fix(security): harden external-link opening (protocol allow-list + noopener)

URLs reached window.open from user/server-controlled content without a protocol check or noopener, allowing reverse-tabnabbing and (for the chat link handler) a javascript:/data: href running in our origin.

- add isSafeExternalUrl() (http/https only) + tests; gate the chat link opener (useOnClickChat) and external photo opener with it

- SanitizeHtml: afterSanitizeAttributes hook forces rel="noopener noreferrer" on any target=_blank anchor (overrides attacker-supplied rel)

- add noopener,noreferrer to the remaining window.open(_blank) sites (YouTube share, external photo, guide forum link); drop a stray console.log
simoleo89
2026-06-17 19:12:01 +02:00
parent 301294ecf4
commit 24d10aced1
9 changed files with 106 additions and 9 deletions
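The http/https allow-list the commit message describes, as an added TypeScript example; it reuses the page's name isSafeExternalUrl() but is not the project's implementation, and the sample hrefs are constructed:

```typescript
// Added example, not the project's code: a protocol allow-list for URLs that are
// about to be passed to window.open. Only absolute http: and https: URLs pass.
const ALLOWED_PROTOCOLS: ReadonlySet<string> = new Set(['http:', 'https:']);

/** True only for an absolute URL the WHATWG URL parser accepts with an allowed scheme. */
export function isSafeExternalUrl(raw: unknown): boolean {
  if (typeof raw !== 'string') return false;
  try {
    // No base URL on purpose: relative ("/path") and protocol-relative ("//host")
    // inputs throw here, so they are rejected instead of resolving against our origin.
    const parsed = new URL(raw);
    // The parser lower-cases the scheme and strips surrounding whitespace, so
    // "  JavaScript:..." is seen as "javascript:" and rejected by the allow-list.
    return ALLOWED_PROTOCOLS.has(parsed.protocol);
  } catch {
    return false;
  }
}

/** Constructed sample hrefs, paired with the expected verdict, as a chat link handler might see them. */
export const SAMPLE_HREFS: ReadonlyArray<[string, boolean]> = [
  ['https://example.org/forum?groupid=42', true],
  ['http://example.org/', true],
  ['HTTPS://EXAMPLE.ORG/path', true],                  // scheme is case-insensitive
  ['javascript:alert(document.domain)', false],        // would run in our origin
  ['  JavaScript:alert(1)', false],                    // whitespace/case does not bypass
  ['data:text/html,<script>alert(1)</script>', false],
  ['vbscript:MsgBox(1)', false],
  ['//example.org/', false],                           // protocol-relative: rejected
  ['/relative/path', false],
  ['example.org', false],                              // bare host is not a URL
  ['', false],
];

/** Runs every sample through the check; true when all verdicts match. */
export function checkSamples(): boolean {
  return SAMPLE_HREFS.every(([href, expected]) => isSafeExternalUrl(href) === expected);
}
```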
+1 -1
@@ -321,7 +321,7 @@ export const GuideToolView: FC<{}> = props =>
return;
case 'forum_link':
const url: string = GetConfigurationValue<string>('group.homepage.url', '').replace('%groupid%', GetConfigurationValue<string>('guide.help.alpha.groupid', '0'));
window.open(url);
window.open(url, '_blank', 'noopener,noreferrer');
return;
}
}, [ isHandlingBullyReports, isHandlingGuideRequests, isHandlingHelpRequests, simpleAlert ]);
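Review bot: the forum link URL built here from `GetConfigurationValue<string>('group.homepage.url', ...)` still reaches `window.open(url, '_blank', 'noopener,noreferrer')` without the `isSafeExternalUrl()` gate that the commit message applies to the chat and photo openers, even though the message counts server-controlled content among the affected sources; either add `if (!isSafeExternalUrl(url)) return;` before the `window.open` call, or state in the commit message why `group.homepage.url` is trusted. Style point: the `const url` declaration sits directly in the `case 'forum_link':` clause; wrapping that clause body in braces keeps the binding scoped to the case.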