Commit Graph

2 Commits

Author     SHA1        Message                                                                       Date

simoleo89  24d10aced1  fix(security): harden external-link opening (protocol allow-list + noopener)  2026-06-17 19:12:01 +02:00

    URLs reached window.open from user/server-controlled content without a protocol check or noopener, allowing reverse-tabnabbing and (for the chat link handler) a javascript:/data: href running in our origin.

    - add isSafeExternalUrl() (http/https only) + tests; gate the chat link opener (useOnClickChat) and external photo opener with it
    - SanitizeHtml: afterSanitizeAttributes hook forces rel="noopener noreferrer" on any target=_blank anchor (overrides attacker-supplied rel)
    - add noopener,noreferrer to the remaining window.open(_blank) sites (YouTube share, external photo, guide forum link); drop a stray console.log

DuckieTM   7feb10ab15  🆙 Init V3                                                                    2026-01-31 09:10:52 +01:00