Merge branch 'fix-links-target-blank' into 'security'

Adds rel="noopener noreferrer" to all links with target="_blank" See merge request !2071

Merge branch 'fix-links-target-blank' into 'security'
c5a9d73a · Jacob Schatz · DJ Mountney · 153b594c · c5a9d73a · c5a9d73a
Commit c5a9d73a authored 7 years ago by Jacob Schatz Committed by DJ Mountney 7 years ago
--- a/app/assets/javascripts/environments/components/environment_external_url.js
+++ b/app/assets/javascripts/environments/components/environment_external_url.js
@@ -14,6 +14,7 @@ export default {
      class="btn external_url"
      :href="externalUrl"
      target="_blank"
+      rel="noopener noreferrer"
      title="Environment external URL">
      <i class="fa fa-external-link" aria-hidden="true"></i>
    </a>

--- a/app/assets/javascripts/merge_request_widget.js
+++ b/app/assets/javascripts/merge_request_widget.js
@@ -14,13 +14,13 @@ import MiniPipelineGraph from './mini_pipeline_graph_dropdown';
         <%= ci_success_icon %>
         <span>
           Deployed to
-           <a href="<%- url %>" target="_blank" class="environment">
+           <a href="<%- url %>" target="_blank" rel="noopener noreferrer" class="environment">
             <%- name %>
           </a>
           <span class="js-environment-timeago" data-toggle="tooltip" data-placement="top" data-title="<%- deployed_at_formatted %>">
             <%- deployed_at %>
           </span>
-           <a class="js-environment-link" href="<%- external_url %>" target="_blank">
+           <a class="js-environment-link" href="<%- external_url %>" target="_blank" rel="noopener noreferrer">
             <i class="fa fa-external-link"></i>
             View on <%- external_url_formatted %>
           </a>

--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -215,6 +215,6 @@ module BlobHelper
  end
  
  def open_raw_file_button(path)
-    link_to icon('file-code-o'), path, class: 'btn btn-sm has-tooltip', target: '_blank', title: 'Open raw', data: { container: 'body' }
+    link_to icon('file-code-o'), path, class: 'btn btn-sm has-tooltip', target: '_blank', rel: 'noopener noreferrer', title: 'Open raw', data: { container: 'body' }
  end
 end
--- a/app/helpers/commits_helper.rb
+++ b/app/helpers/commits_helper.rb
@@ -211,7 +211,7 @@ module CommitsHelper
    external_url = environment.external_url_for(diff_new_path, commit_sha)
    return unless external_url
  
-    link_to(external_url, class: 'btn btn-file-option has-tooltip', target: '_blank', title: "View on #{environment.formatted_external_url}", data: { container: 'body' }) do
+    link_to(external_url, class: 'btn btn-file-option has-tooltip', target: '_blank', rel: 'noopener noreferrer', title: "View on #{environment.formatted_external_url}", data: { container: 'body' }) do
      icon('external-link')
    end
  end

--- a/app/helpers/import_helper.rb
+++ b/app/helpers/import_helper.rb
@@ -7,7 +7,7 @@ module ImportHelper
  def provider_project_link(provider, path_with_namespace)
    url = __send__("#{provider}_project_url", path_with_namespace)
  
-    link_to path_with_namespace, url, target: '_blank'
+    link_to path_with_namespace, url, target: '_blank', rel: 'noopener noreferrer'
  end
  
  private

--- a/app/views/admin/appearances/_form.html.haml
+++ b/app/views/admin/appearances/_form.html.haml
@@ -48,7 +48,7 @@
  .form-actions
    = f.submit 'Save', class: 'btn btn-save append-right-10'
    - if @appearance.persisted?
-      = link_to 'Preview last save', preview_admin_appearances_path, class: 'btn', target: '_blank'
+      = link_to 'Preview last save', preview_admin_appearances_path, class: 'btn', target: '_blank', rel: 'noopener noreferrer'
  
    - if @appearance.updated_at
      %span.pull-right

--- a/app/views/admin/application_settings/_form.html.haml
+++ b/app/views/admin/application_settings/_form.html.haml
@@ -404,7 +404,7 @@
            Enable Sentry
          .help-block
            Sentry is an error reporting and logging tool which is currently not shipped with GitLab, get it here:
-            %a{ href: 'https://getsentry.com', target: '_blank' } https://getsentry.com
+            %a{ href: 'https://getsentry.com', target: '_blank', rel: 'noopener noreferrer' } https://getsentry.com
  
    .form-group
      = f.label :sentry_dsn, 'Sentry DSN', class: 'control-label col-sm-2'

--- a/app/views/events/event/_note.html.haml
+++ b/app/views/events/event/_note.html.haml
@@ -15,6 +15,6 @@
        = link_to note.attachment.url, target: '_blank' do
          = image_tag note.attachment.url, class: 'note-image-attach'
      - else
-        = link_to note.attachment.url, target: "_blank", class: 'note-file-attach' do
+        = link_to note.attachment.url, target: '_blank',  class: 'note-file-attach' do
          %i.fa.fa-paperclip
          = note.attachment_identifier
--- a/app/views/help/index.html.haml
+++ b/app/views/help/index.html.haml
@@ -17,7 +17,7 @@
    %br
    Used by more than 100,000 organizations, GitLab is the most popular solution to manage git repositories on-premises.
    %br
-    Read more about GitLab at #{link_to promo_host, promo_url, target: '_blank'}.
+    Read more about GitLab at #{link_to promo_host, promo_url, target: '_blank', rel: 'noopener noreferrer'}.
    - if current_application_settings.help_page_text.present?
      %hr
      = markdown_field(current_application_settings, :help_page_text)

--- a/app/views/import/bitbucket/status.html.haml
+++ b/app/views/import/bitbucket/status.html.haml
@@ -33,7 +33,7 @@
      - @already_added_projects.each do |project|
        %tr{ id: "project_#{project.id}", class: "#{project_status_css_class(project.import_status)}" }
          %td
-            = link_to project.import_source, "https://bitbucket.org/#{project.import_source}", target: '_blank'
+            = link_to project.import_source, "https://bitbucket.org/#{project.import_source}", target: '_blank', rel: 'noopener noreferrer'
          %td
            = link_to project.path_with_namespace, [project.namespace.becomes(Namespace), project]
          %td.job-status
@@ -50,7 +50,7 @@
      - @repos.each do |repo|
        %tr{ id: "repo_#{repo.owner}___#{repo.slug}" }
          %td
-            = link_to repo.full_name, "https://bitbucket.org/#{repo.full_name}", target: "_blank"
+            = link_to repo.full_name, "https://bitbucket.org/#{repo.full_name}", target: '_blank', rel: 'noopener noreferrer'
          %td.import-target
            %fieldset.row
            .input-group
@@ -70,7 +70,7 @@
      - @incompatible_repos.each do |repo|
        %tr{ id: "repo_#{repo.owner}___#{repo.slug}" }
          %td
-            = link_to repo.full_name, "https://bitbucket.org/#{repo.full_name}", target: '_blank'
+            = link_to repo.full_name, "https://bitbucket.org/#{repo.full_name}", target: '_blank', rel: 'noopener noreferrer'
          %td.import-target
          %td.import-actions-job-status
            = label_tag 'Incompatible Project', nil, class: 'label label-danger'

--- a/app/views/import/gitlab/status.html.haml
+++ b/app/views/import/gitlab/status.html.haml
@@ -43,7 +43,7 @@
      - @repos.each do |repo|
        %tr{ id: "repo_#{repo["id"]}" }
          %td
-            = link_to repo["path_with_namespace"], "https://gitlab.com/#{repo["path_with_namespace"]}", target: "_blank"
+            = link_to repo["path_with_namespace"], "https://gitlab.com/#{repo["path_with_namespace"]}", target: "_blank", rel: 'noopener noreferrer'
          %td.import-target
            = import_project_target(repo['namespace']['path'], repo['name'])
          %td.import-actions.job-status

--- a/app/views/import/google_code/new.html.haml
+++ b/app/views/import/google_code/new.html.haml
@@ -13,7 +13,7 @@
    %li
      %p
        Go to
-        #{link_to "Google Takeout", "https://www.google.com/settings/takeout", target: "_blank"}.
+        #{link_to "Google Takeout", "https://www.google.com/settings/takeout", target: '_blank', rel: 'noopener noreferrer'}.
    %li
      %p
        Make sure you're logged into the account that owns the projects you'd like to import.

--- a/app/views/import/google_code/status.html.haml
+++ b/app/views/import/google_code/status.html.haml
@@ -36,7 +36,7 @@
      - @already_added_projects.each do |project|
        %tr{ id: "project_#{project.id}", class: "#{project_status_css_class(project.import_status)}" }
          %td
-            = link_to project.import_source, "https://code.google.com/p/#{project.import_source}", target: "_blank"
+            = link_to project.import_source, "https://code.google.com/p/#{project.import_source}", target: "_blank", rel: 'noopener noreferrer'
          %td
            = link_to project.path_with_namespace, [project.namespace.becomes(Namespace), project]
          %td.job-status
@@ -53,7 +53,7 @@
      - @repos.each do |repo|
        %tr{ id: "repo_#{repo.id}" }
          %td
-            = link_to repo.name, "https://code.google.com/p/#{repo.name}", target: "_blank"
+            = link_to repo.name, "https://code.google.com/p/#{repo.name}", target: "_blank", rel: 'noopener noreferrer'
          %td.import-target
            #{current_user.username}/#{repo.name}
          %td.import-actions.job-status
@@ -63,7 +63,7 @@
      - @incompatible_repos.each do |repo|
        %tr{ id: "repo_#{repo.id}" }
          %td
-            = link_to repo.name, "https://code.google.com/p/#{repo.name}", target: "_blank"
+            = link_to repo.name, "https://code.google.com/p/#{repo.name}", target: "_blank", rel: 'noopener noreferrer'
          %td.import-target
          %td.import-actions-job-status
            = label_tag "Incompatible Project", nil, class: "label label-danger"

--- a/app/views/koding/index.html.haml
+++ b/app/views/koding/index.html.haml
@@ -2,5 +2,5 @@
  %p
    = icon('circle', class: 'cgreen')
    Integration is active for
-    = link_to koding_project_url, target: '_blank' do
+    = link_to koding_project_url, target: '_blank', rel: 'noopener noreferrer' do
      #{current_application_settings.koding_url}
--- a/app/views/profiles/show.html.haml
+++ b/app/views/profiles/show.html.haml
@@ -18,7 +18,7 @@
            or change it at #{link_to Gitlab.config.gravatar.host, "http://" + Gitlab.config.gravatar.host}
    .col-lg-9
      .clearfix.avatar-image.append-bottom-default
-        = link_to avatar_icon(@user, 400), target: '_blank' do
+        = link_to avatar_icon(@user, 400), target: '_blank', rel: 'noopener noreferrer' do
          = image_tag avatar_icon(@user, 160), alt: '', class: 'avatar s160'
      %h5.prepend-top-0
        Upload new avatar

--- a/app/views/projects/blob/_image.html.haml
+++ b/app/views/projects/blob/_image.html.haml
@@ -9,7 +9,7 @@
    - else
      .nothing-here-block
        The SVG could not be displayed as it is too large, you can
-        #{link_to('view the raw file', namespace_project_raw_path(@project.namespace, @project, @id), target: '_blank')}
+        #{link_to('view the raw file', namespace_project_raw_path(@project.namespace, @project, @id), target: '_blank', rel: 'noopener noreferrer')}
        instead.
  - else
    %img{ src: namespace_project_raw_path(@project.namespace, @project, tree_join(@commit.id, blob.path)), alt: "#{blob.name}" }
--- a/app/views/projects/blob/_text.html.haml
+++ b/app/views/projects/blob/_text.html.haml
@@ -3,7 +3,7 @@
    .nothing-here-block
      File too large, you can
      = succeed '.' do
-        = link_to 'view the raw file', namespace_project_raw_path(@project.namespace, @project, @id), target: '_blank'
+        = link_to 'view the raw file', namespace_project_raw_path(@project.namespace, @project, @id), target: '_blank', rel: 'noopener noreferrer'
  
 - else
  - blob.load_all_data!(@repository)

--- a/app/views/projects/blob/edit.html.haml
+++ b/app/views/projects/blob/edit.html.haml
@@ -9,7 +9,7 @@
  - if @conflict
    .alert.alert-danger
      Someone edited the file the same time you did. Please check out
-      = link_to "the file", namespace_project_blob_path(@project.namespace, @project, tree_join(@target_branch, @file_path)), target: "_blank"
+      = link_to "the file", namespace_project_blob_path(@project.namespace, @project, tree_join(@target_branch, @file_path)), target: "_blank", rel: 'noopener noreferrer'
      and make sure your changes will not unintentionally remove theirs.
  
  .file-editor

--- a/app/views/projects/buttons/_koding.html.haml
+++ b/app/views/projects/buttons/_koding.html.haml
 - if koding_enabled? && current_user && @repository.koding_yml && can_push_branch?(@project, @project.default_branch)
-  = link_to koding_project_url(@project), class: 'btn project-action-button inline', target: '_blank' do
+  = link_to koding_project_url(@project), class: 'btn project-action-button inline', target: '_blank', rel: 'noopener noreferrer' do
    Run in IDE (Koding)
--- a/app/views/projects/cycle_analytics/_overview.html.haml
+++ b/app/views/projects/cycle_analytics/_overview.html.haml
@@ -9,7 +9,7 @@
              Cycle Analytics gives an overview of how much time it takes to go from idea to production in your project.
              To set up CA, you must first define a production environment by setting up your CI and then deploy to production.
            %p
-              %a.btn{ href: help_page_path('user/project/cycle_analytics'), target: "_blank" } Read more
+              %a.btn{ href: help_page_path('user/project/cycle_analytics'), target: '_blank' } Read more
          .col-md-6.overview-image
            %span.overview-icon
              = custom_icon ('icon_cycle_analytics_overview')