Opened 7 years ago

Closed 7 years ago

Last modified 6 years ago

#2048 closed enhancement (fixed)

Auto-generated links to external sites should set rel="noopener noreferrer"

Reported by: Nicklas Nordborg
Owned by: everyone
Priority: minor
Milestone: BASE 3.10
Component: web
Version:
Keywords:
Cc:

Description

Description fields and some other fields that may contain URL links to external sites are automatically linked to that site. They are typically opened in a new window using target="_blank". The targeted URL may in some cases get access to the BASE site by using the window.opener reference in JavaScript. Browsers should normally protect against this (Firefox and IE/Edge seem to do this already). To get an extra layer of safety it is possible to tell the browser to not expose the window.opener property.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#attr-rel

https://css-tricks.com/random-interesting-facts-htmlsvg-usage/
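
The hardening requested in the description, sketched as an added example (this is not BASE's own code, which is not shown on this ticket): an auto-linker that escapes user text and puts rel="noopener noreferrer" on every external target="_blank" link, plus a check that flags generated anchors missing it. The names SITE_ORIGIN, autoLink and findUnsafeBlankLinks and the host base.example.org are assumptions made for the illustration.

```javascript
// Assumed origin of the local site; links to it are not treated as external.
const SITE_ORIGIN = "https://base.example.org";

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Anything that does not parse, or has a different origin, counts as external.
function isExternal(href, siteOrigin) {
  try {
    return new URL(href).origin !== new URL(siteOrigin).origin;
  } catch {
    return true;
  }
}

// Turn http(s) URLs in plain text into anchors. External links open in a new
// window, so they get rel="noopener noreferrer" to keep window.opener unset.
function autoLink(text, siteOrigin = SITE_ORIGIN) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(/https?:\/\/[^\s<>"']+/g)) {
    const url = m[0].replace(/[.,;:!?)]+$/, ""); // drop trailing punctuation
    const attrs = isExternal(url, siteOrigin)
      ? ' target="_blank" rel="noopener noreferrer"'
      : "";
    out += escapeHtml(text.slice(last, m.index));
    out += `<a href="${escapeHtml(url)}"${attrs}>${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Simple check over generated markup: list <a target="_blank"> tags whose rel
// has neither noopener nor noreferrer (noreferrer implies noopener).
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(/<a\b[^>]*>/gi)) {
    const tag = m[0];
    if (!/\btarget\s*=\s*["']?_blank/i.test(tag)) continue;
    const relMatch = tag.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const rel = (relMatch ? relMatch[1] : "").toLowerCase().split(/\s+/);
    if (!rel.includes("noopener") && !rel.includes("noreferrer")) unsafe.push(tag);
  }
  return unsafe;
}
```

The checker is a regular-expression scan meant for the linker's own output in a unit test, not a general HTML parser.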

Change History (6)

comment:1 by Nicklas Nordborg, 7 years ago

Resolution: fixed
Status: new → closed

(In [7243]) Fixes #2048: Auto-generated links to external sites should set rel="noopener noreferrer"

comment:2 by Nicklas Nordborg, 7 years ago

(In [7361]) References #2048: Upgrade to Hibernate 5.2

Creating branch for working with this update since it will likely cause a lot of things to stop working initially.

comment:3 by Nicklas Nordborg, 7 years ago

(In [7396]) References #2048: Upgrade to Hibernate 5.2

Belongs to #2084 instead of this ticket.

Last edited 7 years ago by Nicklas Nordborg

comment:4 by Nicklas Nordborg, 7 years ago

(In [7397]) References #2048: Upgrade to Hibernate 5.2

The database schema generator needs to pass the supplied connection to the Hibernate tools (using the "javax.persistence.schema-generation-connection" configuration setting). If not, they will open a new connection. Under some circumstances this fails when used with extensions that via the "services" extension point try to initiate their own database schema and tables.

comment:5 by Nicklas Nordborg, 6 years ago

(In [7416]) References #2048: Upgrade to Hibernate 5.2

The Query.uniqueResult() throws an exception when it finds more than one item. We do not want that. We want it to return the first item found so we revert the code to something like it was before.

comment:6 by Nicklas Nordborg, 6 years ago

(In [7455]) References #2048: Upgrade to Hibernate 5.2

I hope this fixes the schema update problem. The SchemaMigrator has been replaced with code that goes directly into the internals of Hibernate and tries to check for an existing table using both quoted and unquoted table names. The generated SQL is then modified back to always use quoted table names. A good thing is that the "hack" mentioned in #2090 is no longer needed (due to the search-and-replace operation).
