Commit df99fa8c authored by JC Brand's avatar JC Brand

Use `rel=noopener` with links that contain `target=_blank`...

to prevent potential phishing attacks.

More info here: https://mathiasbynens.github.io/rel-noopener
parent 4f8c46c4
......@@ -7,6 +7,8 @@
encrypted session. [jcbrand]
- Bugfix: RID, SID and JID tokens ignored when `keepalive` set to `true`. [jcbrand]
- Removed the `account.logout` API, instead use `user.logout`. [jcbrand]
- Use `rel=noopener` with links that contain `target=_blank` to prevent potential phishing attacks.
[More info here](https://mathiasbynens.github.io/rel-noopener/) [jcbrand]
- #261 `show_controlbox_by_default` config not working [diditopher]
- #443 HTML5 notifications of received messages [jcbrand]
- #534 Updated Russian translation [badfiles]
......
......@@ -7,7 +7,7 @@
<a class="chatbox-btn toggle-chatbox-button icon-minus" title="{{info_minimize}}"></a>
<div class="chat-title">
{[ if (url) { ]}
<a href="{{url}}" target="_blank" class="user">
<a href="{{url}}" target="_blank" rel="noopener" class="user">
{[ } ]}
{{ title }}
{[ if (url) { ]}
......
......@@ -2,6 +2,6 @@
<span class="reg-feedback"></span>
<label>{{label_domain}}</label>
<input type="text" name="domain" placeholder="{{domain_placeholder}}">
<p class="form-help">{{help_providers}} <a href="{{href_providers}}" class="url" target="_blank">{{help_providers_link}}</a>.</p>
<p class="form-help">{{help_providers}} <a href="{{href_providers}}" class="url" target="_blank" rel="noopener">{{help_providers_link}}</a>.</p>
<input class="pure-button button-primary" type="submit" value="{{label_register}}">
</form>
......@@ -25,7 +25,7 @@
{[ if (otr_status == UNVERIFIED) { ]}
<li><a class="auth-otr" data-scheme="fingerprint" href="#">{{label_verify_with_fingerprints}}</a></li>
{[ } ]}
<li><a href="http://www.cypherpunks.ca/otr/help/3.2.0/levels.php" target="_blank">{{label_whats_this}}</a></li>
<li><a href="http://www.cypherpunks.ca/otr/help/3.2.0/levels.php" target="_blank" rel="noopener">{{label_whats_this}}</a></li>
</ul>
</li>
{[ } ]}
......@@ -43,7 +43,7 @@
for (i=0; i<list.length; i++) {
var prot = list[i].indexOf('http://') === 0 || list[i].indexOf('https://') === 0 ? '' : 'http://';
var escaped_url = encodeURI(decodeURI(list[i])).replace(/[!'()]/g, escape).replace(/\*/g, "%2A");
x = x.replace(list[i], "<a target='_blank' href='" + prot + escaped_url + "'>"+ list[i] + "</a>" );
x = x.replace(list[i], '<a target="_blank" rel="noopener" href="' + prot + escaped_url + '">'+ list[i] + '</a>' );
}
}
$(obj).html(x);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment