From 54e8e72ad254256541a903516a9247c304ec278a Mon Sep 17 00:00:00 2001 
From: Joseph Schorr Date: Thu, 28 Apr 2016 14:38:22 -0400 Subject: [PATCH] Fix all target="_blank" anchors to be safer Fixes #1411 --- events/build_event.html | 2 +- events/build_failure.html | 2 +- events/build_queued.html | 2 +- events/build_start.html | 2 +- events/build_success.html | 2 +- events/vulnerability_found.html | 2 +- static/directives/application-info.html | 2 +- static/directives/application-manager.html | 2 +- .../directives/authorized-apps-manager.html | 2 +- static/directives/build-log-error.html | 4 +-- static/directives/build-logs-view.html | 2 +- .../directives/config/config-setup-tool.html | 26 +++++++++---------- .../create-external-notification-dialog.html | 4 +-- .../directives/external-logins-manager.html | 2 +- .../external-notification-view.html | 2 +- static/directives/header-bar.html | 8 +++--- .../directives/image-vulnerability-view.html | 2 +- .../directives/old-image-security-view.html | 2 +- static/directives/recovery-form.html | 2 +- .../directives/repo-view/repo-panel-info.html | 2 +- .../directives/repo-view/repo-panel-tags.html | 2 +- static/directives/setup-trigger-dialog.html | 4 +-- static/directives/source-commit-link.html | 2 +- static/directives/source-ref-link.html | 4 +-- static/directives/tour-content.html | 2 +- static/directives/trigger-setup-githost.html | 4 +-- .../bitbucket/trigger-description.html | 2 +- .../trigger/custom-git/credentials.html | 4 +-- .../custom-git/trigger-description.html | 2 +- .../trigger/githost/credentials.html | 2 +- .../trigger/github/trigger-description.html | 2 +- .../triggered-build-description.html | 4 +-- static/js/ng-safenewtab.js | 10 +++++++ static/partials/landing-normal.html | 10 +++---- static/partials/manage-application.html | 4 +-- static/partials/super-user.html | 2 +- static/tutorial/done.html | 2 +- templates/base.html | 4 +-- templates/oauthorize.html | 2 +- 39 files changed, 76 insertions(+), 66 deletions(-) create mode 100644 static/js/ng-safenewtab.js 
diff --git a/events/build_event.html b/events/build_event.html index a60b38a4a..dbbca4d0f 100644 --- a/events/build_event.html +++ b/events/build_event.html @@ -30,4 +30,4 @@ for repository {{ event_data.repository | repository_reference }} {% if event_data.error_message %}
{{ event_data.error_message }}
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/events/build_failure.html b/events/build_failure.html
index c65ad9bf7..205e5ff76 100644
--- a/events/build_failure.html
+++ b/events/build_failure.html
@@ -1,2 +1,2 @@
 {% extends "build_event.html" %}
-{% block eventkind %}failure{% endblock %}
\ No newline at end of file
+{% block eventkind %}failure{% endblock %}
diff --git a/events/build_queued.html b/events/build_queued.html
index 98d4cd750..85e4a8ad9 100644
--- a/events/build_queued.html
+++ b/events/build_queued.html
@@ -1,2 +1,2 @@
 {% extends "build_event.html" %}
-{% block eventkind %}queued{% endblock %}
\ No newline at end of file
+{% block eventkind %}queued{% endblock %}
diff --git a/events/build_start.html b/events/build_start.html
index 6a658002d..7c4cdbbb8 100644
--- a/events/build_start.html
+++ b/events/build_start.html
@@ -1,2 +1,2 @@
 {% extends "build_event.html" %}
-{% block eventkind %}started{% endblock %}
\ No newline at end of file
+{% block eventkind %}started{% endblock %}
diff --git a/events/build_success.html b/events/build_success.html
index c196d3044..d2d753e79 100644
--- a/events/build_success.html
+++ b/events/build_success.html
@@ -1,2 +1,2 @@
 {% extends "build_event.html" %}
-{% block eventkind %}completed{% endblock %}
\ No newline at end of file
+{% block eventkind %}completed{% endblock %}
diff --git a/events/vulnerability_found.html b/events/vulnerability_found.html
index f20f4053b..618cca4b0 100644
--- a/events/vulnerability_found.html
+++ b/events/vulnerability_found.html
@@ -1,4 +1,4 @@ A {{ event_data.vulnerability.priority }} vulnerability ({{ event_data.vulnerability.id }}) was detected in tags {{ 'tags' | icon_image }} {% for tag in event_data.tags %}{%if loop.index > 1 %}, {% endif %}{{ (event_data.repository, tag) | repository_tag_reference }}{% endfor %} in - repository {{ event_data.repository | repository_reference }} \ No newline at end of file + repository {{ event_data.repository | repository_reference }} diff --git a/static/directives/application-info.html b/static/directives/application-info.html index 960bee7ed..d6e136597 100644 --- a/static/directives/application-info.html +++ b/static/directives/application-info.html @@ -1,7 +1,7 @@
-

{{ application.name }}

+

{{ application.name }}

{{ application.organization.name }}

diff --git a/static/directives/application-manager.html b/static/directives/application-manager.html index 620cca83d..5c01d9a06 100644 --- a/static/directives/application-manager.html +++ b/static/directives/application-manager.html @@ -29,7 +29,7 @@ {{ app.name }} - {{ app.application_uri }} + {{ app.application_uri }}
diff --git a/static/directives/authorized-apps-manager.html b/static/directives/authorized-apps-manager.html index d9dfc4349..c04968bdb 100644 --- a/static/directives/authorized-apps-manager.html +++ b/static/directives/authorized-apps-manager.html @@ -22,7 +22,7 @@ - {{ authInfo.application.name }} diff --git a/static/directives/build-log-error.html b/static/directives/build-log-error.html index db5c81eae..24c3c1d84 100644 --- a/static/directives/build-log-error.html +++ b/static/directives/build-log-error.html @@ -6,11 +6,11 @@ Error 403: Could not pull private base image {{ localPullInfo.repo }} without robot account credentials. Please see - Setting up build trigger credentials for more information. + Setting up build trigger credentials for more information. Error 403: Could not pull private base image {{ localPullInfo.repo }} because robot account {{ localPullInfo.username}} does not have access. Please see - Setting up build trigger credentials for more information. + Setting up build trigger credentials for more information. diff --git a/static/directives/build-logs-view.html b/static/directives/build-logs-view.html index b1cf1aebc..12ad935ab 100644 --- a/static/directives/build-logs-view.html +++ b/static/directives/build-logs-view.html @@ -7,7 +7,7 @@ Download Logs diff --git a/static/directives/config/config-setup-tool.html b/static/directives/config/config-setup-tool.html index 6128ebf8d..b7386782e 100644 --- a/static/directives/config/config-setup-tool.html +++ b/static/directives/config/config-setup-tool.html @@ -148,7 +148,7 @@
-

A redis key-value store is required for real-time events and build logs.

+

A redis key-value store is required for real-time events and build logs.

@@ -272,7 +272,7 @@ {{ field.help_text }}
- See Documentation for more information + See Documentation for more information
@@ -289,11 +289,11 @@
- rkt Conversion + rkt Conversion
-

If enabled, all images in the registry can be fetched via rkt fetch or any other AppC discovery-compliant implementation.

+

If enabled, all images in the registry can be fetched via rkt fetch or any other AppC discovery-compliant implementation.

@@ -302,7 +302,7 @@
- Documentation on generating these keys can be found at Generating ACI Signing Keys. + Documentation on generating these keys can be found at Generating ACI Signing Keys.
@@ -503,7 +503,7 @@ verifies user credentials on behalf of .
Documentation - on the API required can be found here: https://github.com/coreos/jwt-auth-example. + on the API required can be found here: https://github.com/coreos/jwt-auth-example.
@@ -597,7 +597,7 @@
Note: This will be stored in plaintext inside the config.yaml, so setting up a dedicated account or using - a password hash is highly recommended. + a password hash is highly recommended.
@@ -642,7 +642,7 @@

Note: A registered GitHub (Enterprise) OAuth application is required. View instructions on how to - + Create an OAuth Application in GitHub

@@ -729,7 +729,7 @@

Note: A registered Google OAuth application is required. Visit the - + Google Developer Console to register an application. @@ -777,7 +777,7 @@

Note: Build workers are required for this feature. - See Adding Build Workers for instructions on how to setup build workers. + See Adding Build Workers for instructions on how to setup build workers.
@@ -795,7 +795,7 @@

Note: A registered GitHub (Enterprise) OAuth application (separate from GitHub Authentication) is required. View instructions on how to - + Create an OAuth Application in GitHub

@@ -860,7 +860,7 @@

Note: A registered BitBucket OAuth application is required. View instructions on how to - + Create an OAuth Application in BitBucket

@@ -903,7 +903,7 @@

Note: A registered GitLab OAuth application is required. Visit the - + GitLab applications admin panel to create a new application. diff --git a/static/directives/create-external-notification-dialog.html b/static/directives/create-external-notification-dialog.html index b0d107d11..f45e7353e 100644 --- a/static/directives/create-external-notification-dialog.html +++ b/static/directives/create-external-notification-dialog.html @@ -132,7 +132,7 @@

- See: {{ getHelpUrl(field, currentConfig) }} + See: {{ getHelpUrl(field, currentConfig) }}

The contents for each event can be found in the user guide: + ng-safenewtab> http://docs.quay.io/guides/notifications.html
diff --git a/static/directives/external-logins-manager.html b/static/directives/external-logins-manager.html index af279b36f..648a6c44f 100644 --- a/static/directives/external-logins-manager.html +++ b/static/directives/external-logins-manager.html @@ -22,7 +22,7 @@ Attached to {{ provider.title() }} account - + {{ provider.getUserInfo(externalLoginInfo[provider.id]).username }} diff --git a/static/directives/external-notification-view.html b/static/directives/external-notification-view.html index eacdb9989..4faf305bf 100644 --- a/static/directives/external-notification-view.html +++ b/static/directives/external-notification-view.html @@ -8,7 +8,7 @@ diff --git a/static/directives/image-vulnerability-view.html b/static/directives/image-vulnerability-view.html index b31e6b8f6..240eec327 100644 --- a/static/directives/image-vulnerability-view.html +++ b/static/directives/image-vulnerability-view.html @@ -108,7 +108,7 @@ diff --git a/static/directives/old-image-security-view.html b/static/directives/old-image-security-view.html index f01e7755c..252f9678f 100644 --- a/static/directives/old-image-security-view.html +++ b/static/directives/old-image-security-view.html @@ -37,7 +37,7 @@ - + diff --git a/static/directives/recovery-form.html b/static/directives/recovery-form.html index 0679bb40a..5c49db179 100644 --- a/static/directives/recovery-form.html +++ b/static/directives/recovery-form.html @@ -21,4 +21,4 @@ - \ No newline at end of file + diff --git a/static/directives/repo-view/repo-panel-info.html b/static/directives/repo-view/repo-panel-info.html index 6d34ee462..be2eb5125 100644 --- a/static/directives/repo-view/repo-panel-info.html +++ b/static/directives/repo-view/repo-panel-info.html @@ -77,7 +77,7 @@ Automated Security Scanning (Preview) -
Continually scanning this repository for 17K+ known vulnerabilities. Read more about this feature.
+
Continually scanning this repository for 17K+ known vulnerabilities. Read more about this feature.
diff --git a/static/directives/repo-view/repo-panel-tags.html b/static/directives/repo-view/repo-panel-tags.html index 2310dd53d..bd740ca88 100644 --- a/static/directives/repo-view/repo-panel-tags.html +++ b/static/directives/repo-view/repo-panel-tags.html @@ -20,7 +20,7 @@
One or more of your tags has an extremely critical vulnerability which should be addressed immediately: - + {{ vuln.Name }}
diff --git a/static/directives/setup-trigger-dialog.html b/static/directives/setup-trigger-dialog.html index 5eb6814f8..ad4309aaa 100644 --- a/static/directives/setup-trigger-dialog.html +++ b/static/directives/setup-trigger-dialog.html @@ -49,7 +49,7 @@ Dockerfile found pulls from the private repository - + {{ pullInfo.analysis.namespace }}/{{ pullInfo.analysis.name }}
@@ -95,7 +95,7 @@
Note: No robot account currently has access to the private repository. Please create one and/or assign access in the - + repository's admin panel.
diff --git a/static/directives/source-commit-link.html b/static/directives/source-commit-link.html index 9a9d78a7a..e8a665926 100644 --- a/static/directives/source-commit-link.html +++ b/static/directives/source-commit-link.html @@ -2,7 +2,7 @@ - {{ commitSha.substring(0, 7) }} diff --git a/static/directives/source-ref-link.html b/static/directives/source-ref-link.html index d68e97594..11d4068da 100644 --- a/static/directives/source-ref-link.html +++ b/static/directives/source-ref-link.html @@ -3,13 +3,13 @@ - {{ getTitle(ref) }} + {{ getTitle(ref) }} - {{ getTitle(ref) }} + {{ getTitle(ref) }} diff --git a/static/directives/tour-content.html b/static/directives/tour-content.html index 1dc0f4f6e..ab17c0a83 100644 --- a/static/directives/tour-content.html +++ b/static/directives/tour-content.html @@ -164,7 +164,7 @@ Frank Macreery - Aptible - CTO & Co-Founder + Aptible - CTO & Co-Founder diff --git a/static/directives/trigger-setup-githost.html b/static/directives/trigger-setup-githost.html index 91343f6f2..1aeb6069e 100644 --- a/static/directives/trigger-setup-githost.html +++ b/static/directives/trigger-setup-githost.html @@ -125,7 +125,7 @@
  • - + {{ branchName }}
  • @@ -138,7 +138,7 @@
  • - + {{ tagName }}
  • diff --git a/static/directives/trigger/bitbucket/trigger-description.html b/static/directives/trigger/bitbucket/trigger-description.html index 5cfa4ecb1..357c3850b 100644 --- a/static/directives/trigger/bitbucket/trigger-description.html +++ b/static/directives/trigger/bitbucket/trigger-description.html @@ -4,4 +4,4 @@ {{ trigger.config.build_source }} - \ No newline at end of file + diff --git a/static/directives/trigger/custom-git/credentials.html b/static/directives/trigger/custom-git/credentials.html index 246d223b9..c3af014ab 100644 --- a/static/directives/trigger/custom-git/credentials.html +++ b/static/directives/trigger/custom-git/credentials.html @@ -5,6 +5,6 @@
  • You must give the following public key read access to the git repository.
  • You must set your repository to POST to the following URL to trigger a build.
  • - For more information, refer to the Custom Git Triggers documentation. + For more information, refer to the Custom Git Triggers documentation.

    - \ No newline at end of file + diff --git a/static/directives/trigger/custom-git/trigger-description.html b/static/directives/trigger/custom-git/trigger-description.html index eb8c53c40..2b41418ac 100644 --- a/static/directives/trigger/custom-git/trigger-description.html +++ b/static/directives/trigger/custom-git/trigger-description.html @@ -1,4 +1,4 @@ Push to {{ trigger.config.build_source }} - \ No newline at end of file + diff --git a/static/directives/trigger/githost/credentials.html b/static/directives/trigger/githost/credentials.html index 9a7616c49..341aa35c9 100644 --- a/static/directives/trigger/githost/credentials.html +++ b/static/directives/trigger/githost/credentials.html @@ -1,3 +1,3 @@

    The following key has been automatically added to your source control repository.

    -
    \ No newline at end of file + diff --git a/static/directives/trigger/github/trigger-description.html b/static/directives/trigger/github/trigger-description.html index 5a01c4aed..b10644f83 100644 --- a/static/directives/trigger/github/trigger-description.html +++ b/static/directives/trigger/github/trigger-description.html @@ -4,4 +4,4 @@ {{ trigger.config.build_source }} - \ No newline at end of file + diff --git a/static/directives/triggered-build-description.html b/static/directives/triggered-build-description.html index 990413b69..6936012a4 100644 --- a/static/directives/triggered-build-description.html +++ b/static/directives/triggered-build-description.html @@ -28,7 +28,7 @@
    + ng-safenewtab href="{{ TriggerService.getFullLinkTemplate(build, 'commit').replace('{sha}', TriggerService.getCommitSHA(build.trigger_metadata)) }}"> {{ getMessageSummary(build.trigger_metadata.commit_info.message) }} + ng-safenewtab> {{ build.trigger_metadata.commit_info.author.username }} diff --git a/static/js/ng-safenewtab.js b/static/js/ng-safenewtab.js new file mode 100644 index 000000000..a79c8febd --- /dev/null +++ b/static/js/ng-safenewtab.js @@ -0,0 +1,10 @@ +/** + * Adds both target="_blank" and rel="noopener" to the marked anchor tag. + * Background on noopener: https://mathiasbynens.github.io/rel-noopener/ + */ +angular.module('quay').directive('ngSafenewtab', function () { + return function (scope, element, attr) { + element.attr('target', '_blank'); + element.attr('rel', 'noopener'); + }; +}); \ No newline at end of file diff --git a/static/partials/landing-normal.html b/static/partials/landing-normal.html index 01927aa55..7bf0b21b7 100644 --- a/static/partials/landing-normal.html +++ b/static/partials/landing-normal.html @@ -54,16 +54,16 @@
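Review bot: In static/js/ng-safenewtab.js the link function sets only `rel="noopener"`, so a browser that does not implement that keyword still gives the opened page a usable `window.opener`. Adding `noreferrer` covers those browsers: `element.attr('rel', 'noopener noreferrer');`. The same call replaces whatever `rel` the anchor already had, so a value such as `nofollow` set in a template would be dropped; merging with the existing `attr.rel` avoids that. The attributes only appear once Angular compiles the element, so it is worth confirming that the anchors changed in templates/base.html and templates/oauthorize.html are inside the Angular app, since otherwise they presumably lose their new-tab behaviour. I would also extend the header comment with `// Applied at link time; anchors injected outside Angular compilation are not covered.`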
    @@ -129,7 +129,7 @@ Mike Saffitz - Apptentive - CTO & Co-Founder + Apptentive - CTO & Co-Founder
    Learn more diff --git a/static/partials/manage-application.html b/static/partials/manage-application.html index 8a7fcb10b..b5187c678 100644 --- a/static/partials/manage-application.html +++ b/static/partials/manage-application.html @@ -65,7 +65,7 @@
    -
    An e-mail address representing the Avatar for the application. See above for the icon.
    +
    An e-mail address representing the Avatar for the application. See above for the icon.
    diff --git a/static/partials/super-user.html b/static/partials/super-user.html index 03de52302..d124222b7 100644 --- a/static/partials/super-user.html +++ b/static/partials/super-user.html @@ -72,7 +72,7 @@ Select a service above to view its local logs
    - + Download All Local Logs (.tar.gz)
    diff --git a/static/tutorial/done.html b/static/tutorial/done.html index a98f7fd94..4b682947f 100644 --- a/static/tutorial/done.html +++ b/static/tutorial/done.html @@ -1 +1 @@ -That's it for the introduction tutorial! If you have any questions, please check the Documentation or contact us! +That's it for the introduction tutorial! If you have any questions, please check the Documentation or contact us! diff --git a/templates/base.html b/templates/base.html index c7c4eee27..bb0f5c8ac 100644 --- a/templates/base.html +++ b/templates/base.html @@ -212,7 +212,7 @@ mixpanel.init("{{ mixpanel_key }}", { track_pageview : false, debug: {{ is_debug
    - +
    @@ -251,7 +251,7 @@ mixpanel.init("{{ mixpanel_key }}", { track_pageview : false, debug: {{ is_debug b[k]=o+'d.write("'+p().replace(/"/g,String.fromCharCode(92)+'"')+'");d.close();'}a.P(2)};ld()};nt()})({ loader: "static.olark.com/jsclient/loader0.js",name:"olark",methods:["configure","extend","declare","identify"]}); /* custom configuration goes here (www.olark.com/documentation) */ - olark.identify('1189-336-10-9918');/*]]>*/ + olark.identify('1189-336-10-9918');/*]]>*/ {% endif %} diff --git a/templates/oauthorize.html b/templates/oauthorize.html index 1340d175e..4e547f7fd 100644 --- a/templates/oauthorize.html +++ b/templates/oauthorize.html @@ -14,7 +14,7 @@
    -
    {{ vulnerability.name }}{{ vulnerability.name }}