[koha-commits] main Koha release repository branch master updated. v3.22.00-900-g6c1b39b

Git repo owner gitmaster at git.koha-community.org
Mon Mar 21 21:37:51 CET 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  6c1b39b4cbceb1a414a91865e15612385c2eb5b7 (commit)
      from  ec3387185dc9d388bf586abd84cfbba2f3153215 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6c1b39b4cbceb1a414a91865e15612385c2eb5b7
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Fri Mar 18 08:34:22 2016 +0000

    Bug 16095: Remove target="_blank" when a link refers to an external link
    
    If you click on a link that opens a new tab/window to another site, that tab
    has access to the original window through JavaScript. The browsing context is
    related, even if the domains are totally different.
    
    The tab retains access to the original window's object via window.opener, even
    if you navigate to another page or domain, in the new or original window.
    Access to the Window object means the new window can use Window.location to
    open a different URL in the original window, perfect for phishing attacks.
    
    Depending on the site's Same-Origin Policy settings, the new window may have
    access to other parts of the original window's DOM as well.
    
    Any 'A HREF' that contains a target of '_blank' or '_new' or a fixed name
    is vulnerable. Previous security best practice often suggested creating a random
    fixed name for an unpredictable namespace - that won't help with this problem!
    Targets of '_self' and '_parent' are safe.
    
    We do not use _new (at first glance) but several _blank. Some are used
    to refer to internal URLs; we do not need to update or remove them. Others
    are used to satisfy OPACURLOpenInNewWindow; in these cases, we should add
    the rel="noreferrer" attribute to the a tags.
    In other cases, we can simply remove them and let the users discover
    that a mouse has more than one button (we are in 2016, they can do it!)
    
    Signed-off-by: Chris <chrisc at catalyst.net.nz>
    
    Signed-off-by: Jesse Weaver <jweaver at bywatersolutions.com>
    
    Signed-off-by: Brendan Gallagher <brendan at bywatersolutions.com>

-----------------------------------------------------------------------

Summary of changes:
 koha-tmpl/intranet-tmpl/prog/en/modules/about.tt   |    4 +--
 .../prog/en/modules/acqui/supplier.tt              |    2 +-
 .../intranet-tmpl/prog/en/modules/basket/basket.tt |    2 +-
 .../prog/en/modules/catalogue/detail.tt            |    2 +-
 .../opac-tmpl/bootstrap/en/modules/opac-basket.tt  |    4 +--
 .../opac-tmpl/bootstrap/en/modules/opac-detail.tt  |   32 ++++++++++----------
 .../opac-tmpl/bootstrap/en/modules/opac-idref.tt   |    2 +-
 koha-tmpl/opac-tmpl/bootstrap/js/google-jackets.js |    2 +-
 8 files changed, 25 insertions(+), 25 deletions(-)


hooks/post-receive
-- 
main Koha release repository