Merge pull request #2768 from CorruptComputer/RSPEC-5148-Fixes
[sec] Fixes a few minor vulnerabilies when using target="_blank" on links (RSPEC-5148)
This commit is contained in:
commit
5c8c85a0ff
@ -190,7 +190,7 @@
|
||||
<h5 id="{{ $endpoint['name'] }}" class="text-mono mb-m">
|
||||
<span class="api-method" data-method="{{ $endpoint['method'] }}">{{ $endpoint['method'] }}</span>
|
||||
@if($endpoint['controller_method_kebab'] === 'list')
|
||||
<a style="color: inherit;" target="_blank" href="{{ url($endpoint['uri']) }}">{{ url($endpoint['uri']) }}</a>
|
||||
<a style="color: inherit;" target="_blank" rel="noopener" href="{{ url($endpoint['uri']) }}">{{ url($endpoint['uri']) }}</a>
|
||||
@else
|
||||
{{ url($endpoint['uri']) }}
|
||||
@endif
|
||||
|
@ -7,7 +7,7 @@
|
||||
class="card drag-card">
|
||||
<div class="handle">@icon('grip')</div>
|
||||
<div class="py-s">
|
||||
<a href="{{ $attachment->getUrl() }}" target="_blank">{{ $attachment->name }}</a>
|
||||
<a href="{{ $attachment->getUrl() }}" target="_blank" rel="noopener">{{ $attachment->name }}</a>
|
||||
</div>
|
||||
<div class="flex-fill justify-flex-end">
|
||||
<button component="event-emit-select"
|
||||
|
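Review bot: The attachment link now carries `rel="noopener"`, which is right, but `$attachment->getUrl()` presumably can also resolve to an off-site URL for link-type attachments (not visible in this hunk, worth confirming), and for those the wiki URL is still sent as the Referer when the tab opens. `rel="noopener noreferrer"` would cover both cases and also acts as the fallback in older browsers that honour `noreferrer` but not `noopener`. The enclosing `.card` markup starts before the hunk.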
@ -1,7 +1,7 @@
|
||||
@if(count(setting('app-footer-links', [])) > 0)
|
||||
<footer>
|
||||
@foreach(setting('app-footer-links', []) as $link)
|
||||
<a href="{{ $link['url'] }}" target="_blank">{{ strpos($link['label'], 'trans::') === 0 ? trans(str_replace('trans::', '', $link['label'])) : $link['label'] }}</a>
|
||||
<a href="{{ $link['url'] }}" target="_blank" rel="noopener">{{ strpos($link['label'], 'trans::') === 0 ? trans(str_replace('trans::', '', $link['label'])) : $link['label'] }}</a>
|
||||
@endforeach
|
||||
</footer>
|
||||
@endif
|
@ -7,7 +7,7 @@
|
||||
option:ajax-form:url="{{ url('images/' . $image->id) }}">
|
||||
|
||||
<div class="image-manager-viewer">
|
||||
<a href="{{ $image->url }}" target="_blank" class="block">
|
||||
<a href="{{ $image->url }}" target="_blank" rel="noopener" class="block">
|
||||
<img src="{{ $image->thumbs['display'] }}"
|
||||
alt="{{ $image->name }}"
|
||||
class="anim fadeIn"
|
||||
@ -40,6 +40,7 @@
|
||||
<li>
|
||||
<a href="{{ $page->url }}"
|
||||
target="_blank"
|
||||
rel="noopener"
|
||||
class="text-neg">{{ $page->name }}</a>
|
||||
</li>
|
||||
@endforeach
|
||||
|
@ -3,7 +3,7 @@
|
||||
<div page-picker>
|
||||
<div class="input-base">
|
||||
<span @if($value) style="display: none" @endif page-picker-default class="text-muted italic">{{ $placeholder }}</span>
|
||||
<a @if(!$value) style="display: none" @endif href="{{ url('/link/' . $value) }}" target="_blank" class="text-page" page-picker-display>#{{$value}}, {{$value ? \BookStack\Entities\Models\Page::find($value)->name : '' }}</a>
|
||||
<a @if(!$value) style="display: none" @endif href="{{ url('/link/' . $value) }}" target="_blank" rel="noopener" class="text-page" page-picker-display>#{{$value}}, {{$value ? \BookStack\Entities\Models\Page::find($value)->name : '' }}</a>
|
||||
</div>
|
||||
<br>
|
||||
<input type="hidden" value="{{$value}}" name="{{$name}}" id="{{$name}}">
|
||||
|
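Review bot: The display link calls `\BookStack\Entities\Models\Page::find($value)->name` without guarding the `find()` result, so a `$value` that refers to a deleted or non-existent page makes the template error out instead of rendering an empty label; `optional(\BookStack\Entities\Models\Page::find($value))->name` (or `?->name` on PHP 8) avoids that. `find()` also presumably bypasses whatever visibility scoping the app applies to pages elsewhere, so this could show the name of a page the current user cannot otherwise see — worth confirming. Moving the lookup into the component's backing code, with the name passed in as a variable, would keep the Blade view free of model queries.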
@ -41,14 +41,14 @@
|
||||
<td><small>{{ $revision->created_at->formatLocalized('%e %B %Y %H:%M:%S') }} <br> ({{ $revision->created_at->diffForHumans() }})</small></td>
|
||||
<td>{{ $revision->summary }}</td>
|
||||
<td class="actions">
|
||||
<a href="{{ $revision->getUrl('changes') }}" target="_blank">{{ trans('entities.pages_revisions_changes') }}</a>
|
||||
<a href="{{ $revision->getUrl('changes') }}" target="_blank" rel="noopener">{{ trans('entities.pages_revisions_changes') }}</a>
|
||||
<span class="text-muted"> | </span>
|
||||
|
||||
|
||||
@if ($index === 0)
|
||||
<a target="_blank" href="{{ $page->getUrl() }}"><i>{{ trans('entities.pages_revisions_current') }}</i></a>
|
||||
<a target="_blank" rel="noopener" href="{{ $page->getUrl() }}"><i>{{ trans('entities.pages_revisions_current') }}</i></a>
|
||||
@else
|
||||
<a href="{{ $revision->getUrl() }}" target="_blank">{{ trans('entities.pages_revisions_preview') }}</a>
|
||||
<a href="{{ $revision->getUrl() }}" target="_blank" rel="noopener">{{ trans('entities.pages_revisions_preview') }}</a>
|
||||
<span class="text-muted"> | </span>
|
||||
<div component="dropdown" class="dropdown-container">
|
||||
<a refs="dropdown@toggle" href="#" aria-haspopup="true" aria-expanded="false">{{ trans('entities.pages_revisions_restore') }}</a>
|
||||
|
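Review bot: The date cell in the first context line uses `$revision->created_at->formatLocalized(...)`, which is built on `strftime` and is deprecated as of PHP 8.1; if Carbon 2 is in use, `isoFormat('D MMMM YYYY HH:mm:ss')` gives the same localized output without the deprecation. That line is unchanged by this commit, so a separate follow-up is appropriate. The `@foreach` producing these rows starts before the hunk.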
@ -5,8 +5,8 @@
|
||||
<span>{{ trans('entities.export') }}</span>
|
||||
</div>
|
||||
<ul refs="dropdown@menu" class="wide dropdown-menu" role="menu">
|
||||
<li><a href="{{ $entity->getUrl('/export/html') }}" target="_blank">{{ trans('entities.export_html') }} <span class="text-muted float right">.html</span></a></li>
|
||||
<li><a href="{{ $entity->getUrl('/export/pdf') }}" target="_blank">{{ trans('entities.export_pdf') }} <span class="text-muted float right">.pdf</span></a></li>
|
||||
<li><a href="{{ $entity->getUrl('/export/plaintext') }}" target="_blank">{{ trans('entities.export_text') }} <span class="text-muted float right">.txt</span></a></li>
|
||||
<li><a href="{{ $entity->getUrl('/export/html') }}" target="_blank" rel="noopener">{{ trans('entities.export_html') }} <span class="text-muted float right">.html</span></a></li>
|
||||
<li><a href="{{ $entity->getUrl('/export/pdf') }}" target="_blank" rel="noopener">{{ trans('entities.export_pdf') }} <span class="text-muted float right">.pdf</span></a></li>
|
||||
<li><a href="{{ $entity->getUrl('/export/plaintext') }}" target="_blank" rel="noopener">{{ trans('entities.export_text') }} <span class="text-muted float right">.txt</span></a></li>
|
||||
</ul>
|
||||
</div>
|