Bug 16095: Remove target="_blank" when a link refer to an external link

If you click on a link that opens a new tab/window to another site, that tab
has access to the original window through JavaScript. The browsing context is
related, even if the domains are totally different.

The tab retains access to the original window's object via window.opener, even
if you navigate to another page or domain, in the new or original window.
Access to the Window object means the new window can use Window.location to
open a different URL in the original window, perfect for phishing attacks.

Depending on the site's Same-Origin Policy settings, the new window may have
access to other parts of the original window's DOM as well.

Any  'A HREF' that contains a target of of '_blank' or '_new' or a fixed name
is vulnerable. Previous security best practice often suggested creating a random
fixed name for an unpredictable namespace - that won't help with this problem!
Targets of '_self' and '_parent' are safe.

We do not use _new (at first glance) but several _blank. Some are used
to refer internal url, we do not need to update or remove them. Others
are used to satisfy OPACURLOpenInNewWindow, in these case, we should add
the rel="noreferrer" attribute to the a tags.
In other cases, we can simply remove them and let the users discover
that a mouse has more than one button (we are in 2016, they can do it!)

Signed-off-by: Chris <chrisc@catalyst.net.nz>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/about.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/about.tt
index f52f587..dfe9d76 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/about.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/about.tt
@@ -707,12 +707,12 @@
                 </ul>
 
             <h2>jQuery Star Rating Plugin</h2>
-              <p>jQuery Star Rating Plugin v3.14 by <a href="http://www.fyneworks.com/">Fyneworks.com</a> is licensed under the <a target="_blank" href="http://en.wikipedia.org/wiki/MIT_License">MIT License</a> and the <a target="_blank" href="http://creativecommons.org/licenses/GPL/2.0/">GPL License</a>.</p>
+              <p>jQuery Star Rating Plugin v3.14 by <a href="http://www.fyneworks.com/">Fyneworks.com</a> is licensed under the <a href="http://en.wikipedia.org/wiki/MIT_License">MIT License</a> and the <a href="http://creativecommons.org/licenses/GPL/2.0/">GPL License</a>.</p>
 
             <p>Copyright &copy; 2008 <a href="http://www.fyneworks.com/">Fyneworks.com</a></p>
 
             <h2>jQuery insertAtCaret Plugin</h2>
-            <p>jQuery insertAtCaret Plugin v1.0 by the phpMyAdmin devel team is licensed under the <a target="_blank" href="http://www.gnu.org/licenses/gpl.html">GPL License</a>.</p>
+            <p>jQuery insertAtCaret Plugin v1.0 by the phpMyAdmin devel team is licensed under the <a href="http://www.gnu.org/licenses/gpl.html">GPL License</a>.</p>
 
             <p>Copyright &copy; 2003-2010 phpMyAdmin devel team</p>
 

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
index 74ff5f7..9fedd03 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
@@ -315,7 +315,7 @@ function delete_contact(ev) {
                 <p><span class="label">Phone: </span>[% phone %]</p>
                 <p><span class="label">Fax: </span>[% fax %]</p>
                 [% IF ( url ) %]
-                    <p><span class="label">Website: </span><a href="[% url %]" target="_blank">[% url %]</a></p>
+                    <p><span class="label">Website: </span><a href="[% url %]">[% url %]</a></p>
                 [% END %]
                 [% IF ( accountnumber ) %]
                     <p><span class="label">Account number: </span>[% accountnumber %]</p>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/basket/basket.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/basket/basket.tt
index a6e7c57..8ba7dab 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/basket/basket.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/basket/basket.tt
@@ -244,7 +244,7 @@ function batchDelete(){
             [% FOREACH MARCNOTE IN BIBLIO_RESULT.MARCNOTES %]
                 <p>
                 [% IF MARCNOTE.marcnote.match('^https?://\S+$') %]
-                    - <a target="_blank" href="[% MARCNOTE.marcnote %]">[% MARCNOTE.marcnote %]</a>
+                    - <a href="[% MARCNOTE.marcnote %]">[% MARCNOTE.marcnote %]</a>
                 [% ELSE %]
                     - [% MARCNOTE.marcnote %]
                 [% END %]

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
index 40681f3..5cf6697 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
@@ -858,7 +858,7 @@ function verify_images() {
     [% FOREACH MARCNOTE IN MARCNOTES %]
         <p>
         [% IF MARCNOTE.marcnote.match('^https?://\S+$') %]
-            <a target="_blank" href="[% MARCNOTE.marcnote %]">[% MARCNOTE.marcnote %]</a>
+            <a href="[% MARCNOTE.marcnote %]">[% MARCNOTE.marcnote %]</a>
         [% ELSE %]
             [% MARCNOTE.marcnote FILTER html_line_break %]
         [% END %]

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-basket.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-basket.tt
index 25661ff..fa7e496 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-basket.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-basket.tt
@@ -153,7 +153,7 @@
                                                 [% FOREACH MARCNOTE IN BIBLIO_RESULT.MARCNOTES %]
                                                     <p>
                                                     [% IF MARCNOTE.marcnote.match('^https?://\S+$') %]
-                                                        - <a target="_blank" href="[% MARCNOTE.marcnote %]">[% MARCNOTE.marcnote %]</a>
+                                                        - <a href="[% MARCNOTE.marcnote %]">[% MARCNOTE.marcnote %]</a>
                                                     [% ELSE %]
                                                         - [% MARCNOTE.marcnote %]
                                                     [% END %]
@@ -206,7 +206,7 @@
                                                         [% IF MARCurl.part %]<p>[% MARCurl.part %]</p>[% END %]
 
                                                         [% IF OPACURLOpenInNewWindow %]
-                                                            <a href="[% MARCurl.MARCURL %]" title="[% MARCurl.MARCURL %]" target="_blank">[% MARCurl.linktext %]</a>
+                                                            <a href="[% MARCurl.MARCURL %]" title="[% MARCurl.MARCURL %]" target="_blank" rel="noreferrer">[% MARCurl.linktext %]</a>
                                                         [% ELSE %]
                                                             <a href="[% MARCurl.MARCURL %]" title="[% MARCurl.MARCURL %]">[% MARCurl.linktext %]</a>
                                                         [% END %]

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
index 6bdcc47..e9a52b6 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
@@ -54,7 +54,7 @@
                     [% END %]
                     [% IF ( OPACAmazonCoverImages ) %]
                         [% IF ( OPACURLOpenInNewWindow ) %]
-                            <a href="http://www.amazon[% AmazonTld %]/gp/reader/[% normalized_isbn %]/ref=sib_dp_pt/002-7879865-0184864#reader-link" target="_blank">
+                            <a href="http://www.amazon[% AmazonTld %]/gp/reader/[% normalized_isbn %]/ref=sib_dp_pt/002-7879865-0184864#reader-link" target="_blank" rel="noreferrer">
                         [% ELSE %]
                             <a href="http://www.amazon[% AmazonTld %]/dp/[% normalized_isbn %]">
                         [% END %]
@@ -88,7 +88,7 @@
                     [% IF ( BakerTaylorEnabled && bt_id ) %]
                         [% IF BakerTaylorBookstoreURL %]
                             [% IF ( OPACURLOpenInNewWindow ) %]
-                                <a href="https://[% BakerTaylorBookstoreURL |html %][% bt_id %]" target="_blank"><img alt="See Baker &amp; Taylor" src="[% BakerTaylorImageURL |html %][% bt_id %]" /></a>
+                                <a href="https://[% BakerTaylorBookstoreURL |html %][% bt_id %]" target="_blank" rel="noreferrer"><img alt="See Baker &amp; Taylor" src="[% BakerTaylorImageURL |html %][% bt_id %]" /></a>
                             [% ELSE %]
                                 <a href="https://[% BakerTaylorBookstoreURL |html %][% bt_id %]"><img alt="See Baker &amp; Taylor" src="[% BakerTaylorImageURL |html %][% bt_id %]" /></a>
                             [% END %]
@@ -337,9 +337,9 @@
 
                                         [% IF ( OPACURLOpenInNewWindow ) %]
                                             [% IF trackclicks == 'track' || trackclicks == 'anonymous' %]
-                                                <a href="/cgi-bin/koha/tracklinks.pl?uri=[% MARCurl.MARCURL |url%]&amp;biblionumber=[% biblionumber | url %]" title="[% MARCurl.MARCURL %]" target="_blank">
+                                                <a href="/cgi-bin/koha/tracklinks.pl?uri=[% MARCurl.MARCURL |url%]&amp;biblionumber=[% biblionumber | url %]" title="[% MARCurl.MARCURL %]" target="_blank" rel="noreferrer">
                                             [% ELSE %]
-                                                <a href="[% MARCurl.MARCURL %]" title="[% MARCurl.MARCURL %]" target="_blank">
+                                                <a href="[% MARCurl.MARCURL %]" title="[% MARCurl.MARCURL %]" target="_blank" rel="noreferrer">
                                             [% END %]
                                         [% ELSE %]
                                             [% IF trackclicks == 'track' || trackclicks == 'anonymous' %]
@@ -436,9 +436,9 @@
                             <span class="results_summary">
                                 <span class="label">Series information:</span>
                                 [% IF ( using_https ) %]
-                                    <a target="_blank" href="https://secure.syndetics.com/ffseries.aspx?isbn=[% normalized_isbn %]&amp;type=series&amp;num=1&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]">Click to open in new window</a>
+                                    <a target="_blank" rel="noreferrer" href="https://secure.syndetics.com/ffseries.aspx?isbn=[% normalized_isbn %]&amp;type=series&amp;num=1&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]">Click to open in new window</a>
                                 [% ELSE %]
-                                    <a target="_blank" href="http://www.syndetics.com/ffseries.aspx?isbn=[% normalized_isbn %]&amp;type=series&amp;num=1&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]">Click to open in new window</a>
+                                    <a target="_blank" rel="noreferrer" href="http://www.syndetics.com/ffseries.aspx?isbn=[% normalized_isbn %]&amp;type=series&amp;num=1&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]">Click to open in new window</a>
                                 [% END %]
                             </span>
                         [% END # / IF SyndeticsSeries && SyndeticsSERIES1Exists%]
@@ -446,9 +446,9 @@
                             <span class="results_summary">
                                 <span class="label">Audiovisual profile:</span>
                                 [% IF ( using_https ) %]
-                                    <a target="_blank" href="https://secure.syndetics.com/index.aspx?isbn=[% normalized_isbn %]/avprofile.html&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]&amp;type=xw10">Click to open in new window</a>
+                                    <a target="_blank" rel="noreferrer" href="https://secure.syndetics.com/index.aspx?isbn=[% normalized_isbn %]/avprofile.html&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]&amp;type=xw10">Click to open in new window</a>
                                 [% ELSE %]
-                                    <a target="_blank" href="http://www.syndetics.com/index.aspx?isbn=[% normalized_isbn %]/avprofile.html&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]&amp;type=xw10">Click to open in new window</a>
+                                    <a target="_blank" rel="noreferrer" href="http://www.syndetics.com/index.aspx?isbn=[% normalized_isbn %]/avprofile.html&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]&amp;type=xw10">Click to open in new window</a>
                                 [% END %]
                             </span>
                         [% END # / IF SyndeticsAVPROFILEExists %]
@@ -457,9 +457,9 @@
                             <span class="results_summary">
                             <span class="label">Fiction notes:</span>
                                 [% IF ( using_https ) %]
-                                    <a target="_blank" href="https://secure.syndetics.com/index.aspx?isbn=[% normalized_isbn %]/fiction.html&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]&amp;type=xw10">Click to open in new window</a>
+                                    <a target="_blank" rel="noreferrer" href="https://secure.syndetics.com/index.aspx?isbn=[% normalized_isbn %]/fiction.html&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]&amp;type=xw10">Click to open in new window</a>
                                 [% ELSE %]
-                                    <a target="_blank" href="http://www.syndetics.com/index.aspx?isbn=[% normalized_isbn %]/fiction.html&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]&amp;type=xw10">Click to open in new window</a>
+                                    <a target="_blank" rel="noreferrer" href="http://www.syndetics.com/index.aspx?isbn=[% normalized_isbn %]/fiction.html&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]&amp;type=xw10">Click to open in new window</a>
                                 [% END %]
                             </span>
                         [% END # / IF SyndeticsFICTIONExists %]
@@ -468,9 +468,9 @@
                             <span class="results_summary">
                                 <span class="label">Awards:</span>
                                 [% IF ( using_https ) %]
-                                    <a target="_blank" href="https://secure.syndetics.com/ffawards.aspx?isbn=[% normalized_isbn %]&amp;type=awards&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]">Click to open in new window</a>
+                                    <a target="_blank" rel="noreferrer" href="https://secure.syndetics.com/ffawards.aspx?isbn=[% normalized_isbn %]&amp;type=awards&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]">Click to open in new window</a>
                                 [% ELSE %]
-                                    <a target="_blank" href="http://www.syndetics.com/ffawards.aspx?isbn=[% normalized_isbn %]&amp;type=awards&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]">Click to open in new window</a>
+                                    <a target="_blank" rel="noreferrer" href="http://www.syndetics.com/ffawards.aspx?isbn=[% normalized_isbn %]&amp;type=awards&amp;client=[% SyndeticsClientCode %][% IF ( normalized_upc ) %]&amp;upc=[% normalized_upc %][% END %][% IF ( normalized_oclc ) %]&amp;oclc=[% normalized_oclc %][% END %]">Click to open in new window</a>
                                 [% END %]
                             </span>
                         [% END # / IF SyndeticsAwards && SyndeticsAWARDS1Exists %]
@@ -515,7 +515,7 @@
                     [% IF ( BakerTaylorContentURL ) %]
                         <span class="results_summary">
                         <span class="label">Enhanced content: </span>
-                              [% IF ( OPACURLOpenInNewWindow ) %]<a href="[% BakerTaylorContentURL |html %]" target="_blank">Content Cafe</a>[% ELSE %]<a href="[% BakerTaylorContentURL |html %]">Content Cafe</a>[% END %]
+                              [% IF ( OPACURLOpenInNewWindow ) %]<a href="[% BakerTaylorContentURL |html %]" target="_blank" rel="noreferrer">Content Cafe</a>[% ELSE %]<a href="[% BakerTaylorContentURL |html %]">Content Cafe</a>[% END %]
                         </span>
                     [% END # / IF BakerTaylorContentURL %]
 
@@ -719,7 +719,7 @@
                                 [% FOREACH MARCNOTE IN MARCNOTES %]
                                     <p>
                                     [% IF MARCNOTE.marcnote.match('^https?://\S+$') %]
-                                        <a target="_blank" href="[% MARCNOTE.marcnote %]">[% MARCNOTE.marcnote %]</a>
+                                        <a href="[% MARCNOTE.marcnote %]">[% MARCNOTE.marcnote %]</a>
                                     [% ELSE %]
                                         [% MARCNOTE.marcnote FILTER html_line_break %]
                                     [% END %]
@@ -1287,13 +1287,13 @@
                             [% IF ITEM_RESULT.uri %]
                                 [% IF trackclicks == 'track' || trackclicks == 'anonymous' %]
                                     [% IF Koha.Preference("OPACURLOpenInNewWindow") %]
-                                    <a target="_blank" href="/cgi-bin/koha/tracklinks.pl?uri=[% ITEM_RESULT.uri | url %]&amp;biblionumber=[% biblionumber |url %]&amp;itemnumber=[% ITEM_RESULT.itemnumber | url %]" property="url"> Link to resource </a>
+                                    <a target="_blank" rel="noreferrer" href="/cgi-bin/koha/tracklinks.pl?uri=[% ITEM_RESULT.uri | url %]&amp;biblionumber=[% biblionumber |url %]&amp;itemnumber=[% ITEM_RESULT.itemnumber | url %]" property="url"> Link to resource </a>
                                     [% ELSE %]
                                     <a href="/cgi-bin/koha/tracklinks.pl?uri=[% ITEM_RESULT.uri | url %]&amp;biblionumber=[% biblionumber |url %]&amp;itemnumber=[% ITEM_RESULT.itemnumber | url %]" property="url"> Link to resource </a>
                                     [% END %]
                                 [% ELSE %]
                                     [% IF Koha.Preference("OPACURLOpenInNewWindow") %]
-                                    <a target="_blank" href="[% ITEM_RESULT.uri %]" property="url">[% ITEM_RESULT.uri %]</a>
+                                    <a target="_blank" rel="noreferrer" href="[% ITEM_RESULT.uri %]" property="url">[% ITEM_RESULT.uri %]</a>
                                     [% ELSE %]
                                     <a href="[% ITEM_RESULT.uri %]" property="url">[% ITEM_RESULT.uri %]</a>
                                     [% END %]

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-idref.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-idref.tt
index 85a0191..fdb1d72 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-idref.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-idref.tt
@@ -36,7 +36,7 @@
                   <tr>
                     <td>[% doc.citation %]</td>
                     <td><a href="/cgi-bin/koha/opac-search.pl?q=ident:[% doc.ppn %]" target="_blank">Koha</a></td>
-                    <td><a href="http://www.sudoc.fr/[% doc.ppn %]" target="_blank">Sudoc</a></td>
+                    <td><a href="http://www.sudoc.fr/[% doc.ppn %]" target="_blank" rel="noreferrer">Sudoc</a></td>
                   </tr>
                 [% END %]
               </tbody>

diff --git a/koha-tmpl/opac-tmpl/bootstrap/js/google-jackets.js b/koha-tmpl/opac-tmpl/bootstrap/js/google-jackets.js
index bede2d7..49566ed 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/js/google-jackets.js
+++ b/koha-tmpl/opac-tmpl/bootstrap/js/google-jackets.js
@@ -41,7 +41,7 @@ KOHA.Google = {
     gbsCallBack: function(booksInfo) {
          var target = '';
          if (this.openInNewWindow) {
-            target = 'target="_blank" ';
+            target = 'target="_blank" rel="noreferrer" ';
          }
          for (id in booksInfo) {
              var book = booksInfo[id];