Opened 10 months ago

Closed 10 months ago

Last modified 3 months ago

#2048 closed enhancement (fixed)

Auto-generated links to external sites should set rel="noopener noreferrer"

Reported by: nicklas
Owned by: everyone
Priority: minor
Milestone: BASE 3.10
Component: web
Version:
Keywords:
Cc:

Description

Description fields and some other fields that may contain URL links to external sites are automatically linked to that site. They are typically opened in a new window using target="_blank". The targeted URL may in some cases get access to the BASE site by using the window.opener reference in JavaScript. Browsers should normally protect against this (Firefox and IE/Edge seem to do this already). To get an extra layer of safety it is possible to tell the browser to not expose the window.opener property.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#attr-rel

https://css-tricks.com/random-interesting-facts-htmlsvg-usage/
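An illustration of the fix this ticket asks for, added here as example code that is not BASE's own auto-linker: it finds URLs in a free-text field, escapes the surrounding text, and gives every link whose origin differs from the site's own (SITE_ORIGIN is an assumed placeholder) target="_blank" together with rel="noopener noreferrer", so the opened page receives no window.opener reference and no Referer header.

```javascript
// Added example, not BASE project code. Auto-links URLs in a text field and
// marks external links so the opened window cannot reach back via window.opener.
// SITE_ORIGIN is an assumed placeholder for the application's own origin.
const SITE_ORIGIN = "https://base.example.org";

// Matches http(s) URLs; quotes and angle brackets end the match so the href
// attribute cannot be broken out of by the URL text itself.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/g;

// Escape text before it is placed into HTML (both text nodes and attributes).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// A link is external when its origin (scheme + host + port) is not ours.
function isExternal(url) {
  try {
    return new URL(url).origin !== new URL(SITE_ORIGIN).origin;
  } catch {
    return true; // unparsable: treat as external, the more restrictive choice
  }
}

// Replace each URL in `text` with an anchor; external ones open in a new
// window without exposing window.opener (rel="noopener noreferrer").
function linkify(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    const url = m[0];
    out += escapeHtml(text.slice(last, m.index));
    const href = escapeHtml(url);
    out += isExternal(url)
      ? `<a href="${href}" target="_blank" rel="noopener noreferrer">${href}</a>`
      : `<a href="${href}">${href}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}
```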

Change History (4)

comment:1 Changed 10 months ago by nicklas

  • Resolution set to fixed
  • Status changed from new to closed

(In [7243]) Fixes #2048: Auto-generated links to external sites should set rel="noopener noreferrer"

comment:2 Changed 4 months ago by nicklas

(In [7361]) References #2048: Upgrade to Hibernate 5.2

Creating branch for working with this update since it will likely cause a lot of things to stop working initially.

comment:3 Changed 3 months ago by nicklas

(In [7396]) References #2048: Upgrade to Hibernate 5.2

Need to begin a transaction when creating a new piggy-backed session or Hibernate will complain about no active transaction when trying to commit.


comment:4 Changed 3 months ago by nicklas

(In [7397]) References #2048: Upgrade to Hibernate 5.2

The database schema generator needs to pass the supplied connection to the Hibernate tools (using the "javax.persistence.schema-generation-connection" configuration setting). If not, they will open a new connection. Under some circumstances this fails when used with extensions that via the "services" extension point try to initiate their own database schema and tables.
