comparison test/test_templating.py @ 5684:97e2125e064c
When we generate links from URL's in messages, we add rel="nofollow"
to combat link spam. This change turns that into rel="nofollow
noopener". This prevents the page at the end of the link from having
access to the roundup window that displays the link.
Details on the issue are at:
https://mathiasbynens.github.io/rel-noopener/
search web for noopener vulnerability. This problem usually requires a
target="_blank" to really exploit it and we don't provide that. But
adding noopener is extra protection.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 30 Mar 2019 21:15:33 -0400 |
| parents | f8893e1cde0d |
| children | 6aad7b194e63 |
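--- a/test/test_templating.py
+++ b/test/test_templating.py
@@ -262,41 +262,41 @@
 p = StringHTMLProperty(self.client, 'test', '1', None, 'test', '')
 def t(s): return p.hyper_re.sub(p._hyper_repl, s)
 ae = self.assertEqual
 ae(t('item123123123123'), 'item123123123123')
 ae(t('http://roundup.net/'),
-'<a href="http://roundup.net/" rel="nofollow">http://roundup.net/</a>')
+'<a href="http://roundup.net/" rel="nofollow noopener">http://roundup.net/</a>')
 ae(t('<HTTP://roundup.net/>'),
-'<<a href="HTTP://roundup.net/" rel="nofollow">HTTP://roundup.net/</a>>')
+'<<a href="HTTP://roundup.net/" rel="nofollow noopener">HTTP://roundup.net/</a>>')
 ae(t('<http://roundup.net/>.'),
-'<<a href="http://roundup.net/" rel="nofollow">http://roundup.net/</a>>.')
+'<<a href="http://roundup.net/" rel="nofollow noopener">http://roundup.net/</a>>.')
 ae(t('<www.roundup.net>'),
-'<<a href="http://www.roundup.net" rel="nofollow">www.roundup.net</a>>')
+'<<a href="http://www.roundup.net" rel="nofollow noopener">www.roundup.net</a>>')
 ae(t('(www.roundup.net)'),
-'(<a href="http://www.roundup.net" rel="nofollow">www.roundup.net</a>)')
+'(<a href="http://www.roundup.net" rel="nofollow noopener">www.roundup.net</a>)')
 ae(t('foo http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx bar'),
-'foo <a href="http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx" rel="nofollow">'
+'foo <a href="http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx" rel="nofollow noopener">'
 'http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx</a> bar')
 ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language))'),
-'(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow">'
+'(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow noopener">'
 'http://en.wikipedia.org/wiki/Python_(programming_language)</a>)')
 ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language)).'),
-'(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow">'
+'(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow noopener">'
 'http://en.wikipedia.org/wiki/Python_(programming_language)</a>).')
 ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language))>.'),
-'(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow">'
+'(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow noopener">'
 'http://en.wikipedia.org/wiki/Python_(programming_language)</a>)>.')
 ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language>)).'),
-'(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language" rel="nofollow">'
+'(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language" rel="nofollow noopener">'
 'http://en.wikipedia.org/wiki/Python_(programming_language</a>>)).')
 for c in '.,;:!':
 # trailing punctuation is not included
 ae(t('http://roundup.net/%c ' % c),
-'<a href="http://roundup.net/" rel="nofollow">http://roundup.net/</a>%c ' % c)
+'<a href="http://roundup.net/" rel="nofollow noopener">http://roundup.net/</a>%c ' % c)
 # but it's included if it's part of the URL
 ae(t('http://roundup.net/%c/' % c),
-'<a href="http://roundup.net/%c/" rel="nofollow">http://roundup.net/%c/</a>' % (c, c))
+'<a href="http://roundup.net/%c/" rel="nofollow noopener">http://roundup.net/%c/</a>' % (c, c))
 
 '''
 class HTMLPermissions:
 def is_edit_ok(self):
 def is_view_ok(self):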
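Review bot: The twelve rewritten assertions in this section each repeat the literal `rel="nofollow noopener"`, so the next change to the link attributes (adding `noreferrer` as the fallback for browsers that predate `noopener`, for instance) means editing every expected string again; hoisting it into one local such as `rel = 'rel="nofollow noopener"'` and formatting the expected strings with it would keep the test maintainable. The test also does not pin the property the commit message relies on — that no `target` attribute is emitted alongside the link — and a line like `self.assertNotIn('target=', t('http://roundup.net/'))` would make that explicit. The enclosing test method begins before this section, and the markup under test is produced by `_hyper_repl`, which lives in a file not shown here.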
