diff roundup/cgi/templating.py @ 5684:97e2125e064c

When we generate links from URLs in messages, we add rel="nofollow" to combat link spam. This change turns that into rel="nofollow noopener". This prevents the page at the end of the link from having access to the roundup window that displays the link. Details on the issue are at: https://mathiasbynens.github.io/rel-noopener/ search web for noopener vulnerability. This problem usually requires a target="_blank" to really exploit it and we don't provide that. But adding noopener is extra protection.
author John Rouillard <rouilj@ieee.org>
date Sat, 30 Mar 2019 21:15:33 -0400
parents fea11d05110e
children 1a835db41674
--- a/roundup/cgi/templating.py	Sat Mar 30 16:19:00 2019 -0400
+++ b/roundup/cgi/templating.py	Sat Mar 30 21:15:33 2019 -0400
@@ -957,7 +957,7 @@
             if action in ['link', 'unlink'] and type(args) == type(()):
                 if len(args) == 3:
                     linkcl, linkid, key = args
-                    arg_s += '<a rel="nofollow" href="%s%s">%s%s %s</a>'%(linkcl, linkid,
+                    arg_s += '<a rel="nofollow noopener" href="%s%s">%s%s %s</a>'%(linkcl, linkid,
                         linkcl, linkid, key)
                 else:
                     arg_s = str(args)
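Review bot: The `rel="nofollow noopener"` literal on the changed line is hand-copied into five separate format strings in this commit (this hunk and the hunks at 997, 1052, 1080 and 1407), which is exactly how the `ref=` misspelling in the 1080 hunk survived the sweep. A single module-level constant would define the attribute once, e.g. `LINK_REL = 'rel="nofollow noopener"'` and here `arg_s += '<a %s href="%s%s">%s%s %s</a>' % (LINK_REL, linkcl, linkid, linkcl, linkid, key)`, with the other four sites substituting it the same way. The enclosing method starts outside this hunk.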
@@ -997,7 +997,7 @@
                                     pass
                                 else:
                                     linkid = self._klass.get(self._nodeid, k, None)
-                                    current[k] = '<a rel="nofollow" href="%s%s">%s</a>'%(
+                                    current[k] = '<a rel="nofollow noopener" href="%s%s">%s</a>'%(
                                         classname, linkid, current[k])
 
                     if args[k] and (isinstance(prop, hyperdb.Multilink) or
@@ -1052,7 +1052,7 @@
                                     subml.append('<strike>%s</strike>'%label)
                                 else:
                                     if hrefable:
-                                        subml.append('<a rel="nofollow" '
+                                        subml.append('<a rel="nofollow noopener" '
                                                      'href="%s%s">%s</a>'%(
                                             classname, linkid, label))
                                     elif label is None:
@@ -1080,7 +1080,7 @@
                                 label = None
                         if label is not None:
                             if hrefable:
-                                old = '<a ref="nofollow" href="%s%s">%s</a>'%(classname,
+                                old = '<a ref="nofollow noopener" href="%s%s">%s</a>'%(classname,
                                     args[k], label)
                             else:
                                 old = label;
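Review bot: The changed line writes `ref="nofollow noopener"`; `ref` is not an HTML attribute, so neither `nofollow` nor `noopener` is applied to this link and the commit's intent is not met at this site. It should read `old = '<a rel="nofollow noopener" href="%s%s">%s</a>'%(classname,` with the continuation line unchanged. The enclosing function starts and ends outside this hunk.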
@@ -1407,7 +1407,7 @@
 
     def _hyper_repl(self, match):
         if match.group('url'):
-            return self._hyper_repl_url(match, '<a href="%s" rel="nofollow">%s</a>%s')
+            return self._hyper_repl_url(match, '<a href="%s" rel="nofollow noopener">%s</a>%s')
         elif match.group('email'):
             return self._hyper_repl_email(match, '<a href="mailto:%s">%s</a>')
         elif len(match.group('id')) < 10:
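Review bot: The value substituted into `href="%s"` on the changed line is the URL captured by `match.group('url')` from message text, so whatever escaping `_hyper_repl_url` performs (it is outside this hunk) is what keeps a `"` inside that URL from closing the attribute; `noopener` does not cover that case. It would be worth confirming the helper attribute-escapes the URL before the `%s` substitution and recording the expectation next to the call, e.g. `# url comes from message text; _hyper_repl_url must attribute-escape it before substitution`. `_hyper_repl` continues past the end of this hunk.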
