Opened 23 months ago

Closed 23 months ago

Last modified 8 months ago

#2048 closed enhancement (fixed)

Auto-generated links to external sites should set rel="noopener noreferrer"

Reported by: nicklas
Owned by: everyone
Priority: minor
Milestone: BASE 3.10
Component: web
Version:
Keywords:
Cc:

Description

Description fields and some other fields that may contain URL links to external sites are automatically linked to that site. They are typically opened in a new window using target="_blank". The targeted URL may in some cases get access to the BASE site by using the window.opener reference in JavaScript. Browsers should normally protect against this (Firefox and IE/Edge seem to do this already). To get an extra layer of safety it is possible to tell the browser to not expose the window.opener property.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#attr-rel

https://css-tricks.com/random-interesting-facts-htmlsvg-usage/
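
The following is an added example, not code from BASE or from the changeset referenced in this ticket. It sketches an auto-linker that emits rel="noopener noreferrer" on every generated target="_blank" link, plus a check that flags anchors missing it; the function names and the sample URLs in the test are constructed for illustration.

```javascript
// Added example (not BASE code): auto-link URLs in plain text so that every
// generated anchor opens in a new window without exposing window.opener.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only http(s) URLs are linked; everything else stays as escaped text.
const URL_PATTERN = /https?:\/\/[^\s<>"']+/g;

function linkify(text) {
  let out = '';
  let last = 0;
  for (const match of text.matchAll(URL_PATTERN)) {
    // Trailing punctuation is usually sentence punctuation, not part of the URL.
    const url = match[0].replace(/[.,;:!?)]+$/, '');
    const safeUrl = escapeHtml(url);
    out += escapeHtml(text.slice(last, match.index));
    out += '<a href="' + safeUrl + '" target="_blank" rel="noopener noreferrer">' + safeUrl + '</a>';
    last = match.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Audit helper: list anchor tags that use target="_blank" but whose rel
// attribute has neither noopener nor noreferrer (noreferrer implies noopener).
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    const opensNewWindow = /\btarget\s*=\s*["']?_blank\b/i.test(tag);
    const relMatch = /\brel\s*=\s*["']([^"']*)["']/i.exec(tag);
    const tokens = (relMatch ? relMatch[1] : '').toLowerCase().split(/\s+/);
    if (opensNewWindow && !tokens.includes('noopener') && !tokens.includes('noreferrer')) {
      unsafe.push(tag);
    }
  }
  return unsafe;
}
```
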

Change History (6)

comment:1 Changed 23 months ago by nicklas

  • Resolution set to fixed
  • Status changed from new to closed

(In [7243]) Fixes #2048: Auto-generated links to external sites should set rel="noopener noreferrer"

comment:2 Changed 17 months ago by nicklas

(In [7361]) References #2048: Upgrade to Hibernate 5.2

Creating branch for working with this update since it will likely cause a lot of things to stop working initially.

comment:3 Changed 16 months ago by nicklas

(In [7396]) References #2048: Upgrade to Hibernate 5.2

Belongs to #2084 instead of this ticket.


comment:4 Changed 16 months ago by nicklas

(In [7397]) References #2048: Upgrade to Hibernate 5.2

The database schema generator needs to pass the supplied connection to the Hibernate tools (using the "javax.persistence.schema-generation-connection" configuration setting). If not, they will open a new connection. Under some circumstances this fails when used with extensions that via the "services" extension point try to initiate their own database schema and tables.

comment:5 Changed 12 months ago by nicklas

(In [7416]) References #2048: Upgrade to Hibernate 5.2

The Query.uniqueResult() throws an exception when it finds more than one item. We do not want that. We want it to return the first item found so we revert the code to something like it was before.

comment:6 Changed 8 months ago by nicklas

(In [7455]) References #2048: Upgrade to Hibernate 5.2

I hope this fixes the schema update problem. The SchemaMigrator has been replaced with code that goes directly into the internals of Hibernate and tries to check for an existing table using both quoted and unquoted table names. The generated SQL is then modified back to always use quoted table names. A good thing is that the "hack" mentioned in #2090 is no longer needed (due to the search-and-replace operation).
