Details
New Feature
Status: Closed
Normal
Resolution: Fixed
1
Quasar
Puma sprint 271
Description
A common vulnerability regarding <a> elements with a _blank target (open in new window/tab) is to forget to set the "rel" attribute with the values noopener and noreferrer. Also see https://web.dev/external-anchors-use-rel-noopener/
We could fix this in CKEditor (which was attempted some time ago, see https://groups.google.com/g/hippo-community/c/n2XLSjPMWXs/m/bkAglRuuBQAJ), but I think it is way easier to make this a feature of the HTML-Processor service.
Since it should be a very conscious decision to not want to use the noopener and noreferrer "rel" attribute values in case of a target="_blank" link, we can safely introduce this as the default behavior and allow the user to disable it explicitly using configuration.
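The following is an added illustration of the proposed default behaviour, not code from the HTML-Processor service or from CKEditor: a small rewriter built on Python's standard-library html.parser that re-emits the markup unchanged except that every anchor whose target is _blank receives rel="noopener noreferrer" (merged with any rel tokens already present, without duplicating them). The rewriter class, the process_html helper and the add_rel_noopener switch that models the "disable explicitly using configuration" option are assumed names for this example.

```python
from html import escape
from html.parser import HTMLParser

# Tokens the description asks for on every target="_blank" anchor.
REQUIRED_REL = ("noopener", "noreferrer")


class NoopenerRewriter(HTMLParser):
    """Re-emit HTML verbatim, adding rel="noopener noreferrer" to <a target="_blank">.

    Hypothetical helper for this example; it is not the product's HTML-Processor.
    """

    def __init__(self, add_rel=True):
        # convert_charrefs=False keeps entity references intact so they can be re-emitted as written.
        super().__init__(convert_charrefs=False)
        self.add_rel = add_rel
        self.out = []

    def _format_attrs(self, attrs):
        # html.parser unescapes attribute values; escape them again on output.
        parts = []
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return (" " + " ".join(parts)) if parts else ""

    def _fix_anchor(self, tag, attrs):
        if tag != "a" or not self.add_rel:
            return attrs
        attrs_dict = dict(attrs)
        if (attrs_dict.get("target") or "").strip().lower() != "_blank":
            return attrs  # only new-window/tab links expose the opener
        rel_tokens = (attrs_dict.get("rel") or "").split()
        seen = {t.lower() for t in rel_tokens}
        for token in REQUIRED_REL:
            if token not in seen:  # keep existing tokens (e.g. nofollow), add missing ones once
                rel_tokens.append(token)
                seen.add(token)
        new_rel = " ".join(rel_tokens)
        rewritten, replaced = [], False
        for name, value in attrs:
            if name == "rel":
                if not replaced:  # first rel wins; duplicate rel attributes are dropped
                    rewritten.append(("rel", new_rel))
                    replaced = True
            else:
                rewritten.append((name, value))
        if not replaced:
            rewritten.append(("rel", new_rel))
        return rewritten

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._format_attrs(self._fix_anchor(tag, attrs))}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._format_attrs(self._fix_anchor(tag, attrs))}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def process_html(html, add_rel_noopener=True):
    """Run the rewriter; add_rel_noopener=False models the explicit opt-out the description proposes."""
    parser = NoopenerRewriter(add_rel=add_rel_noopener)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample fragment, not taken from any real site.
    sample = '<p>Read <a href="https://example.com/docs" target="_blank">the docs</a> &amp; more</p>'
    print(process_html(sample))
```

The target comparison is case-insensitive because browsers treat target="_BLANK" the same as target="_blank", while the rel merge preserves tokens such as nofollow that content editors may already rely on; with add_rel_noopener=False the input passes through untouched, which is the behaviour a site would get by switching the feature off in configuration.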