Fix tab nabbing vulnerability in formatted links #2674
Conversation
- Add attribute rel="noopener noreferrer" to <a> tags created by formats/link.js - Make unit tests for links expect rel attribute
|
@jhchen can we get this merged and released please? |
| @@ -4,6 +4,7 @@ class Link extends Inline { | |||
| static create(value) { | |||
| const node = super.create(value); | |||
| node.setAttribute('href', this.sanitize(value)); | |||
| node.setAttribute('rel', 'noopener noreferrer'); | |||
There was a problem hiding this comment.
Is noreferrer required? If I'm correct this was a workaround for FF, which was fixed in FF 52. This will cause issues with analytics reporting where traffic came from
There was a problem hiding this comment.
Hmm 🤔 I think it would be best as a config option to set that
There was a problem hiding this comment.
Would using a property such as Link.REL = "noopener"; be efficient?
There was a problem hiding this comment.
According to caniuse, the rel=noopener attribute is not supported by IE11, with rel=noreferrer at least being supported in Win 10 creators update versions of IE11. That's why I picked both attributes here.
This will cause issues with analytics reporting where traffic came from
Personally I would consider this a feature. But I could understand if you didn't want to make this decision as part of your library.
There was a problem hiding this comment.
Ah my apologies, I should have checked IE support! This is good to go then. Thanks 😃
There was a problem hiding this comment.
Awesome :)
Please note though, that for a release that fixes the complete vulnerability, this commit as well as #2439 have to be included.
|
@jl-welch when will there be a release with these fixes? We have a security finding in our application because of this. |
|
Can we please get a release on this fix?? |
|
npm audit link for those who want it : https://www.npmjs.com/advisories/1039 |
|
@jhchen @Jamesking56 @jl-welch Hey guys! Thanks for all the good work. What's the status of getting this released? |
|
@harkylton I think @jhchen is the only one who can merge + deploy and he hasn't responded to this in a long while... |
|
I'm also very interested in seeing this merged and released. |
|
Same here, the sooner the fix is merged and released the better. |
|
+1 Same here, I am also looking to apply this patch to my Quill-based application, but would prefer to specify an actual release number in my package.json (as opposed to a specific git commit). |
|
I have managed to make a custom fork with the patches included. It is still versioned as To install just run |
|
Awesome! Thanks for doing this.
Get Outlook for iOS<https://aka.ms/o0ukef>
…________________________________
From: James King <notifications@github.com>
Sent: Monday, September 2, 2019 2:49:20 AM
To: quilljs/quill <quill@noreply.github.com>
Cc: Troy Steffen <troysteffen@gmail.com>; Comment <comment@noreply.github.com>
Subject: Re: [quilljs/quill] Fix tab nabbing vulnerability in formatted links (#2674)
I have managed to make a custom fork with the patches included. It is still versioned as 1.3.6 but includes both tabnapping patches (this PR and #2439<#2439>).
To install just run npm i https://github.com/momentumstudi0/quill.git#1.3.6 --save
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#2674>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AAO25JNDH4JIR34VZFNQO3DQHTAQBANCNFSM4H6UDFFA>.
|
The vulnerability described in #2438 was not fully fixed with PR #2439 .
Using quill in readonly mode to display content still results in vulnerable anchor tags, because
the create function in formats/link.js sets target="_blank" but not rel="noopener noreferrer".
This pull request in combination with #2439 mitigates the tab nabbing vulnerability.