Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/nextcloud/server.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorMarkus Staab <markus.staab@redaxo.de>2017-10-19 13:16:04 +0300
committerMarkus Staab <markus.staab@redaxo.de>2017-10-19 13:16:04 +0300
commitdb34b59238846e5ec046a456b4f76649321571d1 (patch)
tree3efe5a2c81888f6440c43ba6450998f6434ba7ea /core
parent8e25df9690a4d953721dcdc8e61038b332774a10 (diff)
Prevent XSS in links which open a new browser window
Diffstat (limited to 'core')
-rw-r--r--core/js/setupchecks.js18
-rw-r--r--core/js/tests/specs/setupchecksSpec.js22
-rw-r--r--core/templates/installation.php6
-rw-r--r--core/templates/layout.noscript.warning.php2
-rw-r--r--core/templates/update.use-cli.php2
5 files changed, 25 insertions, 25 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 5e8ef9e6961..99e3c72d2d4 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -66,7 +66,7 @@
if (xhr.status !== 207) {
var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-setup-well-known-URL');
messages.push({
- msg: t('core', 'Your web server is not set up properly to resolve "{url}". Further information can be found in our <a target="_blank" rel="noreferrer" href="{docLink}">documentation</a>.', { docLink: docUrl, url: url }),
+ msg: t('core', 'Your web server is not set up properly to resolve "{url}". Further information can be found in our <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', { docLink: docUrl, url: url }),
type: OC.SetupChecks.MESSAGE_TYPE_INFO
});
}
@@ -100,13 +100,13 @@
}
if(!data.isMemcacheConfigured) {
messages.push({
- msg: t('core', 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a target="_blank" rel="noreferrer" href="{docLink}">documentation</a>.', {docLink: data.memcacheDocs}),
+ msg: t('core', 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', {docLink: data.memcacheDocs}),
type: OC.SetupChecks.MESSAGE_TYPE_INFO
});
}
if(!data.isUrandomAvailable) {
messages.push({
- msg: t('core', '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a target="_blank" rel="noreferrer" href="{docLink}">documentation</a>.', {docLink: data.securityDocs}),
+ msg: t('core', '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', {docLink: data.securityDocs}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
@@ -118,19 +118,19 @@
}
if(data.phpSupported && data.phpSupported.eol) {
messages.push({
- msg: t('core', 'You are currently running PHP {version}. We encourage you to upgrade your PHP version to take advantage of <a target="_blank" rel="noreferrer" href="{phpLink}">performance and security updates provided by the PHP Group</a> as soon as your distribution supports it.', {version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php'}),
+ msg: t('core', 'You are currently running PHP {version}. We encourage you to upgrade your PHP version to take advantage of <a target="_blank" rel="noreferrer noopener" href="{phpLink}">performance and security updates provided by the PHP Group</a> as soon as your distribution supports it.', {version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php'}),
type: OC.SetupChecks.MESSAGE_TYPE_INFO
});
}
if(!data.forwardedForHeadersWorking) {
messages.push({
- msg: t('core', 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our <a target="_blank" rel="noreferrer" href="{docLink}">documentation</a>.', {docLink: data.reverseProxyDocs}),
+ msg: t('core', 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', {docLink: data.reverseProxyDocs}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
if(!data.isCorrectMemcachedPHPModuleInstalled) {
messages.push({
- msg: t('core', 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the <a target="_blank" rel="noreferrer" href="{wikiLink}">memcached wiki about both modules</a>.', {wikiLink: 'https://code.google.com/p/memcached/wiki/PHPClientComparison'}),
+ msg: t('core', 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the <a target="_blank" rel="noreferrer noopener" href="{wikiLink}">memcached wiki about both modules</a>.', {wikiLink: 'https://code.google.com/p/memcached/wiki/PHPClientComparison'}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
@@ -138,7 +138,7 @@
messages.push({
msg: t(
'core',
- 'Some files have not passed the integrity check. Further information on how to resolve this issue can be found in our <a target="_blank" rel="noreferrer" href="{docLink}">documentation</a>. (<a href="{codeIntegrityDownloadEndpoint}">List of invalid files…</a> / <a href="{rescanEndpoint}">Rescan…</a>)',
+ 'Some files have not passed the integrity check. Further information on how to resolve this issue can be found in our <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>. (<a href="{codeIntegrityDownloadEndpoint}">List of invalid files…</a> / <a href="{rescanEndpoint}">Rescan…</a>)',
{
docLink: data.codeIntegrityCheckerDocumentation,
codeIntegrityDownloadEndpoint: OC.generateUrl('/settings/integrity/failed'),
@@ -152,7 +152,7 @@
messages.push({
msg: t(
'core',
- 'The PHP OPcache is not properly configured. <a target="_blank" rel="noreferrer" href="{docLink}">For better performance we recommend</a> to use following settings in the <code>php.ini</code>:',
+ 'The PHP OPcache is not properly configured. <a target="_blank" rel="noreferrer noopener" href="{docLink}">For better performance we recommend</a> to use following settings in the <code>php.ini</code>:',
{
docLink: data.phpOpcacheDocumentation,
}
@@ -300,7 +300,7 @@
var minimumSeconds = 15552000;
if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
messages.push({
- msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to at least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}" rel="noreferrer">security tips</a>.', {'seconds': minimumSeconds, docUrl: tipsUrl}),
+ msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to at least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}" rel="noreferrer noopener">security tips</a>.', {'seconds': minimumSeconds, docUrl: tipsUrl}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index 35279f3501e..3df676099b7 100644
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
@@ -68,7 +68,7 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){
expect(data).toEqual([{
- msg: 'Your web server is not set up properly to resolve "/.well-known/caldav/". Further information can be found in our <a href="http://example.org/admin-setup-well-known-URL" rel="noreferrer">documentation</a>.',
+ msg: 'Your web server is not set up properly to resolve "/.well-known/caldav/". Further information can be found in our <a href="http://example.org/admin-setup-well-known-URL" rel="noreferrer noopener">documentation</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}]);
done();
@@ -166,7 +166,7 @@ describe('OC.SetupChecks tests', function() {
msg: 'This server has no working Internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. We suggest to enable Internet connection for this server if you want to have all features.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}, {
- msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a href="https://docs.nextcloud.com/server/go.php?to=admin-performance" rel="noreferrer">documentation</a>.',
+ msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a href="https://docs.nextcloud.com/server/go.php?to=admin-performance" rel="noreferrer noopener">documentation</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}]);
done();
@@ -200,7 +200,7 @@ describe('OC.SetupChecks tests', function() {
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
},
{
- msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a href="https://docs.nextcloud.com/server/go.php?to=admin-performance" rel="noreferrer">documentation</a>.',
+ msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a href="https://docs.nextcloud.com/server/go.php?to=admin-performance" rel="noreferrer noopener">documentation</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}]);
done();
@@ -261,7 +261,7 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){
expect(data).toEqual([{
- msg: '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a href="https://docs.owncloud.org/myDocs.html" rel="noreferrer">documentation</a>.',
+ msg: '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a href="https://docs.owncloud.org/myDocs.html" rel="noreferrer noopener">documentation</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
@@ -291,7 +291,7 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){
expect(data).toEqual([{
- msg: 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the <a href="https://code.google.com/p/memcached/wiki/PHPClientComparison" rel="noreferrer">memcached wiki about both modules</a>.',
+ msg: 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the <a href="https://code.google.com/p/memcached/wiki/PHPClientComparison" rel="noreferrer noopener">memcached wiki about both modules</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
@@ -321,7 +321,7 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){
expect(data).toEqual([{
- msg: 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our <a href="https://docs.owncloud.org/foo/bar.html" rel="noreferrer">documentation</a>.',
+ msg: 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our <a href="https://docs.owncloud.org/foo/bar.html" rel="noreferrer noopener">documentation</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
@@ -402,7 +402,7 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){
expect(data).toEqual([{
- msg: 'You are currently running PHP 5.4.0. We encourage you to upgrade your PHP version to take advantage of <a href="https://secure.php.net/supported-versions.php" rel="noreferrer">performance and security updates provided by the PHP Group</a> as soon as your distribution supports it.',
+ msg: 'You are currently running PHP 5.4.0. We encourage you to upgrade your PHP version to take advantage of <a href="https://secure.php.net/supported-versions.php" rel="noreferrer noopener">performance and security updates provided by the PHP Group</a> as soon as your distribution supports it.',
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}]);
done();
@@ -433,7 +433,7 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){
expect(data).toEqual([{
- msg: 'The PHP OPcache is not properly configured. <a href="https://example.org/link/to/doc" rel="noreferrer">For better performance we recommend</a> to use following settings in the <code>php.ini</code>:' + "<pre><code>opcache.enable=1\nopcache.enable_cli=1\nopcache.interned_strings_buffer=8\nopcache.max_accelerated_files=10000\nopcache.memory_consumption=128\nopcache.save_comments=1\nopcache.revalidate_freq=1</code></pre>",
+ msg: 'The PHP OPcache is not properly configured. <a href="https://example.org/link/to/doc" rel="noreferrer noopener">For better performance we recommend</a> to use following settings in the <code>php.ini</code>:' + "<pre><code>opcache.enable=1\nopcache.enable_cli=1\nopcache.interned_strings_buffer=8\nopcache.max_accelerated_files=10000\nopcache.memory_consumption=128\nopcache.save_comments=1\nopcache.revalidate_freq=1</code></pre>",
type: OC.SetupChecks.MESSAGE_TYPE_INFO
}]);
done();
@@ -617,7 +617,7 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){
expect(data).toEqual([{
- msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a rel="noreferrer" href="http://localhost/index.php/settings/admin/tips-tricks">security tips</a>.',
+ msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a rel="noreferrer noopener" href="http://localhost/index.php/settings/admin/tips-tricks">security tips</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
@@ -642,7 +642,7 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){
expect(data).toEqual([{
- msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a rel="noreferrer" href="http://localhost/index.php/settings/admin/tips-tricks">security tips</a>.',
+ msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a rel="noreferrer noopener" href="http://localhost/index.php/settings/admin/tips-tricks">security tips</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
@@ -667,7 +667,7 @@ describe('OC.SetupChecks tests', function() {
async.done(function( data, s, x ){
expect(data).toEqual([{
- msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a rel="noreferrer" href="http://localhost/index.php/settings/admin/tips-tricks">security tips</a>.',
+ msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a rel="noreferrer noopener" href="http://localhost/index.php/settings/admin/tips-tricks">security tips</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
diff --git a/core/templates/installation.php b/core/templates/installation.php
index 6a0e3f93857..0d274f0f881 100644
--- a/core/templates/installation.php
+++ b/core/templates/installation.php
@@ -30,7 +30,7 @@ script('core', [
<legend><strong><?php p($l->t('Security warning'));?></strong></legend>
<p><?php p($l->t('Your data directory and files are probably accessible from the internet because the .htaccess file does not work.'));?><br>
<?php print_unescaped($l->t(
- 'For information how to properly configure your server, please see the <a href="%s" target="_blank" rel="noreferrer">documentation</a>.',
+ 'For information how to properly configure your server, please see the <a href="%s" target="_blank" rel="noreferrer noopener">documentation</a>.',
link_to_docs('admin-install')
)); ?></p>
</fieldset>
@@ -84,7 +84,7 @@ script('core', [
<p class="info">
<?php p($l->t( 'Only %s is available.', array($label) )); ?>
<?php p($l->t( 'Install and activate additional PHP modules to choose other database types.' )); ?><br>
- <a href="<?php print_unescaped(link_to_docs('admin-source_install')); ?>" target="_blank" rel="noreferrer">
+ <a href="<?php print_unescaped(link_to_docs('admin-source_install')); ?>" target="_blank" rel="noreferrer noopener">
<?php p($l->t( 'For more details check out the documentation.' )); ?> ↗</a>
</p>
<input type="hidden" id="dbtype" name="dbtype" value="<?php p($type) ?>">
@@ -166,6 +166,6 @@ script('core', [
<p class="info">
<span class="icon-info-white"></span>
<?php p($l->t('Need help?'));?>
- <a target="_blank" rel="noreferrer" href="<?php p(link_to_docs('admin-install')); ?>"><?php p($l->t('See the documentation'));?> ↗</a>
+ <a target="_blank" rel="noreferrer noopener" href="<?php p(link_to_docs('admin-install')); ?>"><?php p($l->t('See the documentation'));?> ↗</a>
</p>
</form>
diff --git a/core/templates/layout.noscript.warning.php b/core/templates/layout.noscript.warning.php
index c7776bd33c4..7d7a32bfbf4 100644
--- a/core/templates/layout.noscript.warning.php
+++ b/core/templates/layout.noscript.warning.php
@@ -3,7 +3,7 @@
<div>
<?php print_unescaped(str_replace(
['{linkstart}', '{linkend}'],
- ['<a href="https://www.enable-javascript.com/" target="_blank" rel="noreferrer">', '</a>'],
+ ['<a href="https://www.enable-javascript.com/" target="_blank" rel="noreferrer noopener">', '</a>'],
$l->t('This application requires JavaScript for correct operation. Please {linkstart}enable JavaScript{linkend} and reload the page.')
)); ?>
</div>
diff --git a/core/templates/update.use-cli.php b/core/templates/update.use-cli.php
index d30e15c8573..06d7e284907 100644
--- a/core/templates/update.use-cli.php
+++ b/core/templates/update.use-cli.php
@@ -8,7 +8,7 @@
p($l->t('Please use the command line updater because automatic updating is disabled in the config.php.'));
} ?><br><br>
<?php
- print_unescaped($l->t('For help, see the <a target="_blank" rel="noreferrer" href="%s">documentation</a>.', [link_to_docs('admin-cli-upgrade')])); ?><br><br>
+ print_unescaped($l->t('For help, see the <a target="_blank" rel="noreferrer noopener" href="%s">documentation</a>.', [link_to_docs('admin-cli-upgrade')])); ?><br><br>
</div>
</div>
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-16 01:33:40 +0300