Fix tabnabbing vulnerability in Snow theme #2439
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jhchen
reviewed
Dec 26, 2018
themes/snow.js
Outdated
| } | ||
| SnowTooltip.TEMPLATE = [ | ||
| '<a class="ql-preview" target="_blank" href="about:blank"></a>', | ||
| '<a class="ql-preview" rel="noopener noreferrer nofollow" target="_blank" href="about:blank"></a>', |
Member
There was a problem hiding this comment.
nofollow does not seem relevant to tabnabbing?
Contributor
Author
There was a problem hiding this comment.
Fair, noopener is sufficient to mitigate tabnabbing. I've left in noreferrer for privacy reasons but can remove that too if you think it's too much.
Member
There was a problem hiding this comment.
That's fine these two are what React's linter suggests as well
jonathanlloyd
force-pushed
the
fix-snow-tabnabbing-vuln
branch
from
0340cbb to
99a85c1
Compare
Member
|
Thanks for the PR! |
jhchen
pushed a commit
that referenced
this pull request
Sep 9, 2019
lsirivong
pushed a commit
to voxmedia/quill
that referenced
this pull request
Sep 21, 2020
cdesch
added a commit
to cdesch/django-quill-editor
that referenced
this pull request
Feb 5, 2021
Bump to Quill Version 1.3.7 - This version of Quill fixes Quill Vuln slab/quill#2438 Here is the change commit to fix the vuln in Quill slab/quill#2439 The Vuln is described here: https://ossindex.sonatype.org/vuln/d96c07dd-81f9-41f6-b2bd-531143bcaeab
LeeHanYeong
pushed a commit
to LeeHanYeong/django-quill-editor
that referenced
this pull request
Feb 9, 2021
* Bump to Quill Version 1.3.7 Bump to Quill Version 1.3.7 - This version of Quill fixes Quill Vuln slab/quill#2438 Here is the change commit to fix the vuln in Quill slab/quill#2439 The Vuln is described here: https://ossindex.sonatype.org/vuln/d96c07dd-81f9-41f6-b2bd-531143bcaeab * Adding JS/CSS include instructions from README.md Resolves issue [#33](#33)
LeeHanYeong
pushed a commit
to LeeHanYeong/django-quill-editor
that referenced
this pull request
Feb 27, 2021
…son_string' (#41) * Bump to Quill Version 1.3.7 Bump to Quill Version 1.3.7 - This version of Quill fixes Quill Vuln slab/quill#2438 Here is the change commit to fix the vuln in Quill slab/quill#2439 The Vuln is described here: https://ossindex.sonatype.org/vuln/d96c07dd-81f9-41f6-b2bd-531143bcaeab * Adding JS/CSS include instructions from README.md Resolves issue [#33](#33) * adding None return for json_string
This was referenced Mar 10, 2021
LeeHanYeong
pushed a commit
to LeeHanYeong/django-quill-editor
that referenced
this pull request
Dec 8, 2021
* Bump to Quill Version 1.3.7 Bump to Quill Version 1.3.7 - This version of Quill fixes Quill Vuln slab/quill#2438 Here is the change commit to fix the vuln in Quill slab/quill#2439 The Vuln is described here: https://ossindex.sonatype.org/vuln/d96c07dd-81f9-41f6-b2bd-531143bcaeab * Adding JS/CSS include instructions from README.md Resolves issue [#33](#33)
LeeHanYeong
pushed a commit
to LeeHanYeong/django-quill-editor
that referenced
this pull request
Dec 8, 2021
…son_string' (#41) * Bump to Quill Version 1.3.7 Bump to Quill Version 1.3.7 - This version of Quill fixes Quill Vuln slab/quill#2438 Here is the change commit to fix the vuln in Quill slab/quill#2439 The Vuln is described here: https://ossindex.sonatype.org/vuln/d96c07dd-81f9-41f6-b2bd-531143bcaeab * Adding JS/CSS include instructions from README.md Resolves issue [#33](#33) * adding None return for json_string
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #2438
The link has the target attribute set to _blank but has no rel property. This means that documents containing untrusted links make the page they are embedded in susceptible to tabnabbing https://www.owasp.org/index.php/Reverse_Tabnabbing.
This PR sets the rel property to noopener (also norefferer and nofollow)