Merge branch 'release/10.2' into dev

frontend/src/app/components/modals/modal-wrapper/dynamic-content.modal.ts

@@ -36,6 +36,11 @@ import {I18nService} from "core-app/modules/common/i18n/i18n.service";
   templateUrl: './dynamic-content.modal.html'
 })
 export class DynamicContentModal extends OpModalComponent implements OnInit, OnDestroy {
+  // override superclass
+  // Allowing outside clicks to close the modal leads to the user involuntarily closing
+  // the modal when removing error messages or clicking on labels e.g. in the registration modal.
+  public closeOnOutsideClick:boolean = false;
+
   constructor(readonly elementRef:ElementRef,
               @Inject(OpModalLocalsToken) public locals:OpModalLocalsMap,
               readonly cdRef:ChangeDetectorRef,

lib/open_project/text_formatting/filters/autolink_filter.rb

@@ -51,7 +51,7 @@ def call
       def default_autolink_options
         {
           enabled: true,
-          classes: 'rinku-autolink',
+          classes: 'rinku-autolink'
         }
       end
     end

lib/open_project/text_formatting/filters/macro_filter.rb

@@ -72,7 +72,6 @@ def macro_error_placeholder(macro_class, message)
                                                   data: { macro_name: macro_class.identifier }
       end
 
-
       def macro_placeholder(macro_class)
         ApplicationController.helpers.content_tag :macro,
                                                   I18n.t('macros.placeholder', macro_name: macro_class.identifier),

lib/open_project/text_formatting/filters/relative_link_filter.rb

@@ -31,7 +31,6 @@
 module OpenProject::TextFormatting
   module Filters
     class RelativeLinkFilter < HTML::Pipeline::Filter
-
       def call
         # We only care for absolute rendering
         unless context[:only_path] == false

lib/open_project/text_formatting/filters/sanitization_filter.rb

@@ -35,7 +35,17 @@ def context
         super.merge(whitelist: WHITELIST.merge(
           elements: WHITELIST[:elements] + ['macro'],
           # Whitelist class and data-* attributes on all macros
-          attributes: WHITELIST[:attributes].merge('macro' => ['class', :data])
+          attributes: WHITELIST[:attributes].merge('macro' => ['class', :data]),
+          transformers: WHITELIST[:transformers] + [
+            # Add rel attribute to prevent tabnabbing
+            lambda { |env|
+              name = env[:node_name]
+              node = env[:node]
+              if name == 'a'
+                node['rel'] = 'noopener noreferrer'
+              end
+            }
+          ]
         ))
       end
     end

lib/open_project/text_formatting/helpers/link_rewriter.rb

@@ -30,7 +30,6 @@
 
 module OpenProject::TextFormatting
   module Helpers
-
     ##
     # Rewrite relative URLs to their absolute paths
     # when only_path is false.

spec/lib/open_project/text_formatting/markdown/markdown_formatting_spec.rb

@@ -50,12 +50,19 @@
     )
   end
 
-  it 'should escaping' do
+  it 'escapes script tags' do
     assert_html_output(
       'this is a <script>' => 'this is a &lt;script&gt;'
     )
   end
 
+  it 'limits `a` tags and hardens them against tabnabbing' do
+    assert_html_output(
+      'this is a <a style="display:none;" href="http://malicious">' =>
+        'this is a <a href="http://malicious" rel="noopener noreferrer">'
+    )
+  end
+
   it 'should use of backslashes followed by numbers in headers' do
     html = <<-HTML.strip_heredoc
       <h1 id="20090209">
@@ -128,7 +135,7 @@
           assert_html_output(
             {
               'Link to [relative path](/foo/bar)' =>
-                %(Link to <a href="/foo/bar">relative path</a>),
+                %(Link to <a href="/foo/bar" rel="noopener noreferrer">relative path</a>),
               'An inline image ![](/attachments/123/foobar.png)' =>
                 %(An inline image <img src="/attachments/123/foobar.png" alt="" />)
             },
@@ -152,7 +159,7 @@
           assert_html_output(
             {
               'Link to [relative path](/foo/bar)' =>
-                %(Link to <a href="http://openproject.org/foo/bar">relative path</a>),
+                %(Link to <a href="http://openproject.org/foo/bar" rel="noopener noreferrer">relative path</a>),
               'An inline image ![](/attachments/123/foobar.png)' =>
                 %(An inline image <img src="http://openproject.org/attachments/123/foobar.png" alt="" />)
             },

spec/models/queries/work_packages/manual_sorting_spec.rb

@@ -32,8 +32,16 @@
   shared_let(:user) { FactoryBot.create :admin }
   shared_let(:project) { FactoryBot.create :project }
   shared_let(:query) { FactoryBot.create :query, user: user, project: project }
-  shared_let(:wp_1) { FactoryBot.create :work_package, project: project }
-  shared_let(:wp_2) { FactoryBot.create :work_package, project: project }
+  shared_let(:wp_1) do
+    User.execute_as user do
+      FactoryBot.create :work_package, project: project
+    end
+  end
+  shared_let(:wp_2) do
+    User.execute_as user do
+      FactoryBot.create :work_package, project: project
+    end
+  end
 
   before do
     login_as user

spec/requests/api/v3/render_resource_spec.rb

@@ -70,7 +70,7 @@
             it_behaves_like 'valid response' do
               let(:text) do
                 '<p>Hello World! This <em>is</em> markdown with a ' +
-                  '<a href="http://community.openproject.org">link</a> ' +
+                  '<a href="http://community.openproject.org" rel="noopener noreferrer">link</a> ' +
                   'and ümläutß.</p>'
               end
             end