From db34b59238846e5ec046a456b4f76649321571d1 Mon Sep 17 00:00:00 2001
From: Markus Staab <markus.staab@redaxo.de>
Date: Thu, 19 Oct 2017 12:16:04 +0200
Subject: Prevent XSS in links which open a new browser window

---
 apps/federatedfilesharing/templates/settings-admin.php    | 2 +-
 apps/federatedfilesharing/templates/settings-personal.php | 4 ++--
 apps/files/templates/appnavigation.php                    | 2 +-
 apps/theming/lib/ThemingDefaults.php                      | 2 +-
 apps/theming/tests/ThemingDefaultsTest.php                | 4 ++--
 apps/user_ldap/templates/part.settingcontrols.php         | 2 +-
 apps/user_ldap/templates/part.wizardcontrols.php          | 2 +-
 apps/workflowengine/templates/admin.php                   | 2 +-
 8 files changed, 10 insertions(+), 10 deletions(-)

(limited to 'apps')

diff --git a/apps/federatedfilesharing/templates/settings-admin.php b/apps/federatedfilesharing/templates/settings-admin.php
index 7fe1b5f62e6..8d04169ea89 100644
--- a/apps/federatedfilesharing/templates/settings-admin.php
+++ b/apps/federatedfilesharing/templates/settings-admin.php
@@ -8,7 +8,7 @@ script('federatedfilesharing', 'settings-admin');
 
 <div id="fileSharingSettings" class="followupsection">
 	<h3><?php p($l->t('Federated Cloud Sharing'));?></h3>
-	<a target="_blank" rel="noreferrer" class="icon-info svg"
+	<a target="_blank" rel="noreferrer noopener" class="icon-info svg"
 		title="<?php p($l->t('Open documentation'));?>"
 		href="<?php p(link_to_docs('admin-sharing-federated')); ?>"></a>
 	<p class="settings-hint"><?php p($l->t('Adjust how people can share between servers.')); ?></p>
diff --git a/apps/federatedfilesharing/templates/settings-personal.php b/apps/federatedfilesharing/templates/settings-personal.php
index 26365d2b70c..89f7b1eb1e7 100644
--- a/apps/federatedfilesharing/templates/settings-personal.php
+++ b/apps/federatedfilesharing/templates/settings-personal.php
@@ -43,7 +43,7 @@ style('federatedfilesharing', 'settings-personal');
 
 		<div class="hidden" id="oca-files-sharing-add-to-your-website-expanded">
 		<p style="margin: 10px 0">
-			<a target="_blank" rel="noreferrer" href="<?php p($_['reference']); ?>"
+			<a target="_blank" rel="noreferrer noopener" href="<?php p($_['reference']); ?>"
 				style="padding:10px;background-color:<?php p($_['color']); ?>;color:<?php p($_['textColor']); ?>;border-radius:3px;padding-left:4px;">
 				<span style="background-image:url(<?php p(\OC::$server->getURLGenerator()->getAbsoluteURL($_['logoPath'])); ?>);width:50px;height:30px;position:relative;top:8px;background-size:contain;display:inline-block;background-repeat:no-repeat; background-position: center center;"></span>
 				<?php p($l->t('Share with me via Nextcloud')); ?>
@@ -52,7 +52,7 @@ style('federatedfilesharing', 'settings-personal');
 
 		<p>
 			<?php p($l->t('HTML Code:')); ?>
-			<xmp><a target="_blank" rel="noreferrer" href="<?php p($_['reference']); ?>" style="padding:10px;background-color:<?php p($_['color']); ?>;color:<?php p($_['textColor']); ?>;border-radius:3px;padding-left:4px;">
+			<xmp><a target="_blank" rel="noreferrer noopener" href="<?php p($_['reference']); ?>" style="padding:10px;background-color:<?php p($_['color']); ?>;color:<?php p($_['textColor']); ?>;border-radius:3px;padding-left:4px;">
 <span style="background-image:url(<?php p(\OC::$server->getURLGenerator()->getAbsoluteURL($_['logoPath'])); ?>);width:50px;height:30px;position:relative;top:8px;background-size:contain;display:inline-block;background-repeat:no-repeat; background-position: center center;"></span>
 <?php p($l->t('Share with me via Nextcloud')); ?></a></xmp>
 		</p>
diff --git a/apps/files/templates/appnavigation.php b/apps/files/templates/appnavigation.php
index 6a7b4e4b11e..f3bf0334b55 100644
--- a/apps/files/templates/appnavigation.php
+++ b/apps/files/templates/appnavigation.php
@@ -42,7 +42,7 @@
 			</div>
 			<label for="webdavurl"><?php p($l->t('WebDAV'));?></label>
 			<input id="webdavurl" type="text" readonly="readonly" value="<?php p(\OCP\Util::linkToRemote('webdav')); ?>" />
-			<em><?php print_unescaped($l->t('Use this address to <a href="%s" target="_blank" rel="noreferrer">access your Files via WebDAV</a>', array(link_to_docs('user-webdav'))));?></em>
+			<em><?php print_unescaped($l->t('Use this address to <a href="%s" target="_blank" rel="noreferrer noopener">access your Files via WebDAV</a>', array(link_to_docs('user-webdav'))));?></em>
 		</div>
 	</div>
 </div>
diff --git a/apps/theming/lib/ThemingDefaults.php b/apps/theming/lib/ThemingDefaults.php
index 6ee546d2630..97e889a2140 100644
--- a/apps/theming/lib/ThemingDefaults.php
+++ b/apps/theming/lib/ThemingDefaults.php
@@ -134,7 +134,7 @@ class ThemingDefaults extends \OC_Defaults {
 	public function getShortFooter() {
 		$slogan = $this->getSlogan();
 		$footer = '<a href="'. $this->getBaseUrl() . '" target="_blank"' .
-			' rel="noreferrer">' .$this->getEntity() . '</a>'.
+			' rel="noreferrer noopener">' .$this->getEntity() . '</a>'.
 			($slogan !== '' ? ' – ' . $slogan : '');
 
 		return $footer;
diff --git a/apps/theming/tests/ThemingDefaultsTest.php b/apps/theming/tests/ThemingDefaultsTest.php
index abd85a612c9..6fbf3a2529d 100644
--- a/apps/theming/tests/ThemingDefaultsTest.php
+++ b/apps/theming/tests/ThemingDefaultsTest.php
@@ -217,7 +217,7 @@ class ThemingDefaultsTest extends TestCase {
 				['theming', 'slogan', $this->defaults->getSlogan(), 'Slogan'],
 			]);
 
-		$this->assertEquals('<a href="url" target="_blank" rel="noreferrer">Name</a> – Slogan', $this->template->getShortFooter());
+		$this->assertEquals('<a href="url" target="_blank" rel="noreferrer noopener">Name</a> – Slogan', $this->template->getShortFooter());
 	}
 
 	public function testGetShortFooterEmptySlogan() {
@@ -230,7 +230,7 @@ class ThemingDefaultsTest extends TestCase {
 				['theming', 'slogan', $this->defaults->getSlogan(), ''],
 			]);
 
-		$this->assertEquals('<a href="url" target="_blank" rel="noreferrer">Name</a>', $this->template->getShortFooter());
+		$this->assertEquals('<a href="url" target="_blank" rel="noreferrer noopener">Name</a>', $this->template->getShortFooter());
 	}
 
 	public function testgetColorPrimaryWithDefault() {
diff --git a/apps/user_ldap/templates/part.settingcontrols.php b/apps/user_ldap/templates/part.settingcontrols.php
index 3f7a53dd4dc..a418885f47e 100644
--- a/apps/user_ldap/templates/part.settingcontrols.php
+++ b/apps/user_ldap/templates/part.settingcontrols.php
@@ -3,7 +3,7 @@
 		<?php p($l->t('Test Configuration'));?>
 	</button>
 	<a href="<?php p(link_to_docs('admin-ldap')); ?>"
-		target="_blank" rel="noreferrer">
+		target="_blank" rel="noreferrer noopener">
 		<img src="<?php print_unescaped(image_path('', 'actions/info.svg')); ?>"
 			style="height:1.75ex" />
 		<?php p($l->t('Help'));?>
diff --git a/apps/user_ldap/templates/part.wizardcontrols.php b/apps/user_ldap/templates/part.wizardcontrols.php
index 2df1fd8d83f..89eb96827e6 100644
--- a/apps/user_ldap/templates/part.wizardcontrols.php
+++ b/apps/user_ldap/templates/part.wizardcontrols.php
@@ -9,7 +9,7 @@
 		<?php p($l->t('Continue'));?>
 	</button>
 	<a href="<?php p(link_to_docs('admin-ldap')); ?>"
-		target="_blank" rel="noreferrer">
+		target="_blank" rel="noreferrer noopener">
 		<img src="<?php print_unescaped(image_path('', 'actions/info.svg')); ?>"
 			style="height:1.75ex" />
 		<span class="ldap_grey"><?php p($l->t('Help'));?></span>
diff --git a/apps/workflowengine/templates/admin.php b/apps/workflowengine/templates/admin.php
index 4f4dab4043f..e9873f8f289 100644
--- a/apps/workflowengine/templates/admin.php
+++ b/apps/workflowengine/templates/admin.php
@@ -25,7 +25,7 @@
 <div id="<?php p($_['appid']); ?>" class="section workflowengine">
 	<h2 class="inlineblock"><?php p($_['heading']); ?></h2>
 	<?php if (!empty($_['docs'])): ?>
-		<a target="_blank" rel="noreferrer" class="icon-info svg"
+		<a target="_blank" rel="noreferrer noopener" class="icon-info svg"
 		   title="<?php p($l->t('Open documentation'));?>"
 		   href="<?php p(link_to_docs($_['docs'])); ?>">
 		</a>
-- 
cgit v1.2.3