mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-22 16:36:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

referer: HTML5 browsers no longer leak pad through HTTP referer header

Browse source 
Added `rel="noreferrer"` to automatically generated links in the main pad window
as well as the chat window.

`rel="noreferrer"` is part of the HTML5 standard. While browser support isn't
100%, it's better than nothing. Future alternative solutions with wider browser
support, such as intermediary redirect pages, are unaffected by this change.

https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer

This commit was originally part of https://github.com/ether/etherpad-lite/pull/2498
This commit is contained in:
Joel Purra 2015-01-27 12:11:07 +01:00 committed by ahmadine
parent 14d81ecef8
commit b42a58748f
2 changed files with 8 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/static/js/domline.js
View file

@ -198,7 +198,10 @@ domline.createDomLine = function(nonEmpty, doesWrap, optBrowser, optDocument)
{ {
href = "http://"+href; href = "http://"+href;
} }
extraOpenTags = extraOpenTags + '<a href="' + Security.escapeHTMLAttribute(href) + '">'; // Using rel="noreferrer" stops leaking the URL/location of the pad when clicking links in the document.
// Not all browsers understand this attribute, but it's part of the HTML5 standard.
// http://www.w3.org/TR/html5/links.html#link-type-noreferrer
extraOpenTags = extraOpenTags + '<a href="' + Security.escapeHTMLAttribute(href) + '" rel="noreferrer">';
extraCloseTags = '</a>' + extraCloseTags; extraCloseTags = '</a>' + extraCloseTags;
} }
if (simpleTags) if (simpleTags)

5
src/static/js/pad_utils.js
View file

@ -223,7 +223,10 @@ var padutils = {
var startIndex = urls[j][0]; var startIndex = urls[j][0];
var href = urls[j][1]; var href = urls[j][1];
advanceTo(startIndex); advanceTo(startIndex);
pieces.push('<a ', (target ? 'target="' + Security.escapeHTMLAttribute(target) + '" ' : ''), 'href="', Security.escapeHTMLAttribute(href), '">'); // Using rel="noreferrer" stops leaking the URL/location of the pad when clicking links in the document.
// Not all browsers understand this attribute, but it's part of the HTML5 standard.
// http://www.w3.org/TR/html5/links.html#link-type-noreferrer
pieces.push('<a ', (target ? 'target="' + Security.escapeHTMLAttribute(target) + '" ' : ''), 'href="', Security.escapeHTMLAttribute(href), '" rel="noreferrer">');
advanceTo(startIndex + href.length); advanceTo(startIndex + href.length);
pieces.push('</a>'); pieces.push('</a>');
} }