Does _blank vulnerability, affect RT templates etc?

    • oj09
    • Hero Rocketeer
    • Posts: 395
    • Thanks: 0

    Does _blank vulnerability, affect RT templates etc?

    Posted 7 years 1 month ago
    • Hi There,

      I happened upon this issue https://dev.to/ben/the-targetblank-vulnerability-by-example that admittedly seems to have been around for quite a long time, but I'm only just aware of it. Naturally, this then made me concerned as to how RT templates deal with any "Open in New Window" ability in, e.g., "Gantry"-related modules etc.?

      Is this not something that is needed for RT / Gantry itself, as you enable users to utilise their chosen 3rd party Text Editor within their Joomla sites when using RT based templates, thus RT is free of this need?

      Or does it still need to support "When the target is set to "_blank", rel="noopener noreferrer" is added to any links in a RT template / gantry module or particle."?

      So, if it is needed to be incorporated within RT is this vulnerability already covered, whilst not directly RocketTheme's itself, as I wonder how many Joomla component users globally, are utilising standard target _blank to open their / external content in their various components, extensions and editor parameters etc - without this addition in the open in new window markup?

      I know that JCE have just released a new beta version of their editor "I have fixed this in JCE Pro 2.6.9 Beta6 When the target is set to "_blank", rel="noopener noreferrer" is added to the link." - covering off this vulnerability within hours of me asking them the same question, where I've also been in touch with various 3rd party component, extension, module or plugin developers who I actively utilise their wares.

      Also apparently TinyMCE have also recently done the same but it's still important to ask you guys and double check what's what at your end.

      If it has no knock-on effect, then delete this thread, but best to be safer than sorry. :)

      Regards,
    • MrT
    • Preeminent Rocketeer
    • Posts: 101084
    • Thanks: 13481
    • Web Designer/Developer

    Re: Does _blank vulnerability, affect RT templates etc?

    Posted 7 years 1 month ago
    • I've passed the information on to our DEVS - I was not aware of this but let's see what they say...


      Regards, Mark.
    • The following users have thanked you: oj09

    • Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information.
    • oj09
    • Hero Rocketeer
    • Posts: 395
    • Thanks: 0

    Re: Does _blank vulnerability, affect RT templates etc?

    Posted 7 years 1 month ago
    • No worries Mark, thanks in advance. :)

      I've also just posted similar in the Joomla FB group and may for what it's worth put it directly to Joomla.org but I would imagine the former would do this as a matter of course anyway.
    • MrT
    • Preeminent Rocketeer
    • Posts: 101084
    • Thanks: 13481
    • Web Designer/Developer

    Re: Does _blank vulnerability, affect RT templates etc?

    Posted 7 years 1 month ago
    • If you are using Gantry 5 just add this JS as an asset on the base outline.
      // Add rel="noopener noreferrer" to every link that opens in a new window.
      jQuery(window).on("load", function() {
          jQuery("a[target='_blank']").attr("rel", "noopener noreferrer");
      });
      Obviously make sure that you have jQuery loaded in the frameworks atom too.

      Regards, Mark.
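
A variant of the fix from the post above, as an added example that is not part of the original thread or RocketTheme's code: `.attr("rel", ...)` overwrites any `rel` value a link already has, so this version merges the two tokens into the existing value, matches `_blank` case-insensitively, and also covers links inserted after page load. It uses no jQuery, and the function names are illustrative.

```javascript
// Added example: merge rel tokens instead of overwriting them.
const REQUIRED = ["noopener", "noreferrer"];

// Return the rel value with each required token present exactly once,
// keeping tokens that are already there (e.g. "nofollow").
function mergeRel(rel) {
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  const seen = new Set(tokens.map((t) => t.toLowerCase()));
  for (const required of REQUIRED) {
    if (!seen.has(required)) {
      tokens.push(required);
      seen.add(required);
    }
  }
  return tokens.join(" ");
}

// True for links whose target is the "_blank" keyword
// (browsers compare it case-insensitively).
function opensNewWindow(link) {
  const target = link.getAttribute("target");
  return target !== null && target.toLowerCase() === "_blank";
}

// Harden every matching link under root; returns how many were changed.
function hardenLinks(root) {
  let changed = 0;
  for (const link of root.querySelectorAll("a[target], area[target]")) {
    if (!opensNewWindow(link)) continue;
    const before = link.getAttribute("rel");
    const after = mergeRel(before);
    if (after !== before) {
      link.setAttribute("rel", after);
      changed += 1;
    }
  }
  return changed;
}

// In a browser: run once the DOM is parsed, then again whenever
// scripts or editors insert new nodes.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    hardenLinks(document);
    new MutationObserver(() => hardenLinks(document))
      .observe(document.body, { childList: true, subtree: true });
  });
}
```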
    • oj09
    • Hero Rocketeer
    • Posts: 395
    • Thanks: 0

    Re: Does _blank vulnerability, affect RT templates etc?

    Posted 7 years 1 month ago
    • Mark,

      Thanks for that but can I clarify, as I've never had to use any JS assets in this way in my template before.

      In Base Outline > Page Settings > Assets > Javascript (section) > + = Add new Item?



      Also, when you say make sure I have JQuery loaded in the frameworks Atom too, how do I check this?

      Regards,
    • MrT
    • Preeminent Rocketeer
    • Posts: 101084
    • Thanks: 13481
    • Web Designer/Developer

    Re: Does _blank vulnerability, affect RT templates etc?

    Posted 7 years 1 month ago
    • Yes, now click on the "new item" and put the JS in - I would also rename that "new item" to something more meaningful.

      Scroll further down the page and you will see the "JS Frameworks" atom in the atom section - click on the "cog" icon for its settings and make sure that "JQuery" is toggled on.

      By the way, to fix this properly really requires that browsers be changed, and they're all in the process of doing this... Firefox will be fixed in FF52 due out soon.

      Regards, Mark.
    • Last Edit: 7 years 1 month ago by MrT.