diff options
| author | Markus Staab <markus.staab@redaxo.de> | 2017-10-19 12:16:04 +0200 |
|---|---|---|
| committer | Markus Staab <markus.staab@redaxo.de> | 2017-10-19 12:16:04 +0200 |
| commit | db34b59238846e5ec046a456b4f76649321571d1 (patch) | |
| tree | 3efe5a2c81888f6440c43ba6450998f6434ba7ea /core/js/setupchecks.js | |
| parent | 8e25df9690a4d953721dcdc8e61038b332774a10 (diff) | |
| download | nextcloud-server-db34b59238846e5ec046a456b4f76649321571d1.tar.gz nextcloud-server-db34b59238846e5ec046a456b4f76649321571d1.zip | |
Prevent XSS in links which open a new browser window
Diffstat (limited to 'core/js/setupchecks.js')
| -rw-r--r-- | core/js/setupchecks.js | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index 5e8ef9e6961..99e3c72d2d4 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -66,7 +66,7 @@ if (xhr.status !== 207) { var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-setup-well-known-URL'); messages.push({ - msg: t('core', 'Your web server is not set up properly to resolve "{url}". Further information can be found in our <a target="_blank" rel="noreferrer" href="{docLink}">documentation</a>.', { docLink: docUrl, url: url }), + msg: t('core', 'Your web server is not set up properly to resolve "{url}". Further information can be found in our <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', { docLink: docUrl, url: url }), type: OC.SetupChecks.MESSAGE_TYPE_INFO }); } @@ -100,13 +100,13 @@ } if(!data.isMemcacheConfigured) { messages.push({ - msg: t('core', 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a target="_blank" rel="noreferrer" href="{docLink}">documentation</a>.', {docLink: data.memcacheDocs}), + msg: t('core', 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', {docLink: data.memcacheDocs}), type: OC.SetupChecks.MESSAGE_TYPE_INFO }); } if(!data.isUrandomAvailable) { messages.push({ - msg: t('core', '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a target="_blank" rel="noreferrer" href="{docLink}">documentation</a>.', {docLink: data.securityDocs}), + msg: t('core', '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', {docLink: data.securityDocs}), type: OC.SetupChecks.MESSAGE_TYPE_WARNING }); } @@ -118,19 +118,19 @@ } if(data.phpSupported && data.phpSupported.eol) { messages.push({ - msg: t('core', 'You are currently running PHP {version}. We encourage you to upgrade your PHP version to take advantage of <a target="_blank" rel="noreferrer" href="{phpLink}">performance and security updates provided by the PHP Group</a> as soon as your distribution supports it.', {version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php'}), + msg: t('core', 'You are currently running PHP {version}. We encourage you to upgrade your PHP version to take advantage of <a target="_blank" rel="noreferrer noopener" href="{phpLink}">performance and security updates provided by the PHP Group</a> as soon as your distribution supports it.', {version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php'}), type: OC.SetupChecks.MESSAGE_TYPE_INFO }); } if(!data.forwardedForHeadersWorking) { messages.push({ - msg: t('core', 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our <a target="_blank" rel="noreferrer" href="{docLink}">documentation</a>.', {docLink: data.reverseProxyDocs}), + msg: t('core', 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', {docLink: data.reverseProxyDocs}), type: OC.SetupChecks.MESSAGE_TYPE_WARNING }); } if(!data.isCorrectMemcachedPHPModuleInstalled) { messages.push({ - msg: t('core', 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the <a target="_blank" rel="noreferrer" href="{wikiLink}">memcached wiki about both modules</a>.', {wikiLink: 'https://code.google.com/p/memcached/wiki/PHPClientComparison'}), + msg: t('core', 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the <a target="_blank" rel="noreferrer noopener" href="{wikiLink}">memcached wiki about both modules</a>.', {wikiLink: 'https://code.google.com/p/memcached/wiki/PHPClientComparison'}), type: OC.SetupChecks.MESSAGE_TYPE_WARNING }); } @@ -138,7 +138,7 @@ messages.push({ msg: t( 'core', - 'Some files have not passed the integrity check. Further information on how to resolve this issue can be found in our <a target="_blank" rel="noreferrer" href="{docLink}">documentation</a>. (<a href="{codeIntegrityDownloadEndpoint}">List of invalid files…</a> / <a href="{rescanEndpoint}">Rescan…</a>)', + 'Some files have not passed the integrity check. Further information on how to resolve this issue can be found in our <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>. (<a href="{codeIntegrityDownloadEndpoint}">List of invalid files…</a> / <a href="{rescanEndpoint}">Rescan…</a>)', { docLink: data.codeIntegrityCheckerDocumentation, codeIntegrityDownloadEndpoint: OC.generateUrl('/settings/integrity/failed'), @@ -152,7 +152,7 @@ messages.push({ msg: t( 'core', - 'The PHP OPcache is not properly configured. <a target="_blank" rel="noreferrer" href="{docLink}">For better performance we recommend</a> to use following settings in the <code>php.ini</code>:', + 'The PHP OPcache is not properly configured. <a target="_blank" rel="noreferrer noopener" href="{docLink}">For better performance we recommend</a> to use following settings in the <code>php.ini</code>:', { docLink: data.phpOpcacheDocumentation, } @@ -300,7 +300,7 @@ var minimumSeconds = 15552000; if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) { messages.push({ - msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to at least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}" rel="noreferrer">security tips</a>.', {'seconds': minimumSeconds, docUrl: tipsUrl}), + msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to at least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}" rel="noreferrer noopener">security tips</a>.', {'seconds': minimumSeconds, docUrl: tipsUrl}), type: OC.SetupChecks.MESSAGE_TYPE_WARNING }); } |