fix(core/presentation): Make all DOMPurify'd links open in a new wind…

…ow (#7511)
spinnaker · Oct 11, 2019 · aef69cf · aef69cf
1 parent b382a22
commit aef69cf
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 12 deletions.
diff --git a/app/scripts/modules/core/src/presentation/domPurifyOpenLinksInNewWindow.ts b/app/scripts/modules/core/src/presentation/domPurifyOpenLinksInNewWindow.ts
@@ -0,0 +1,19 @@
+import * as DOMPurify from 'dompurify';
+
+export function domPurifyOpenLinksInNewWindow() {
+  // Add a hook to make all DOMPurify'd links open a new window
+  // See: https://github.com/cure53/DOMPurify/tree/master/demos#hook-to-open-all-links-in-a-new-window-link
+  DOMPurify.addHook('afterSanitizeAttributes', function(node: any) {
+    // set all elements owning target to target=_blank
+    if ('target' in node) {
+      node.setAttribute('target', '_blank');
+      // prevent https://www.owasp.org/index.php/Reverse_Tabnabbing
+      node.setAttribute('rel', 'noopener noreferrer');
+    }
+    // set non-HTML/MathML links to xlink:show=new
+    if (!node.hasAttribute('target') && (node.hasAttribute('xlink:href') || node.hasAttribute('href'))) {
+      node.setAttribute('xlink:show', 'new');
+    }
+    return node;
+  });
+}
diff --git a/app/scripts/modules/core/src/presentation/presentation.module.js b/app/scripts/modules/core/src/presentation/presentation.module.js
@@ -8,21 +8,24 @@ import { PAGE_NAVIGATOR_COMPONENT } from './navigation/pageNavigator.component';
 import { PAGE_SECTION_COMPONENT } from './navigation/pageSection.component';
 import { REPLACE_FILTER } from './replace.filter';
 import { ROBOT_TO_HUMAN_FILTER } from './robotToHumanFilter/robotToHuman.filter';
+import { domPurifyOpenLinksInNewWindow } from './domPurifyOpenLinksInNewWindow';
 
 import './flex-layout.less';
 import './details.less';
 import './main.less';
 import './navPopover.less';
 
-module.exports = angular.module('spinnaker.core.presentation', [
-  ANY_FIELD_FILTER,
-  AUTO_SCROLL_DIRECTIVE,
-  PAGE_NAVIGATOR_COMPONENT,
-  PAGE_SECTION_COMPONENT,
-  require('./collapsibleSection/collapsibleSection.directive').name,
-  require('./isVisible/isVisible.directive').name,
-  ROBOT_TO_HUMAN_FILTER,
-  require('./sortToggle/sorttoggle.directive').name,
-  require('./percent.filter').name,
-  REPLACE_FILTER,
-]);
+module.exports = angular
+  .module('spinnaker.core.presentation', [
+    ANY_FIELD_FILTER,
+    AUTO_SCROLL_DIRECTIVE,
+    PAGE_NAVIGATOR_COMPONENT,
+    PAGE_SECTION_COMPONENT,
+    require('./collapsibleSection/collapsibleSection.directive').name,
+    require('./isVisible/isVisible.directive').name,
+    ROBOT_TO_HUMAN_FILTER,
+    require('./sortToggle/sorttoggle.directive').name,
+    require('./percent.filter').name,
+    REPLACE_FILTER,
+  ])
+  .run(domPurifyOpenLinksInNewWindow);