diff options
| author | Andrew Dolgov <[email protected]> | 2017-02-12 14:19:37 +0300 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2017-02-12 14:19:37 +0300 |
| commit | 3891782cf5fc20dc70e17c8665866aef6392233e (patch) | |
| tree | 9e46eabafcddd2e76cd0c8fc4c1498d0b1858757 /classes/pref/prefs.php | |
| parent | 2187322caee25756d28983f069e291612023c6dc (diff) | |
| parent | ba2853caac636d2ae596d74561fa0233567242d4 (diff) | |
Merge branch 'fix-target-blank-vulnerability' into 'master'
Prevent target='_blank' vulnerability on dynamic link
This merge request refere to https://tt-rss.org/forum/viewtopic.php?f=8&t=4048
It fix the issue I enconter on some feeds I follow.
Just need to add "noopener" and "noreferrer" on "_blank" link to avoid the vulnerability.
See merge request !46
Diffstat (limited to 'classes/pref/prefs.php')
| -rw-r--r-- | classes/pref/prefs.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php index 9a7ab55a0..ece9e8078 100644 --- a/classes/pref/prefs.php +++ b/classes/pref/prefs.php @@ -776,7 +776,7 @@ class Pref_Prefs extends Handler_Protected { print "<td><label><img src='images/$plugin_icon' alt=''> $name</label></td>"; print "<td>" . htmlspecialchars($about[1]); if (@$about[4]) { - print " — <a target=\"_blank\" class=\"visibleLink\" + print " — <a target=\"_blank\" rel=\"noopener noreferrer\" class=\"visibleLink\" href=\"".htmlspecialchars($about[4])."\">".__("more info")."</a>"; } print "</td>"; @@ -835,7 +835,7 @@ class Pref_Prefs extends Handler_Protected { print "<td><label for='FPCHK-$name'><img src='images/$plugin_icon' alt=''> $name</label></td>"; print "<td><label for='FPCHK-$name'>" . htmlspecialchars($about[1]) . "</label>"; if (@$about[4]) { - print " — <a target=\"_blank\" class=\"visibleLink\" + print " — <a target=\"_blank\" rel=\"noopener noreferrer\" class=\"visibleLink\" href=\"".htmlspecialchars($about[4])."\">".__("more info")."</a>"; } print "</td>"; |