diff test/test_templating.py @ 5684:97e2125e064c
When we generate links from URL's in messages, we add rel="nofollow"
to combat link spam. This change turns that into rel="nofollow
noopener". This prevents the page at the end of the link from having
access to the roundup window that displays the link.
Details on the issue are at:
https://mathiasbynens.github.io/rel-noopener/
or search the web for "noopener vulnerability". This problem usually requires a
target="_blank" to really exploit it, and we don't provide that. But
adding noopener is extra protection.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 30 Mar 2019 21:15:33 -0400 |
| parents | f8893e1cde0d |
| children | 6aad7b194e63 |
--- a/test/test_templating.py Sat Mar 30 16:19:00 2019 -0400
+++ b/test/test_templating.py Sat Mar 30 21:15:33 2019 -0400
@@ -264,37 +264,37 @@
 ae = self.assertEqual
 ae(t('item123123123123'), 'item123123123123')
 ae(t('http://roundup.net/'),
- '<a href="http://roundup.net/" rel="nofollow">http://roundup.net/</a>')
+ '<a href="http://roundup.net/" rel="nofollow noopener">http://roundup.net/</a>')
 ae(t('<HTTP://roundup.net/>'),
- '<<a href="HTTP://roundup.net/" rel="nofollow">HTTP://roundup.net/</a>>')
+ '<<a href="HTTP://roundup.net/" rel="nofollow noopener">HTTP://roundup.net/</a>>')
 ae(t('<http://roundup.net/>.'),
- '<<a href="http://roundup.net/" rel="nofollow">http://roundup.net/</a>>.')
+ '<<a href="http://roundup.net/" rel="nofollow noopener">http://roundup.net/</a>>.')
 ae(t('<www.roundup.net>'),
- '<<a href="http://www.roundup.net" rel="nofollow">www.roundup.net</a>>')
+ '<<a href="http://www.roundup.net" rel="nofollow noopener">www.roundup.net</a>>')
 ae(t('(www.roundup.net)'),
- '(<a href="http://www.roundup.net" rel="nofollow">www.roundup.net</a>)')
+ '(<a href="http://www.roundup.net" rel="nofollow noopener">www.roundup.net</a>)')
 ae(t('foo http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx bar'),
- 'foo <a href="http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx" rel="nofollow">'
+ 'foo <a href="http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx" rel="nofollow noopener">'
 'http://msdn.microsoft.com/en-us/library/ms741540(VS.85).aspx</a> bar')
 ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language))'),
- '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow">'
+ '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow noopener">'
 'http://en.wikipedia.org/wiki/Python_(programming_language)</a>)')
 ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language)).'),
- '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow">'
+ '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow noopener">'
 'http://en.wikipedia.org/wiki/Python_(programming_language)</a>).')
 ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language))>.'),
- '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow">'
+ '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language)" rel="nofollow noopener">'
 'http://en.wikipedia.org/wiki/Python_(programming_language)</a>)>.')
 ae(t('(e.g. http://en.wikipedia.org/wiki/Python_(programming_language>)).'),
- '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language" rel="nofollow">'
+ '(e.g. <a href="http://en.wikipedia.org/wiki/Python_(programming_language" rel="nofollow noopener">'
 'http://en.wikipedia.org/wiki/Python_(programming_language</a>>)).')
 for c in '.,;:!':
 # trailing punctuation is not included
 ae(t('http://roundup.net/%c ' % c),
- '<a href="http://roundup.net/" rel="nofollow">http://roundup.net/</a>%c ' % c)
+ '<a href="http://roundup.net/" rel="nofollow noopener">http://roundup.net/</a>%c ' % c)
 # but it's included if it's part of the URL
 ae(t('http://roundup.net/%c/' % c),
- '<a href="http://roundup.net/%c/" rel="nofollow">http://roundup.net/%c/</a>' % (c, c))
+ '<a href="http://roundup.net/%c/" rel="nofollow noopener">http://roundup.net/%c/</a>' % (c, c))
 '''
 class HTMLPermissions:
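Review bot: Every expectation added in this hunk pins the `rel` attribute as the exact text `nofollow noopener`, although `rel` is an unordered, space-separated token list, so any later change to the emitted token set or order (for example adding `noreferrer`, which the rel-noopener write-up linked in the description recommends for browsers that predate `noopener` support) means editing all twelve strings again. A one-line comment above the first assertion, `# rel is emitted as the literal "nofollow noopener"; keep these expectations in sync with the link generator`, would make that coupling explicit, and a small helper that extracts the anchor's `rel` value and compares `set(rel.split())` would make the tests robust to ordering. The enclosing test method starts before this hunk, and the trailing `'''` / `class HTMLPermissions:` context appears to belong to a following string block rather than to this test.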
