Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-11-24 11:52:34 +01:00
Code Issues Releases Wiki Activity

Fixes minor vulnerability when using target="_blank" on links (RSPEC-5148)

Browse Source
This commit is contained in:
Nickolas Gupton 2021-05-24 16:17:08 -04:00
parent df0e03cd07
commit 7a6f21648a
7 changed files with 12 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
resources/views/api-docs/index.blade.php
View File

@ -190,7 +190,7 @@
<h5 id="{{ $endpoint['name'] }}" class="text-mono mb-m"> <h5 id="{{ $endpoint['name'] }}" class="text-mono mb-m">
<span class="api-method" data-method="{{ $endpoint['method'] }}">{{ $endpoint['method'] }}</span> <span class="api-method" data-method="{{ $endpoint['method'] }}">{{ $endpoint['method'] }}</span>
@if($endpoint['controller_method_kebab'] === 'list') @if($endpoint['controller_method_kebab'] === 'list')
<a style="color: inherit;" target="_blank" href="{{ url($endpoint['uri']) }}">{{ url($endpoint['uri']) }}</a> <a style="color: inherit;" target="_blank" rel="noopener" href="{{ url($endpoint['uri']) }}">{{ url($endpoint['uri']) }}</a>
@else @else
{{ url($endpoint['uri']) }} {{ url($endpoint['uri']) }}
@endif @endif

2
resources/views/attachments/manager-list.blade.php
View File

@ -7,7 +7,7 @@
class="card drag-card"> class="card drag-card">
<div class="handle">@icon('grip')</div> <div class="handle">@icon('grip')</div>
<div class="py-s"> <div class="py-s">
<a href="{{ $attachment->getUrl() }}" target="_blank">{{ $attachment->name }}</a> <a href="{{ $attachment->getUrl() }}" target="_blank" rel="noopener">{{ $attachment->name }}</a>
</div> </div>
<div class="flex-fill justify-flex-end"> <div class="flex-fill justify-flex-end">
<button component="event-emit-select" <button component="event-emit-select"

2
resources/views/common/footer.blade.php
View File

@ -1,7 +1,7 @@
@if(count(setting('app-footer-links', [])) > 0) @if(count(setting('app-footer-links', [])) > 0)
<footer> <footer>
@foreach(setting('app-footer-links', []) as $link) @foreach(setting('app-footer-links', []) as $link)
<a href="{{ $link['url'] }}" target="_blank">{{ strpos($link['label'], 'trans::') === 0 ? trans(str_replace('trans::', '', $link['label'])) : $link['label'] }}</a> <a href="{{ $link['url'] }}" target="_blank" rel="noopener">{{ strpos($link['label'], 'trans::') === 0 ? trans(str_replace('trans::', '', $link['label'])) : $link['label'] }}</a>
@endforeach @endforeach
</footer> </footer>
@endif @endif

3
resources/views/components/image-manager-form.blade.php
View File

@ -7,7 +7,7 @@
option:ajax-form:url="{{ url('images/' . $image->id) }}"> option:ajax-form:url="{{ url('images/' . $image->id) }}">
<div class="image-manager-viewer"> <div class="image-manager-viewer">
<a href="{{ $image->url }}" target="_blank" class="block"> <a href="{{ $image->url }}" target="_blank" rel="noopener" class="block">
<img src="{{ $image->thumbs['display'] }}" <img src="{{ $image->thumbs['display'] }}"
alt="{{ $image->name }}" alt="{{ $image->name }}"
class="anim fadeIn" class="anim fadeIn"
@ -40,6 +40,7 @@
<li> <li>
<a href="{{ $page->url }}" <a href="{{ $page->url }}"
target="_blank" target="_blank"
rel="noopener"
class="text-neg">{{ $page->name }}</a> class="text-neg">{{ $page->name }}</a>
</li> </li>
@endforeach @endforeach

2
resources/views/components/page-picker.blade.php
View File

@ -3,7 +3,7 @@
<div page-picker> <div page-picker>
<div class="input-base"> <div class="input-base">
<span @if($value) style="display: none" @endif page-picker-default class="text-muted italic">{{ $placeholder }}</span> <span @if($value) style="display: none" @endif page-picker-default class="text-muted italic">{{ $placeholder }}</span>
<a @if(!$value) style="display: none" @endif href="{{ url('/link/' . $value) }}" target="_blank" class="text-page" page-picker-display>#{{$value}}, {{$value ? \BookStack\Entities\Models\Page::find($value)->name : '' }}</a> <a @if(!$value) style="display: none" @endif href="{{ url('/link/' . $value) }}" target="_blank" rel="noopener" class="text-page" page-picker-display>#{{$value}}, {{$value ? \BookStack\Entities\Models\Page::find($value)->name : '' }}</a>
</div> </div>
<br> <br>
<input type="hidden" value="{{$value}}" name="{{$name}}" id="{{$name}}"> <input type="hidden" value="{{$value}}" name="{{$name}}" id="{{$name}}">

6
resources/views/pages/revisions.blade.php
View File

@ -41,14 +41,14 @@
<td><small>{{ $revision->created_at->formatLocalized('%e %B %Y %H:%M:%S') }} <br> ({{ $revision->created_at->diffForHumans() }})</small></td> <td><small>{{ $revision->created_at->formatLocalized('%e %B %Y %H:%M:%S') }} <br> ({{ $revision->created_at->diffForHumans() }})</small></td>
<td>{{ $revision->summary }}</td> <td>{{ $revision->summary }}</td>
<td class="actions"> <td class="actions">
<a href="{{ $revision->getUrl('changes') }}" target="_blank">{{ trans('entities.pages_revisions_changes') }}</a> <a href="{{ $revision->getUrl('changes') }}" target="_blank" rel="noopener">{{ trans('entities.pages_revisions_changes') }}</a>
<span class="text-muted">&nbsp;|&nbsp;</span> <span class="text-muted">&nbsp;|&nbsp;</span>
@if ($index === 0) @if ($index === 0)
<a target="_blank" href="{{ $page->getUrl() }}"><i>{{ trans('entities.pages_revisions_current') }}</i></a> <a target="_blank" rel="noopener" href="{{ $page->getUrl() }}"><i>{{ trans('entities.pages_revisions_current') }}</i></a>
@else @else
<a href="{{ $revision->getUrl() }}" target="_blank">{{ trans('entities.pages_revisions_preview') }}</a> <a href="{{ $revision->getUrl() }}" target="_blank" rel="noopener">{{ trans('entities.pages_revisions_preview') }}</a>
<span class="text-muted">&nbsp;|&nbsp;</span> <span class="text-muted">&nbsp;|&nbsp;</span>
<div component="dropdown" class="dropdown-container"> <div component="dropdown" class="dropdown-container">
<a refs="dropdown@toggle" href="#" aria-haspopup="true" aria-expanded="false">{{ trans('entities.pages_revisions_restore') }}</a> <a refs="dropdown@toggle" href="#" aria-haspopup="true" aria-expanded="false">{{ trans('entities.pages_revisions_restore') }}</a>

6
resources/views/partials/entity-export-menu.blade.php
View File

@ -5,8 +5,8 @@
<span>{{ trans('entities.export') }}</span> <span>{{ trans('entities.export') }}</span>
</div> </div>
<ul refs="dropdown@menu" class="wide dropdown-menu" role="menu"> <ul refs="dropdown@menu" class="wide dropdown-menu" role="menu">
<li><a href="{{ $entity->getUrl('/export/html') }}" target="_blank">{{ trans('entities.export_html') }} <span class="text-muted float right">.html</span></a></li> <li><a href="{{ $entity->getUrl('/export/html') }}" target="_blank" rel="noopener">{{ trans('entities.export_html') }} <span class="text-muted float right">.html</span></a></li>
<li><a href="{{ $entity->getUrl('/export/pdf') }}" target="_blank">{{ trans('entities.export_pdf') }} <span class="text-muted float right">.pdf</span></a></li> <li><a href="{{ $entity->getUrl('/export/pdf') }}" target="_blank" rel="noopener">{{ trans('entities.export_pdf') }} <span class="text-muted float right">.pdf</span></a></li>
<li><a href="{{ $entity->getUrl('/export/plaintext') }}" target="_blank">{{ trans('entities.export_text') }} <span class="text-muted float right">.txt</span></a></li> <li><a href="{{ $entity->getUrl('/export/plaintext') }}" target="_blank" rel="noopener">{{ trans('entities.export_text') }} <span class="text-muted float right">.txt</span></a></li>
</ul> </ul>
</div> </div>