Skip to content

JS: change the precision of the js/unsafe-external-link query to low #16002

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 22, 2024
Merged

JS: change the precision of the js/unsafe-external-link query to low #16002

merged 2 commits into from
Mar 22, 2024

Conversation

erik-krogh
Copy link
Contributor

Fixes #15995

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 21, 2024
edited
Loading

QHelp previews:

javascript/ql/src/DOM/TargetBlank.qhelp

Potentially unsafe external link

HTML links that open in a new tab or window allow the target page to access the DOM of the origin page using window.opener unless link type noopener or noreferrer is specified. This is a potential security risk.

Note that only older browsers, where target="_blank" does not imply rel="noopener", are affected by this vulnerability. Modern browsers implicitly add rel="noopener" to target="_blank" links. Refer to the browser compatibility section on the anchor element for details on which browsers implicitly add rel="noopener" to target="_blank" links.

Recommendation

Specify the link type by adding an attribute rel="noopener noreferrer".

Example

In the following example, a JSX element is created that corresponds to an HTML link opening the URL http://example.com in a new tab. Since it does not specify a link type, that page will be able to access the DOM of the origin page.

var link = <a href="http://example.com" target="_blank">Example</a>;

To fix this vulnerability, add a rel attribute:

var link = <a href="http://example.com" target="_blank" rel="noopener noreferrer">Example</a>;

References

@erik-krogh erik-krogh marked this pull request as ready for review March 21, 2024 10:15
@erik-krogh erik-krogh requested a review from a team as a code owner March 21, 2024 10:15
asgerf
asgerf reviewed Mar 21, 2024
View reviewed changes
@erik-krogh @asgerf
improve the change-note
7d96818 
Co-authored-by: Asger F <asgerf@github.com>
@erik-krogh erik-krogh added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Mar 22, 2024
subatoi
subatoi approved these changes Mar 22, 2024
View reviewed changes
Copy link
Contributor

@subatoi subatoi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks!

javascript/ql/src/DOM/TargetBlank.qhelp
Note that only older browsers, where <code>target="_blank"</code> does not imply <code>rel="noopener"</code>,
are affected by this vulnerability. Modern browsers implicitly add <code>rel="noopener"</code> to
<code>target="_blank"</code> links.
Refer to the <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#browser_compatibility">browser compatibility section
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: is it worth specifying that this hyperlink is going to the MDN docs?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm. I don't think that's needed here. But thanks.

@erik-krogh erik-krogh merged commit 45ce988 into github:main Mar 22, 2024
@erik-krogh erik-krogh mentioned this pull request Mar 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asgerf asgerf asgerf left review comments

@subatoi subatoi subatoi approved these changes

Assignees
No one assigned
Labels
documentation JS ready-for-doc-review This PR requires and is ready for review from the GitHub docs team.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Disable js/unsafe-external-link by default
3 participants
@erik-krogh @asgerf @subatoi