Bug #1142

[SECURITY] target=_blank without rel=noopener enables XSS

Added by following almost 2 years ago. Updated almost 2 years ago.

Status: done
% Done: 100%
Priority name: 2 medium
Assignee: following
Target version: Version 3.1.5
Ticket reference:
Categories: listing logs profil

Description

See https://mathiasbynens.github.io/rel-noopener.

So whenever target="_blank" appears in user content, rel="noopener" should be added mandatorily.
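The mitigation the description asks for, as an added example that is not code from this project or from HTMLPurifier: a small Node.js filter that rewrites anchors in user-supplied HTML so every target="_blank" link also carries rel="noopener", keeping any rel tokens already present (for instance nofollow) and leaving same-tab links untouched. The sample input is constructed, and the regex-based tag scanner is a deliberate simplification rather than a full HTML parser; in production this belongs inside the sanitizer that already processes the user content, which is how the ticket was eventually closed (HTMLPurifier 4.8.0).

```javascript
// Added example for this ticket (not code from the project or from HTMLPurifier):
// force rel="noopener" onto every <a target="_blank"> in user-supplied HTML so the
// opened page cannot reach back into the opening tab through window.opener.
// The tag/attribute scanner below is a deliberate simplification, not a full HTML parser.

// Matches an opening <a ...> tag; quoted attribute values may contain '>'.
const ANCHOR_TAG_RE = /<a\b((?:[^>"']|"[^"]*"|'[^']*')*)>/gi;
// Matches one attribute: name, optionally followed by =, then "value", 'value' or a bare value.
const ATTR_RE = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(attrText) {
  const attrs = [];
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    let value = null;                      // null = boolean attribute (e.g. download)
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    // Attribute names are normalised to lower case; values are kept as written.
    attrs.push({ name: m[1].toLowerCase(), value });
  }
  return attrs;
}

function serializeAttributes(attrs) {
  return attrs
    .map(a => (a.value === null ? a.name : `${a.name}="${a.value.replace(/"/g, '&quot;')}"`))
    .join(' ');
}

// Returns the HTML with rel="noopener" guaranteed on every target="_blank" anchor.
function enforceNoopener(html) {
  return html.replace(ANCHOR_TAG_RE, (tag, attrText) => {
    const attrs = parseAttributes(attrText);
    const target = attrs.find(a => a.name === 'target');
    if (!target || (target.value || '').trim().toLowerCase() !== '_blank') {
      return tag;                          // not a new-window link: leave it untouched
    }
    let rel = attrs.find(a => a.name === 'rel');
    if (!rel) {
      rel = { name: 'rel', value: '' };
      attrs.push(rel);
    }
    // Preserve existing rel tokens (nofollow, noreferrer, ...) and add noopener once.
    const tokens = (rel.value || '').split(/\s+/).filter(Boolean);
    if (!tokens.some(t => t.toLowerCase() === 'noopener')) tokens.push('noopener');
    rel.value = tokens.join(' ');
    return `<a ${serializeAttributes(attrs)}>`;
  });
}

// Constructed sample of user content as it might be submitted to a listing or profile.
const SAMPLE = [
  '<p>Visit <a href="https://example.org" target="_blank">my site</a></p>',
  '<p><a target=_blank rel="nofollow" href="https://example.net">unquoted target</a></p>',
  '<p><a href="/local">same-tab link, untouched</a></p>',
].join('\n');

console.log(enforceNoopener(SAMPLE));
```

Run it with node to see the rewritten sample; the filter is idempotent, so content that already carries rel="noopener" passes through unchanged, which matters when stored HTML is re-sanitised on every edit.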

History

#1 Updated by following almost 2 years ago

  • Status changed from new to open
  • Assignee set to following
  • Target version set to Version 3.1.5
  • Categories set to listing logs profil

I think it is sufficient to correct this for all newly entered HTML texts. No cases of abuse are known so far.

#2 Updated by following almost 2 years ago

  • Status changed from open to in progress

#3 Updated by following almost 2 years ago

This has been fixed with HTMLPurifier 4.8.0.

#4 Updated by teiling88 almost 2 years ago

  • Status changed from in progress to done
  • % Done changed from 0 to 100
  • Private changed from Yes to No
