comparison roundup/cgi/templating.py @ 5684:97e2125e064c
When we generate links from URL's in messages, we add rel="nofollow"
to combat link spam. This change turns that into rel="nofollow
noopener". This prevents the page at the end of the link from having
access to the roundup window that displays the link.
Details on the issue are at:
https://mathiasbynens.github.io/rel-noopener/
search web for noopener vulnerability. This problem usually requires a
target="_blank" to really exploit it and we don't provide that. But
adding noopener is extra protection.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 30 Mar 2019 21:15:33 -0400 |
| parents | fea11d05110e |
| children | 1a835db41674 |
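--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -955,11 +955,11 @@
 date_s = str(evt_date.local(timezone)).replace("."," ")
 arg_s = ''
 if action in ['link', 'unlink'] and type(args) == type(()):
 if len(args) == 3:
 linkcl, linkid, key = args
-arg_s += '<a rel="nofollow" href="%s%s">%s%s %s</a>'%(linkcl, linkid,
+arg_s += '<a rel="nofollow noopener" href="%s%s">%s%s %s</a>'%(linkcl, linkid,
 linkcl, linkid, key)
 else:
 arg_s = str(args)
 elif type(args) == type({}):
 cell = []
@@ -995,11 +995,11 @@
 raise NoTemplate('not really...')
 except NoTemplate:
 pass
 else:
 linkid = self._klass.get(self._nodeid, k, None)
-current[k] = '<a rel="nofollow" href="%s%s">%s</a>'%(
+current[k] = '<a rel="nofollow noopener" href="%s%s">%s</a>'%(
 classname, linkid, current[k])
 
 if args[k] and (isinstance(prop, hyperdb.Multilink) or
 isinstance(prop, hyperdb.Link)):
 # figure what the link class is
@@ -1050,11 +1050,11 @@
 "<strike>The linked node"
 " no longer exists</strike>")
 subml.append('<strike>%s</strike>'%label)
 else:
 if hrefable:
-subml.append('<a rel="nofollow" '
+subml.append('<a rel="nofollow noopener" '
 'href="%s%s">%s</a>'%(
 classname, linkid, label))
 elif label is None:
 subml.append('%s%s'%(classname,
 linkid))
@@ -1078,11 +1078,11 @@
 cell.append(' <strike>%s</strike>,\n'%label)
 # "flag" this is done .... euwww
 label = None
 if label is not None:
 if hrefable:
-old = '<a ref="nofollow" href="%s%s">%s</a>'%(classname,
+old = '<a ref="nofollow noopener" href="%s%s">%s</a>'%(classname,
 args[k], label)
 else:
 old = label;
 cell.append('%s: %s' % (self._(k), old))
 if k in current and current[k] is not None:
@@ -1405,11 +1405,11 @@
 
 
 
 def _hyper_repl(self, match):
 if match.group('url'):
-return self._hyper_repl_url(match, '<a href="%s" rel="nofollow">%s</a>%s')
+return self._hyper_repl_url(match, '<a href="%s" rel="nofollow noopener">%s</a>%s')
 elif match.group('email'):
 return self._hyper_repl_email(match, '<a href="mailto:%s">%s</a>')
 elif len(match.group('id')) < 10:
 return self._hyper_repl_item(match,
 '<a href="%(cls)s%(id)s">%(item)s</a>')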
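Review bot: Row 1083 in the fourth hunk still spells the attribute `ref=` instead of `rel=`, so browsers ignore it and neither nofollow nor noopener takes effect on that anchor; the commit extends the typo rather than fixing it. The line should read `old = '<a rel="nofollow noopener" href="%s%s">%s</a>'%(classname,`. The enclosing method starts and ends outside the hunk. With the same anchor prefix now repeated at five call sites, hoisting it into one module-level constant would keep the copies from drifting like this again.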
