
Fix tabnabbing vulnerability in Snow theme #2439

Merged
merged 2 commits into from Dec 28, 2018

Conversation

Projects
None yet
2 participants
@jonathanlloyd
Contributor

commented Dec 21, 2018

Fixes #2438

The link has the target attribute set to _blank but has no rel property. This means that documents containing untrusted links make the page they are embedded in susceptible to tabnabbing https://www.owasp.org/index.php/Reverse_Tabnabbing.
This PR sets the rel property to noopener (also noreferrer and nofollow).

@@ -70,7 +70,7 @@ class SnowTooltip extends BaseTooltip {
}
}
SnowTooltip.TEMPLATE = [
'<a class="ql-preview" target="_blank" href="about:blank"></a>',
'<a class="ql-preview" rel="noopener noreferrer nofollow" target="_blank" href="about:blank"></a>',
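Review bot: the `rel` value in the changed template line mixes the mitigation with an unrelated hint: `noopener` is the token that stops the opened document from reaching the editor page through `window.opener`, and `noreferrer` additionally withholds the Referer header, but `nofollow` only instructs search-engine crawlers and has no effect on tabnabbing. Suggest trimming the line to `rel="noopener noreferrer"` so the template states exactly what the fix needs, and noting in the PR description which token carries the security fix.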

@jhchen

jhchen Dec 26, 2018

Member

nofollow does not seem relevant to tabnabbing?

@jonathanlloyd

jonathanlloyd Dec 28, 2018

Author Contributor

Fair, noopener is sufficient to mitigate tabnabbing. I've left in noreferrer for privacy reasons but can remove that too if you think it's too much.

@jhchen

jhchen Dec 28, 2018

Member

That's fine, these two are what React's linter suggests as well.
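The check and fix discussed in this thread, as an added example that is not part of this PR or of Quill's own code: an audit that flags `target="_blank"` anchors with no `noopener`/`noreferrer` in `rel`, and a rewrite that adds those tokens while keeping any `rel` tokens the author already set. The function names and the sample markup (which includes the pre-fix Snow template line) are constructed for this example.

```javascript
// Added example, not Quill's code. Tabnabbing is possible because a document
// opened via target="_blank" receives a window.opener reference to the page
// that linked it; rel="noopener" severs that reference, and rel="noreferrer"
// additionally suppresses the Referer header.

const TAG_RE = /<a\b[^>]*>/gi;

// Parse the attributes of one opening <a ...> tag into a plain object.
// Handles double-quoted, single-quoted and bare values; duplicates keep the first.
function parseAttrs(tag) {
  const attrs = {};
  const inner = tag.replace(/^<a\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Split a rel attribute into a set of lower-case tokens.
function relTokens(rel) {
  return new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

function opensNewContextUnsafely(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = relTokens(attrs.rel);
  // noreferrer implies noopener in current browsers, so either token is enough.
  return !rel.has('noopener') && !rel.has('noreferrer');
}

// Report every anchor that opens a new browsing context without severing
// the opener relationship.
function auditTargetBlankLinks(html) {
  const findings = [];
  for (const tag of html.match(TAG_RE) || []) {
    const attrs = parseAttrs(tag);
    if (opensNewContextUnsafely(attrs)) {
      findings.push({ tag, href: attrs.href || '', rel: attrs.rel || '' });
    }
  }
  return findings;
}

// Rewrite the markup so every unsafe target="_blank" anchor carries
// noopener and noreferrer; anchors that are already safe are left untouched.
function hardenTargetBlankLinks(html) {
  return html.replace(TAG_RE, (tag) => {
    const attrs = parseAttrs(tag);
    if (!opensNewContextUnsafely(attrs)) return tag;
    const rel = relTokens(attrs.rel);
    rel.add('noopener');
    rel.add('noreferrer');
    const relValue = [...rel].join(' ');
    if ('rel' in attrs) {
      // Replace the existing rel value in place, whatever quoting it used.
      return tag.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, ` rel="${relValue}"`);
    }
    return tag.replace(/^<a\b/i, `<a rel="${relValue}"`);
  });
}

// Constructed sample: the pre-fix Snow tooltip template line plus three
// other anchors covering the safe, same-tab and partially-labelled cases.
const SAMPLE_HTML = [
  '<a class="ql-preview" target="_blank" href="about:blank"></a>',
  '<a href="https://example.com/docs" target="_blank" rel="nofollow">docs</a>',
  '<a href="/local" target="_self">same tab</a>',
  "<a href='https://example.com/safe' target='_blank' rel='noopener'>safe</a>",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditTargetBlankLinks(SAMPLE_HTML)); // two findings: the Snow line and the nofollow-only link
  console.log(hardenTargetBlankLinks(SAMPLE_HTML));
}

module.exports = { parseAttrs, auditTargetBlankLinks, hardenTargetBlankLinks, SAMPLE_HTML };
```

Running the audit over serialized editor output (or over templates in a build step) catches the class of bug this PR fixes before it ships; the rewrite shows the minimal change that closes it, which for the Snow template is exactly the added `rel` attribute in the diff above.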

@jonathanlloyd jonathanlloyd force-pushed the pusher:fix-snow-tabnabbing-vuln branch from 0340cbb to 99a85c1 Dec 28, 2018

@jhchen jhchen merged commit aceaf9f into quilljs:develop Dec 28, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@jhchen

Member

commented Dec 28, 2018

Thanks for the PR!
