Mercurial > p > roundup > code
view website/issues/detectors/newissuecopy.py @ 5684:97e2125e064c
When we generate links from URL's in messages, we add rel="nofollow"
to combat link spam. This change turns that into rel="nofollow
noopener". This prevents the page at the end of the link from having
access to the roundup window that displays the link.
Details on the issue are are at:
https://mathiasbynens.github.io/rel-noopener/
search web for noopener vulnerability. This problem usually requires a
target="_blank" to really exploit it and we don't provide that. But
adding noopener is extra protection.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 30 Mar 2019 21:15:33 -0400 |
| parents | 35ea9b1efc14 |
| children |
line wrap: on
line source
from roundup import roundupdb def newissuecopy(db, cl, nodeid, oldvalues): ''' Copy a message about new issues to a team address. ''' # so use all the messages in the create change_note = cl.generateCreateNote(nodeid) # send a copy to the nosy list for msgid in cl.get(nodeid, 'messages'): try: # note: last arg must be a list cl.send_message(nodeid, msgid, change_note, ['roundup-devel@lists.sourceforge.net']) except roundupdb.MessageSendError as message: raise roundupdb.DetectorError(message) def init(db): db.issue.react('create', newissuecopy) #SHA: 6ed003c947e1f9df148f8f4500b7c2e68a45229b