Back-port "fix: anchor tag safety" to 2.x #5419
Closed
Setting target="_blank" on anchor tags is unsafe unless used in conjunction with rel="noopener".
This is a back-port of dd3afdc (#4789) to fix the problem in version 2.x.
@shockey @JonathanParrilla PTAL
Description
I ran `grep -r target src/main/template` to find all places where we are creating links to external URLs and then fixed these places by adding the `rel="noopener noreferrer"` attribute.
Motivation and Context
In LoopBack, we are depending on swagger-ui version 2.x (see https:/strongloop/loopback-component-explorer). We tried to upgrade to 3.x, but found that such an upgrade requires too much effort, and thus decided to stick with 2.x.
Now we are seeing a security vulnerability reported for our module. I believe we are not affected by the vulnerability, because the possibly-malicious URLs are fully under the control of the person running swagger-ui, but it still looks bad that security checkers are reporting a vulnerability.
Can we back-port the fix from 3.x to 2.x please?
How Has This Been Tested?
I tried to run `npm test`; unfortunately it failed with a cryptic error:
I also tried to run `mocha` directly; unfortunately that failed too, in the test `should have "Swagger UI" in title`, with no diagnostic messages :(
Could you please advise how I can/should test this change?
Screenshots (if appropriate):
n/a
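An added example, not part of this PR or of swagger-ui's own code, that automates the grep-and-fix described above: it scans template text for `<a target="_blank">` anchors whose `rel` lacks `noopener` (or `noreferrer`, which implies it) and rewrites them. The sample template lines are constructed for the example.

```javascript
// Finds and fixes <a target="_blank"> tags that leave window.opener reachable.
// Assumed: templates are plain HTML/Handlebars text, attributes are quoted.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/g;
const REL_RE = /\brel\s*=\s*(?:"([^"]*)"|'([^']*)')/i;

// Parse the attribute text of one tag into a name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[3] ?? m[4] ?? m[5];
  }
  return attrs;
}

// rel="noreferrer" implies noopener, so either token makes the link safe.
function isSafeRel(rel) {
  const tokens = (rel || '').toLowerCase().split(/\s+/);
  return tokens.includes('noopener') || tokens.includes('noreferrer');
}

function isUnsafeBlank(attrs) {
  return (attrs.target || '').toLowerCase() === '_blank' && !isSafeRel(attrs.rel);
}

// Report every opening <a> tag that opens a new window without protection.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    if (isUnsafeBlank(parseAttrs(m[1]))) unsafe.push(m[0]);
  }
  return unsafe;
}

// Rewrite unsafe tags, keeping any existing rel tokens (e.g. nofollow).
function fixBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    if (!isUnsafeBlank(parseAttrs(attrText))) return tag;
    if (REL_RE.test(attrText)) {
      return tag.replace(REL_RE, (_, d, s) => `rel="${(d ?? s).trim()} noopener noreferrer"`);
    }
    return `<a${attrText} rel="noopener noreferrer">`;
  });
}

// Constructed sample template: two unsafe links, one safe, one without target.
const SAMPLE = [
  '<a href="{{url}}" target="_blank">{{url}}</a>',
  '<a target="_blank" rel="noopener noreferrer" href="/x">x</a>',
  '<a href="/y" rel="nofollow" target="_blank">y</a>',
  '<a href="/z">z</a>',
].join('\n');
```

Running `findUnsafeBlankLinks` over the template directory before and after `fixBlankLinks` gives the same check the grep did, but also catches tags where `rel` is present yet missing the protective token.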