author | Markus Staab <markus.staab@redaxo.de> | 2017-10-19 12:16:04 +0200 |
---|---|---|
committer | Markus Staab <markus.staab@redaxo.de> | 2017-10-19 12:16:04 +0200 |
commit | db34b59238846e5ec046a456b4f76649321571d1 (patch) | |
tree | 3efe5a2c81888f6440c43ba6450998f6434ba7ea /settings | |
parent | 8e25df9690a4d953721dcdc8e61038b332774a10 (diff) | |
download | nextcloud-server-db34b59238846e5ec046a456b4f76649321571d1.tar.gz nextcloud-server-db34b59238846e5ec046a456b4f76649321571d1.zip |
Prevent XSS in links which open a new browser window
Diffstat (limited to 'settings')
-rw-r--r-- | settings/templates/apps.php | 18 | ||||
-rw-r--r-- | settings/templates/help.php | 8 | ||||
-rw-r--r-- | settings/templates/settings.development.notice.php | 6 | ||||
-rw-r--r-- | settings/templates/settings/admin/additional-mail.php | 2 | ||||
-rw-r--r-- | settings/templates/settings/admin/encryption.php | 2 | ||||
-rw-r--r-- | settings/templates/settings/admin/server.php | 10 | ||||
-rw-r--r-- | settings/templates/settings/admin/sharing.php | 2 | ||||
-rw-r--r-- | settings/templates/settings/admin/tipstricks.php | 16 | ||||
-rw-r--r-- | settings/templates/settings/personal/personal.info.php | 2 |
9 files changed, 33 insertions, 33 deletions
diff --git a/settings/templates/apps.php b/settings/templates/apps.php
index 91a73fcbe56..f609adb03b3 100644
--- a/settings/templates/apps.php
+++ b/settings/templates/apps.php
@@ -24,7 +24,7 @@ script(
 <?php if($_['appstoreEnabled']): ?>
 <li>
- <a class="app-external icon-info" target="_blank" rel="noreferrer" href="https://docs.nextcloud.org/server/12/developer_manual/"><?php p($l->t('Developer documentation'));?> ↗</a>
+ <a class="app-external icon-info" target="_blank" rel="noreferrer noopener" href="https://docs.nextcloud.org/server/12/developer_manual/"><?php p($l->t('Developer documentation'));?> ↗</a>
 </li>
 <?php endif; ?>
 </script>
@@ -44,7 +44,7 @@ script(
 <div class="app-image app-image-icon"></div>
 <div class="app-name">
 {{#if detailpage}}
- <a href="{{detailpage}}" target="_blank" rel="noreferrer">{{name}}</a>
+ <a href="{{detailpage}}" target="_blank" rel="noreferrer noopener">{{name}}</a>
 {{else}}
 {{name}}
 {{/if}}
@@ -90,7 +90,7 @@ script(
 {{/if}}
 <h2 class="app-name">
 {{#if detailpage}}
- <a href="{{detailpage}}" target="_blank" rel="noreferrer">{{name}}</a>
+ <a href="{{detailpage}}" target="_blank" rel="noreferrer noopener">{{name}}</a>
 {{else}}
 {{name}}
 {{/if}}
@@ -105,7 +105,7 @@ script(
 <div class="app-description-container hidden">
 <div class="app-version">{{version}}</div>
- {{#if profilepage}}<a href="{{profilepage}}" target="_blank" rel="noreferrer">{{/if}}
+ {{#if profilepage}}<a href="{{profilepage}}" target="_blank" rel="noreferrer noopener">{{/if}}
 <div class="app-author"><?php p($l->t('by %s', ['{{author}}']));?>
 {{#if licence}}
 (<?php p($l->t('%s-licensed', ['{{licence}}'])); ?>)
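Review bot: In the `{{detailpage}}` anchor of the @@ -44 hunk, and equally for the `{{detailpage}}`, `{{profilepage}}`, `{{website}}` and `{{bugs}}` anchors in the @@ -90, @@ -105 and @@ -119 hunks, the added `noopener` only denies the opened page access to `window.opener`; the href itself is still whatever the app metadata supplies. Handlebars `{{ }}` escaping keeps the value inside the attribute but does not constrain the URL scheme, so unless these values are already scheme-checked where they are produced (not visible from this diff), an allow-list of `http`/`https` before they reach the template would close the remaining gap. A short template comment pointing at the producer of these values and the check it performs would document where that responsibility lives. The `<script>` template these anchors belong to starts before the hunk.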
@@ -119,30 +119,30 @@ script(
 <?php p($l->t("Documentation:"));?>
 {{#if documentation.user}}
 <span class="userDocumentation">
- <a id="userDocumentation" class="appslink" href="{{documentation.user}}" target="_blank" rel="noreferrer"><?php p($l->t('User documentation'));?> ↗</a>
+ <a id="userDocumentation" class="appslink" href="{{documentation.user}}" target="_blank" rel="noreferrer noopener"><?php p($l->t('User documentation'));?> ↗</a>
 </span>
 {{/if}}
 {{#if documentation.admin}}
 <span class="adminDocumentation">
- <a id="adminDocumentation" class="appslink" href="{{documentation.admin}}" target="_blank" rel="noreferrer"><?php p($l->t('Admin documentation'));?> ↗</a>
+ <a id="adminDocumentation" class="appslink" href="{{documentation.admin}}" target="_blank" rel="noreferrer noopener"><?php p($l->t('Admin documentation'));?> ↗</a>
 </span>
 {{/if}}
 {{#if documentation.developer}}
 <span class="developerDocumentation">
- <a id="developerDocumentation" class="appslink" href="{{documentation.developer}}" target="_blank" rel="noreferrer"><?php p($l->t('Developer documentation'));?> ↗</a>
+ <a id="developerDocumentation" class="appslink" href="{{documentation.developer}}" target="_blank" rel="noreferrer noopener"><?php p($l->t('Developer documentation'));?> ↗</a>
 </span>
 {{/if}}
 </p>
 {{/if}}
 {{#if website}}
- <a id="userDocumentation" class="appslink" href="{{website}}" target="_blank" rel="noreferrer"><?php p($l->t('Visit website'));?> ↗</a>
+ <a id="userDocumentation" class="appslink" href="{{website}}" target="_blank" rel="noreferrer noopener"><?php p($l->t('Visit website'));?> ↗</a>
 {{/if}}
 {{#if bugs}}
- <a id="adminDocumentation" class="appslink" href="{{bugs}}" target="_blank" rel="noreferrer"><?php p($l->t('Report a bug'));?> ↗</a>
+ <a id="adminDocumentation" class="appslink" href="{{bugs}}" target="_blank" rel="noreferrer noopener"><?php p($l->t('Report a bug'));?> ↗</a>
 {{/if}}
 </div><!-- end app-description-container -->
 <div class="app-description-toggle-show" role="link"><?php p($l->t("Show description …"));?></div>
diff --git a/settings/templates/help.php b/settings/templates/help.php
index f849ea0f427..3f042254f83 100644
--- a/settings/templates/help.php
+++ b/settings/templates/help.php
@@ -16,26 +16,26 @@
 <?php } ?>
 <li>
- <a href="https://docs.nextcloud.org" target="_blank" rel="noreferrer">
+ <a href="https://docs.nextcloud.org" target="_blank" rel="noreferrer noopener">
 <?php p($l->t('Online documentation')); ?> ↗
 </a>
 </li>
 <li>
- <a href="https://help.nextcloud.com" target="_blank" rel="noreferrer">
+ <a href="https://help.nextcloud.com" target="_blank" rel="noreferrer noopener">
 <?php p($l->t('Forum')); ?> ↗
 </a>
 </li>
 <?php if($_['admin']) { ?>
 <li>
- <a href="https://nextcloud.com/support/" target="_blank" rel="noreferrer">
+ <a href="https://nextcloud.com/support/" target="_blank" rel="noreferrer noopener">
 <?php p($l->t('Getting help')); ?> ↗
 </a>
 </li>
 <?php } ?>
 <li>
- <a href="https://nextcloud.com/enterprise/" target="_blank" rel="noreferrer">
+ <a href="https://nextcloud.com/enterprise/" target="_blank" rel="noreferrer noopener">
 <?php p($l->t('Commercial support')); ?> ↗
 </a>
 </li>
diff --git a/settings/templates/settings.development.notice.php b/settings/templates/settings.development.notice.php
index 2b08d341f1e..855c4dc26c7 100644
--- a/settings/templates/settings.development.notice.php
+++ b/settings/templates/settings.development.notice.php
@@ -7,9 +7,9 @@
 '{linkclose}',
 ],
 [
- '<a href="https://nextcloud.com/contribute" target="_blank" rel="noreferrer">',
- '<a href="https://github.com/nextcloud" target="_blank" rel="noreferrer">',
- '<a href="https://www.gnu.org/licenses/agpl-3.0.html" target="_blank" rel="noreferrer">',
+ '<a href="https://nextcloud.com/contribute" target="_blank" rel="noreferrer noopener">',
+ '<a href="https://github.com/nextcloud" target="_blank" rel="noreferrer noopener">',
+ '<a href="https://www.gnu.org/licenses/agpl-3.0.html" target="_blank" rel="noreferrer noopener">',
 '</a>',
 ],
 $l->t('Developed by the {communityopen}Nextcloud community{linkclose}, the {githubopen}source code{linkclose} is licensed under the {licenseopen}AGPL{linkclose}.')
diff --git a/settings/templates/settings/admin/additional-mail.php b/settings/templates/settings/admin/additional-mail.php
index bce7e5adeee..adcc5293ff1 100644
--- a/settings/templates/settings/admin/additional-mail.php
+++ b/settings/templates/settings/admin/additional-mail.php
@@ -53,7 +53,7 @@ if ($_['mail_smtpmode'] === 'qmail') {
 <div class="section" id="mail_general_settings">
 <form id="mail_general_settings_form" class="mail_settings">
 <h2><?php p($l->t('Email server'));?></h2>
- <a target="_blank" rel="noreferrer" class="icon-info"
+ <a target="_blank" rel="noreferrer noopener" class="icon-info"
 title="<?php p($l->t('Open documentation'));?>"
 href="<?php p(link_to_docs('admin-email')); ?>"></a>
 <p class="settings-hint"><?php p($l->t('It is important to set up this server to be able to send emails, like for password reset and notifications.')); ?></p>
diff --git a/settings/templates/settings/admin/encryption.php b/settings/templates/settings/admin/encryption.php
index 8fc4e9ae13b..d042f531da5 100644
--- a/settings/templates/settings/admin/encryption.php
+++ b/settings/templates/settings/admin/encryption.php
@@ -28,7 +28,7 @@
 <div class="section" id='encryptionAPI'>
 <h2><?php p($l->t('Server-side encryption')); ?></h2>
- <a target="_blank" rel="noreferrer" class="icon-info"
+ <a target="_blank" rel="noreferrer noopener" class="icon-info"
 title="<?php p($l->t('Open documentation'));?>"
 href="<?php p(link_to_docs('admin-encryption')); ?>"></a>
 <p class="settings-hint"><?php p($l->t('Server-side encryption makes it possible to encrypt files which are uploaded to this server. This comes with limitations like a performance penalty, so enable this only if needed.')); ?></p>
diff --git a/settings/templates/settings/admin/server.php b/settings/templates/settings/admin/server.php
index ab30f8e7700..2805eb72ce1 100644
--- a/settings/templates/settings/admin/server.php
+++ b/settings/templates/settings/admin/server.php
@@ -36,7 +36,7 @@
 ?>
 <li>
 <?php p($l->t('PHP does not seem to be setup properly to query system environment variables. The test with getenv("PATH") only returns an empty response.')); ?><br>
- <?php print_unescaped($l->t('Please check the <a target="_blank" rel="noreferrer" href="%s">installation documentation ↗</a> for PHP configuration notes and the PHP configuration of your server, especially when using php-fpm.', link_to_docs('admin-php-fpm'))); ?>
+ <?php print_unescaped($l->t('Please check the <a target="_blank" rel="noreferrer noopener" href="%s">installation documentation ↗</a> for PHP configuration notes and the PHP configuration of your server, especially when using php-fpm.', link_to_docs('admin-php-fpm'))); ?>
 </li>
 <?php
 }
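Review bot: In the @@ -36 hunk of server.php the `rel="noreferrer noopener"` fix lives inside the string handed to `$l->t()`, so it only reaches users of a translated locale if every translation is updated with the same markup; the same applies to the @@ -91 and @@ -146 hunks of server.php and the @@ -37 hunk of tipstricks.php. Because the result goes through `print_unescaped`, the anchor markup in these four strings is effectively whatever the translation files contain, not what this commit says. The settings.development.notice.php hunk in this same commit already uses the safer shape — placeholders such as `{communityopen}`/`{linkclose}` in the translatable text, substituted with fixed anchor markup outside it — and moving these strings to that pattern would keep the `rel` attributes out of the translation files entirely. The enclosing `<?php if … { ?>` block starts before the hunk.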
@@ -91,7 +91,7 @@ if ($_['fileLockingType'] === 'none') {
 ?>
 <li>
- <?php print_unescaped($l->t('Transactional file locking is disabled, this might lead to issues with race conditions. Enable \'filelocking.enabled\' in config.php to avoid these problems. See the <a target="_blank" rel="noreferrer" href="%s">documentation ↗</a> for more information.', link_to_docs('admin-transactional-locking'))); ?>
+ <?php print_unescaped($l->t('Transactional file locking is disabled, this might lead to issues with race conditions. Enable \'filelocking.enabled\' in config.php to avoid these problems. See the <a target="_blank" rel="noreferrer noopener" href="%s">documentation ↗</a> for more information.', link_to_docs('admin-transactional-locking'))); ?>
 </li>
 <?php
 }
@@ -146,7 +146,7 @@
 <ul class="warnings hidden"></ul>
 <ul class="info hidden"></ul>
 <p class="hint hidden">
- <?php print_unescaped($l->t('Please double check the <a target="_blank" rel="noreferrer" href="%s">installation guides ↗</a>, and check for any errors or warnings in the <a href="%s">log</a>.', [link_to_docs('admin-install'), \OC::$server->getURLGenerator()->linkToRoute('settings.AdminSettings.index', ['section' => 'logging'])] )); ?>
+ <?php print_unescaped($l->t('Please double check the <a target="_blank" rel="noreferrer noopener" href="%s">installation guides ↗</a>, and check for any errors or warnings in the <a href="%s">log</a>.', [link_to_docs('admin-install'), \OC::$server->getURLGenerator()->linkToRoute('settings.AdminSettings.index', ['section' => 'logging'])] )); ?>
 </p>
 </div>
 <div id="security-warning-state">
@@ -176,7 +176,7 @@
 <?php p($l->t("Background job didn’t run yet!")); endif; ?>
 </p>
- <a target="_blank" rel="noreferrer" class="icon-info"
+ <a target="_blank" rel="noreferrer noopener" class="icon-info"
 title="<?php p($l->t('Open documentation'));?>"
 href="<?php p(link_to_docs('admin-background-jobs')); ?>"></a>
@@ -223,5 +223,5 @@
 <div class="section">
 <!-- should be the last part, so Updater can follow if enabled (it has no heading therefore). -->
 <h2><?php p($l->t('Version'));?></h2>
- <p><strong><a href="<?php print_unescaped($theme->getBaseUrl()); ?>" rel="noreferrer" target="_blank"><?php p($theme->getTitle()); ?></a> <?php p(OC_Util::getHumanVersion()) ?></strong></p>
+ <p><strong><a href="<?php print_unescaped($theme->getBaseUrl()); ?>" rel="noreferrer noopener" target="_blank"><?php p($theme->getTitle()); ?></a> <?php p(OC_Util::getHumanVersion()) ?></strong></p>
 </div>
diff --git a/settings/templates/settings/admin/sharing.php b/settings/templates/settings/admin/sharing.php
index 9c9e8c07809..156e8ddd81d 100644
--- a/settings/templates/settings/admin/sharing.php
+++ b/settings/templates/settings/admin/sharing.php
@@ -28,7 +28,7 @@
 <div class="section" id="shareAPI">
 <h2><?php p($l->t('Sharing'));?></h2>
- <a target="_blank" rel="noreferrer" class="icon-info"
+ <a target="_blank" rel="noreferrer noopener" class="icon-info"
 title="<?php p($l->t('Open documentation'));?>"
 href="<?php p(link_to_docs('admin-sharing')); ?>"></a>
 <p class="settings-hint"><?php p($l->t('As admin you can fine-tune the sharing behavior. Please see the documentation for more information.'));?></p>
diff --git a/settings/templates/settings/admin/tipstricks.php b/settings/templates/settings/admin/tipstricks.php
index c18c7f25f39..cf5c6c71104 100644
--- a/settings/templates/settings/admin/tipstricks.php
+++ b/settings/templates/settings/admin/tipstricks.php
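Review bot: In the @@ -223 hunk the href is still emitted with `print_unescaped($theme->getBaseUrl())`, so the value lands in an attribute with no escaping at all; unless `getBaseUrl()` is guaranteed attribute-safe (its source is theme/config code not visible here), `p()` is the safer default for an attribute value: `<p><strong><a href="<?php p($theme->getBaseUrl()); ?>" rel="noreferrer noopener" target="_blank"><?php p($theme->getTitle()); ?></a> <?php p(OC_Util::getHumanVersion()) ?></strong></p>`. As a style point, this is the only anchor in the commit that puts `rel` before `target`; harmless, but aligning it with the others makes a future grep for `target="_blank" rel=` catch every case.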
@@ -37,15 +37,15 @@
 <li>
 <?php p($l->t('SQLite is currently being used as the backend database. For larger installations we recommend that you switch to a different database backend.')); ?><br>
 <?php p($l->t('This is particularly recommended when using the desktop client for file synchronisation.')); ?><br>
- <?php print_unescaped($l->t('To migrate to another database use the command line tool: \'occ db:convert-type\', or see the <a target="_blank" rel="noreferrer" href="%s">documentation ↗</a>.', link_to_docs('admin-db-conversion') )); ?>
+ <?php print_unescaped($l->t('To migrate to another database use the command line tool: \'occ db:convert-type\', or see the <a target="_blank" rel="noreferrer noopener" href="%s">documentation ↗</a>.', link_to_docs('admin-db-conversion') )); ?>
 </li>
 <?php } ?>
- <li><a target="_blank" rel="noreferrer" href="<?php p(link_to_docs('admin-backup')); ?>"><?php p($l->t('How to do backups'));?> ↗</a></li>
- <li><a target="_blank" rel="noreferrer" href="<?php p(link_to_docs('admin-monitoring')); ?>"><?php p($l->t('Advanced monitoring'));?> ↗</a></li>
- <li><a target="_blank" rel="noreferrer" href="<?php p(link_to_docs('admin-performance')); ?>"><?php p($l->t('Performance tuning'));?> ↗</a></li>
- <li><a target="_blank" rel="noreferrer" href="<?php p(link_to_docs('admin-config')); ?>"><?php p($l->t('Improving the config.php'));?> ↗</a></li>
- <li><a target="_blank" rel="noreferrer" href="<?php p(link_to_docs('developer-theming')); ?>"><?php p($l->t('Theming'));?> ↗</a></li>
- <li><a target="_blank" rel="noreferrer" href="https://scan.nextcloud.com"><?php p($l->t('Check the security of your Nextcloud over our security scan'));?> ↗</a></li>
- <li><a target="_blank" rel="noreferrer" href="<?php p(link_to_docs('admin-security')); ?>"><?php p($l->t('Hardening and security guidance'));?> ↗</a></li>
+ <li><a target="_blank" rel="noreferrer noopener" href="<?php p(link_to_docs('admin-backup')); ?>"><?php p($l->t('How to do backups'));?> ↗</a></li>
+ <li><a target="_blank" rel="noreferrer noopener" href="<?php p(link_to_docs('admin-monitoring')); ?>"><?php p($l->t('Advanced monitoring'));?> ↗</a></li>
+ <li><a target="_blank" rel="noreferrer noopener" href="<?php p(link_to_docs('admin-performance')); ?>"><?php p($l->t('Performance tuning'));?> ↗</a></li>
+ <li><a target="_blank" rel="noreferrer noopener" href="<?php p(link_to_docs('admin-config')); ?>"><?php p($l->t('Improving the config.php'));?> ↗</a></li>
+ <li><a target="_blank" rel="noreferrer noopener" href="<?php p(link_to_docs('developer-theming')); ?>"><?php p($l->t('Theming'));?> ↗</a></li>
+ <li><a target="_blank" rel="noreferrer noopener" href="https://scan.nextcloud.com"><?php p($l->t('Check the security of your Nextcloud over our security scan'));?> ↗</a></li>
+ <li><a target="_blank" rel="noreferrer noopener" href="<?php p(link_to_docs('admin-security')); ?>"><?php p($l->t('Hardening and security guidance'));?> ↗</a></li>
 </ul>
 </div>
diff --git a/settings/templates/settings/personal/personal.info.php b/settings/templates/settings/personal/personal.info.php
index d6f6061ebf2..04315d8cea0 100644
--- a/settings/templates/settings/personal/personal.info.php
+++ b/settings/templates/settings/personal/personal.info.php
@@ -338,7 +338,7 @@ vendor_style('jcrop/css/jquery.Jcrop');
 <?php endforeach;?>
 </select>
 <a href="https://www.transifex.com/nextcloud/nextcloud/"
- target="_blank" rel="noreferrer">
+ target="_blank" rel="noreferrer noopener">
 <em><?php p($l->t('Help translate'));?></em>
 </a>
 </form>
|