This is an automated email from the ASF dual-hosted git repository.

brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git


The following commit(s) were added to refs/heads/master by this push:
     new 70b6677  2.11.0-M7-git-11 : add rel="noreferrer" to target="_blank" links
70b6677 is described below

commit 70b667758b3cd7ee23b748b1896e467fc02bd5a6
Author: brushed <[email protected]>
AuthorDate: Thu Mar 5 16:37:55 2020 +0100

    2.11.0-M7-git-11 : add rel="noreferrer" to target="_blank" links
---
 ChangeLog.md                                       | 31 ++++++++++++++--------
 .../src/main/java/org/apache/wiki/Release.java     |  2 +-
 .../java/org/apache/wiki/parser/LinkParser.java    | 13 +++++++++
 3 files changed, 34 insertions(+), 12 deletions(-)

diff --git a/ChangeLog.md b/ChangeLog.md
index 8668f04..6590212 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -17,16 +17,25 @@ specific language governing permissions and limitations
 under the License.
 -->
 
+
+**2002-03-04  Dirk Frederickx (brushed AT apache DOT org)**
+
+* _2.11.0-M7-git-11_
+
+* Links with target="_blank" can expose your site to performance and security 
issues.
+  Add rel="noreferrer" as protect against this issue.
+
+
 **2020-02-24  Juan Pablo Santos (juanpablo AT apache DOT org)**
 
 * _2.11.0-M7-git-10_
 
 * Finally, finished 
[JSPWIKI-120](https://issues.apache.org/jira/browse/JSPWIKI-120):
-    * Use `Engine` instead of `WikiEngine` throughout the code as much as 
possible. 
+    * Use `Engine` instead of `WikiEngine` throughout the code as much as 
possible.
     * `URLConstructor#initialize(..)` receives an `Engine` instead of a 
`WikiEngine`.
     * `InitializablePlugin` and implementing classes receive an `Engine` 
instead of a `WikiEngine`.
     * `PageFilter`s receive an `Engine` instead of a `WikiEngine` on 
`initialize` method.
-    * Rename + extract interfaces from `EditorManager`, 
`InternationalizationManager`, `SearchManager`, 
+    * Rename + extract interfaces from `EditorManager`, 
`InternationalizationManager`, `SearchManager`,
     and `TemplateManager`.
 
 * Updated Flexmark to 0.60.2
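Review bot: the new changelog entry at the top of this hunk is dated 2002-03-04, yet it is placed above the 2020-02-24 entry and the commit's AuthorDate is Thu Mar 5 2020; the date should be 2020-03-05 (or 2020-03-04 if that is the intended date), otherwise the entry sorts eighteen years out of place. The sentence `Add rel="noreferrer" as protect against this issue.` is also ungrammatical; suggest `Add rel="noreferrer" to protect against this issue.` Since this is the user-facing record of a security change, the entry would be more useful if it named the concrete issue being mitigated rather than the generic "performance and security issues", and noted that target="_blank" links rendered by the wiki will now carry the attribute automatically.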
@@ -37,15 +46,15 @@ under the License.
 
 * [JSPWIKI-120](https://issues.apache.org/jira/browse/JSPWIKI-120):
     * Use `Engine` inside `WikiContext`, `WikiSession`, `WikiPage`, 
`Attachment` and `SessionMonitor`.
-        * e.g. `WikiContext#getEngine()` now returns an `Engine` instead of a 
`WikiEngine`. To retrieve a manager 
-        from it just use `Engine#getManager( DesiredManager.class )`. See 
implementations on `getXXXManager()`  
-        methods on `WikiEngine` for details. 
+        * e.g. `WikiContext#getEngine()` now returns an `Engine` instead of a 
`WikiEngine`. To retrieve a manager
+        from it just use `Engine#getManager( DesiredManager.class )`. See 
implementations on `getXXXManager()`
+        methods on `WikiEngine` for details.
     * `WikiProvider#initialize(..)` receives an `Engine` instead of a 
`WikiEngine`.
     * `Engine` gains an `adapt( Class< E > cls )`, to facilitate downcasting 
to `Engine` implementation classes.
-    * Removed `Engine#getCurrentWatchDog()`, as it was a pass-through and 
introduced a package cycle; use instead 
-    `WatchDog#getCurrentWathDog( Engine )`. 
+    * Removed `Engine#getCurrentWatchDog()`, as it was a pass-through and 
introduced a package cycle; use instead
+    `WatchDog#getCurrentWathDog( Engine )`.
     `o.a.wiki` and `o.a.w.event`. To obtain the `WikiEngine` reference from 
the event just use `getSrc()`
-    * Rename + extract interfaces from `AttachmentManager`, 
`AuthenticationManager`, `AuthorizationManager`, 
+    * Rename + extract interfaces from `AttachmentManager`, 
`AuthenticationManager`, `AuthorizationManager`,
     `GroupManager` and `UserManager`.
 
 **2020-02-20  Juan Pablo Santos (juanpablo AT apache DOT org)**
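Review bot: this hunk only strips trailing whitespace from existing entries and makes no content change; bundling whitespace cleanup into a commit whose purpose is the rel="noreferrer" fix makes the functional part of the diff harder to review, and a separate formatting commit would be preferable. While these lines are being touched, the context line `WatchDog#getCurrentWathDog( Engine )` looks like a typo for `getCurrentWatchDog`; worth checking against the actual method name and correcting here if so.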
@@ -54,12 +63,12 @@ under the License.
 
 * [JSPWIKI-120](https://issues.apache.org/jira/browse/JSPWIKI-120): finally, 
extracted `Engine` interface from
 `WikiEngine`. It will be part of JSPWiki public API later on.
-    * removed direct reference to `WikiEngine` on `WikiEngineEvent`, in order 
to break package cycle between 
+    * removed direct reference to `WikiEngine` on `WikiEngineEvent`, in order 
to break package cycle between
     `o.a.wiki` and `o.a.w.event`. To obtain the `WikiEngine` reference from 
the event just use `getSrc()`
-    * extract new `PluginElement` interface from `PluginContent` in order to 
break a package/class cycle between 
+    * extract new `PluginElement` interface from `PluginContent` in order to 
break a package/class cycle between
     `PluginContent` and `ParserStagePlugin`
 
-* Merged [PR #13](https://github.com/apache/jspwiki/pull/13) from 
[Kideath](https://github.com/kideath) in order 
+* Merged [PR #13](https://github.com/apache/jspwiki/pull/13) from 
[Kideath](https://github.com/kideath) in order
 to fix russian translation. Thanks!
 
 * Dependency updates
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/Release.java 
b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
index c568b0e..9300941 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/Release.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
@@ -69,7 +69,7 @@ public final class Release {
      *  <p>
      *  If the build identifier is empty, it is not added.
      */
-    public static final String     BUILD         = "git-10";
+    public static final String     BUILD         = "git-11";
 
     /**
      *  This is the generic version string you should use when printing out 
the version.  It is of
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/parser/LinkParser.java 
b/jspwiki-main/src/main/java/org/apache/wiki/parser/LinkParser.java
index 0fb69c0..111a5cd 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/parser/LinkParser.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/parser/LinkParser.java
@@ -163,6 +163,12 @@ public class LinkParser
     private static final String[] PERMITTED_TARGET_VALUES = new String[] {
             "_blank", "_self", "_parent", "_top" };
 
+    /** Links with target="_blank" can expose your site to performance and 
security issues.
+        To fix, add rel="noopener" or rel="noreferrer" to these links.
+    */
+    private static final String REL = "rel";
+    private static final String NOREFERRER = "noreferrer";
+
     private static final String EQSQUO = "='";
     private static final String SQUO   = "'";
     private static final String EQ     = "=";
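Review bot: the comment above `REL` and `NOREFERRER` says to add `rel="noopener"` or `rel="noreferrer"`, but the code only ever emits `noreferrer`; the comment should state why that value was chosen. The two are not interchangeable: `noreferrer` also suppresses the Referer header on the outbound navigation, so sites linked from the wiki will stop seeing it as the referrer, which is a visible behaviour change worth recording here and in the ChangeLog. The Javadoc block is also indented inconsistently (the continuation line and the closing `*/` do not line up with the opening `/**`), unlike the other comments in this class.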
@@ -259,6 +265,13 @@ public class LinkParser
                                 {
                                     Attribute a = new Attribute(token,value);
                                     link.addAttribute(a);
+
+                                    if( token.equals(TARGET) )
+                                    {
+                                        Attribute rel = new 
Attribute(REL,NOREFERRER);
+                                        link.addAttribute(rel);
+                                   }
+
                                 }
                                 else
                                 {
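Review bot: the new block adds `rel="noreferrer"` whenever `token.equals(TARGET)`, without looking at `value`, so links with target="_self", "_parent" or "_top" (all listed in `PERMITTED_TARGET_VALUES` above) receive the attribute as well, while the commit message and the comment scope the change to target="_blank"; suggest `if( token.equals(TARGET) && "_blank".equals(value) )`. Second, if the link markup already carries a `rel` attribute, this unconditionally calls `link.addAttribute(rel)` a second time; unless `addAttribute` replaces an existing attribute of the same name (not visible in this hunk), the rendered anchor will have two `rel` attributes, so the existing value should be looked up and merged (e.g. `rel="nofollow noreferrer"`) rather than appended blindly. Finally, the closing brace of the new `if` block is indented one column less than its opening brace.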
