_to 'AngularJS', 'https://angularjs.org/', target: '_blank', rel: 'noopener noreferrer' %> &copy; Google, Inc / <%= link_to t('layouts.footer.angularjs_license'), 'https://github.com/angular/angular.js/blob/master/LICENSE', target: '_blank', rel: 'noopener noreferrer' %>
</p>

<p>
<%= link_to 'Font Awesome', 'http://fontawesome.io', target: '_blank' %> <%= t 'layouts.footer.by' %> Dave Gandy
<%= link_to 'Font Awesome', 'http://fontawesome.io', target: '_blank', rel: 'noopener noreferrer' %> <%= t 'layouts.footer.by' %> Dave Gandy
</p>

<p>
<%= t 'layouts.footer.img_credit' %> <%= t 'layouts.footer.by' %>
<%= link_to 'Patricia', 'http://www.behance.net/Patridb', target: '_blank' %>
<%= link_to 'Patricia', 'http://www.behance.net/Patridb', target: '_blank', rel: 'noopener noreferrer' %>
<%= t 'layouts.footer.and' %>
<%= link_to 'Alvaro', 'http://alvaro-corcin.com/', target: '_blank' %>
<%= link_to 'Alvaro', 'http://alvaro-corcin.com/', target: '_blank', rel: 'noopener noreferrer' %>
</p>

<p>
<%= link_to t('layouts.footer.bg_image'), 'http://666a658c624a3c03a6b2-25cda059d975d2f318c03e90bcf17c40.r92.cf1.rackcdn.com/unsplash_52b6b4db7397c_1.JPG', target: '_blank' %> <%= t 'layouts.footer.by' %> <%= link_to 'Unsplash', 'http://unsplash.com/', target: '_blank' %> / <%= link_to 'CC0 1.0', 'http://creativecommons.org/publicdomain/zero/1.0/', target: '_blank' %>
<%= link_to t('layouts.footer.bg_image'), 'http://666a658c624a3c03a6b2-25cda059d975d2f318c03e90bcf17c40.r92.cf1.rackcdn.com/unsplash_52b6b4db7397c_1.JPG', target: '_blank', rel: 'noopener noreferrer' %> <%= t 'layouts.footer.by' %> <%= link_to 'Unsplash', 'http://unsplash.com/', target: '_blank', rel: 'noopener noreferrer' %> / <%= link_to 'CC0 1.0', 'http://creativecommons.org/publicdomain/zero/1.0/', target: '_blank', rel: 'noopener noreferrer' %>
</p>

<p>
<%= link_to 'Ruby on Rails', 'http://rubyonrails.org/', target: '_blank' %> <%= t 'layouts.footer.by' %> David Heinemeier Hansson / <%= link_to t('layouts.footer.rails_license'), 'http://www.opensource.org/licenses/mit-license.php', target: '_blank' %>
<%= link_to 'Ruby on Rails', 'http://rubyonrails.org/', target: '_blank', rel: 'noopener noreferrer' %> <%= t 'layouts.footer.by' %> David Heinemeier Hansson / <%= link_to t('layouts.footer.rails_license'), 'http://www.opensource.org/licenses/mit-license.php', target: '_blank', rel: 'noopener noreferrer' %>
</p>

<p>
<%= link_to 'Ruby', 'https://www.ruby-lang.org', target: '_blank' %> &copy; Yukihiro Matsumoto / <%= link_to t('layouts.footer.ruby_license'), 'https://www.ruby-lang.org/en/about/license.txt', target: '_blank' %>
<%= link_to 'Ruby', 'https://www.ruby-lang.org', target: '_blank', rel: 'noopener noreferrer' %> &copy; Yukihiro Matsumoto / <%= link_to t('layouts.footer.ruby_license'), 'https://www.ruby-lang.org/en/about/license.txt', target: '_blank', rel: 'noopener noreferrer' %>
</p>

</div>
2 changes: 2 additions & 0 deletions app/views/layouts/_social_links.html.erb
@@ -6,6 +6,7 @@
<a id="twitter-footer-link"
href="https://twitter.com/feedbunch"
target="_blank"
rel="noopener noreferrer"
data-toggle="tooltip"
data-placement="top"
title="<%= t 'layouts.footer.twitter' %>">
@@ -14,6 +15,7 @@
<a id="github-footer-link"
href="https://github.com/amatriain/feedbunch"
target="_blank"
rel="noopener noreferrer"
data-toggle="tooltip"
data-placement="top"
title="<%= t 'layouts.footer.github' %>">
8 changes: 4 additions & 4 deletions app/views/layouts/navbar/_user_menu.html.erb
@@ -20,7 +20,7 @@

<% if can? :manage, ActiveAdmin %>
<li>
<%= link_to '/admin', target: '_blank' do %>
<%= link_to '/admin', target: '_blank', rel: 'noopener noreferrer' do %>
<i class="fa fa-wrench fa-fw"></i>
<%= t 'layouts.navbar.admin' %>
<% end %>
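Review bot: the four links changed in this file (`/admin`, `/pghero`, `/redmon`, `sidekiq_web_path`) are same-origin admin dashboards, so `noreferrer` also strips the Referer header on navigation to them; `noopener` alone is what addresses the `window.opener` problem described in the commit message. Worth confirming that none of these mounted engines depends on the Referer header (some Rack-level request checks do); if one does, `rel: 'noopener'` is the narrower option for these internal links, with the trade-off that at the time of this commit not every browser honoured `noopener` without `noreferrer`, which is the reason the pair is used on the external links.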
@@ -29,7 +29,7 @@
<% if can? :manage, PgHero %>
<li>
<%= link_to '/pghero', target: '_blank' do %>
<%= link_to '/pghero', target: '_blank', rel: 'noopener noreferrer' do %>
<i class="fa fa-database fa-fw"></i>
<%= t 'layouts.navbar.db_stats' %>
<% end %>
@@ -38,7 +38,7 @@
<% if can? :manage, Redmon %>
<li>
<%= link_to '/redmon', target: '_blank' do %>
<%= link_to '/redmon', target: '_blank', rel: 'noopener noreferrer' do %>
<i class="fa fa-area-chart fa-fw"></i>
<%= t 'layouts.navbar.cache_stats' %>
<% end %>
@@ -47,7 +47,7 @@
<% if can? :manage, Sidekiq %>
<li>
<%= link_to sidekiq_web_path, target: '_blank' do %>
<%= link_to sidekiq_web_path, target: '_blank', rel: 'noopener noreferrer' do %>
<i class="fa fa-code-fork fa-fw"></i>
<%= t 'layouts.navbar.background_jobs' %>
<% end %>
4 changes: 2 additions & 2 deletions app/views/layouts/popups/_help_feedback.html.erb
@@ -16,9 +16,9 @@
<div class="col-xs-12 col-sm-10">
<p><%= t 'layouts.popups.help.text_1' %></p>
<ul id="help-contact-list" class="fa fa-ul">
<li><a class="alert-link" href="http://twitter.com/feedbunch" target="_blank"><i class="fa fa-li fa-twitter fa-lg"></i>Twitter (@feedbunch)</a></li>
<li><a class="alert-link" href="http://twitter.com/feedbunch" target="_blank" rel="noopener noreferrer"><i class="fa fa-li fa-twitter fa-lg"></i>Twitter (@feedbunch)</a></li>
<li><a class="alert-link" href="mailto:admin@feedbunch.com"><i class="fa fa-li fa-envelope fa-lg"></i>Email (admin@feedbunch.com)</a></li>
<li><a class="alert-link" href="https://github.com/amatriain/feedbunch" target="_blank"><i class="fa fa-li fa-github fa-lg"></i>Github (amatriain/feedbunch)</a></li>
<li><a class="alert-link" href="https://github.com/amatriain/feedbunch" target="_blank" rel="noopener noreferrer"><i class="fa fa-li fa-github fa-lg"></i>Github (amatriain/feedbunch)</a></li>
</ul>
<p>
<%= t 'layouts.popups.help.text_2' %>
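Review bot: the Twitter link on the first changed line uses `http://twitter.com/feedbunch`, while `_social_links.html.erb` in this same commit links to `https://twitter.com/feedbunch`; prefer the https URL here (and on the matching line in `_about.html.erb`) for consistency and to avoid a plain-http navigation from an https page. The `rel` addition itself is right, and the `mailto:` link between the two correctly stays untouched since it has no `target`.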
4 changes: 2 additions & 2 deletions app/views/pages/_about.html.erb
@@ -91,9 +91,9 @@
<%= t 'pages.about.getting_help.text_1' %>
</p>
<ul id="contact-list" class="fa fa-ul">
<li><i class="fa fa-li fa-twitter"></i><span class="contact"><a href="http://twitter.com/feedbunch" target="_blank">Twitter (@feedbunch)</a></span></li>
<li><i class="fa fa-li fa-twitter"></i><span class="contact"><a href="http://twitter.com/feedbunch" target="_blank" rel="noopener noreferrer">Twitter (@feedbunch)</a></span></li>
<li><i class="fa fa-li fa-envelope"></i><span class="contact"><a href="mailto:admin@feedbunch.com">Email (admin@feedbunch.com)</a></span></li>
<li><i class="fa fa-li fa-github"></i><span class="contact"><a href="https://github.com/amatriain/feedbunch" target="_blank">Github (amatriain/feedbunch)</a></span></li>
<li><i class="fa fa-li fa-github"></i><span class="contact"><a href="https://github.com/amatriain/feedbunch" target="_blank" rel="noopener noreferrer">Github (amatriain/feedbunch)</a></span></li>
</ul>

<p>
1 change: 1 addition & 0 deletions app/views/read/_entries.html.erb
@@ -62,6 +62,7 @@
ng-class="{entry_open_lead: is_entry_open(entry)}">
<a href="{{entry.url}}"
target="_blank"
rel="noopener noreferrer"
data-toggle="tooltip" data-placement="top"
title="<%= t 'read.entries.title_tooltip' %>"
ng-bind-html="entry.title">
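Review bot: this is the link the commit message singles out, since `entry.url` comes from feed content rather than from the app. `rel="noopener noreferrer"` severs `window.opener` for the opened page, but it does not constrain the `href` itself: the interpolated `href="{{entry.url}}"` renders whatever URL string the feed supplied. AngularJS 1.x runs interpolated `href` values through its `aHrefSanitizationWhitelist`, which covers the common case, but it is still worth confirming separately that entry URLs are restricted to http(s) when they are stored, since that check is the robust one.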
8 changes: 4 additions & 4 deletions app/views/read/_entries_toolbar.html.erb
@@ -37,28 +37,28 @@

<li>
<a href="https://twitter.com/intent/tweet?url={{entry.url}}&via=feedbunch&text={{entry.title}}"
target="_blank">
target="_blank" rel="noopener noreferrer">
<i class="fa fa-fw fa-twitter"></i>&nbsp;<%= t 'read.entries.share_twitter' %>
</a>
</li>

<li>
<a ng-click="share_facebook_entry(entry)"
target="_blank">
target="_blank" rel="noopener noreferrer">
<i class="fa fa-fw fa-facebook"></i>&nbsp;<%= t 'read.entries.share_facebook' %>
</a>
</li>

<li>
<a ng-click="share_gplus_entry(entry)"
target="_blank">
target="_blank" rel="noopener noreferrer">
<i class="fa fa-fw fa-google-plus"></i>&nbsp;<%= t 'read.entries.share_gplus' %>
</a>
</li>

<li>
<a ng-click="share_linkedin_entry(entry)"
target="_blank">
target="_blank" rel="noopener noreferrer">
<i class="fa fa-fw fa-linkedin"></i>&nbsp;<%= t 'read.entries.share_linkedin' %>
</a>
</li>
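Review bot: the `rel` added on the Facebook, Google+ and LinkedIn anchors has no effect, because those `<a>` elements have no `href`: an anchor without `href` is not a hyperlink, so neither `target="_blank"` nor `rel` influences what happens on click, and the new window is opened by the `share_*_entry(entry)` handlers in JavaScript. For those, the opener has to be severed in the script that calls `window.open`, for example by passing `'noopener'` in the window-features argument where the browser supports it, or by opening the window first, setting `w.opener = null`, and only then assigning `w.location`. Only the Twitter anchor in this hunk, which has a real `href`, benefits from the attribute as written.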
3 changes: 2 additions & 1 deletion app/views/read/index.html.erb
@@ -40,7 +40,8 @@
title="<%= t 'read.index.feed_tooltip' %>"
ng-bind-html="current_feed.title"
href="{{current_feed.url}}"
target="_blank">
target="_blank"
rel="noopener noreferrer">
</a>
</div>
