Pervent reverse tabnabbing in edx platform

openedx · Aug 28, 2019 · 1a4eb7d · 1a4eb7d
1 parent 1c4f9da
commit 1a4eb7d
Show file tree

Hide file tree

Showing 61 changed files with 120 additions and 103 deletions.
diff --git a/cms/static/js/base.js b/cms/static/js/base.js
@@ -97,7 +97,10 @@ define([
             // general link management - new window/tab
             $('a[rel="external"]:not([title])')
                 .attr('title', gettext('This link will open in a new browser window/tab'));
-            $('a[rel="external"]').attr('target', '_blank');
+            $('a[rel="external"]').attr({
+                rel: 'noopener external',
+                target: '_blank'
+            });
 
             // general link management - lean modal window
             $('a[rel="modal"]').attr('title', gettext('This link will open in a modal window')).leanModal({

diff --git a/cms/templates/container.html b/cms/templates/container.html
@@ -144,7 +144,7 @@ <h3 class="title-3">${_("Working with content experiments")}</h3>
                         <p>${_("Confirm that you have properly configured content in each of your experiment groups.")}</p>
                     </div>
                     <div class="bit external-help">
-                        <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about component containers")}</a>
+                        <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about component containers")}</a>
                     </div>
                 % elif is_unit_page:
                     <div id="publish-unit"></div>

diff --git a/cms/templates/course-create-rerun.html b/cms/templates/course-create-rerun.html
@@ -148,7 +148,7 @@ <h3 class="title-3">${_("What does not transfer from the original course?")}</h3
           </div>
 
           <div class="bit external-help">
-            <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about Course Re-runs")}</a>
+            <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about Course Re-runs")}</a>
           </div>
         </aside>
 

diff --git a/cms/templates/course_outline.html b/cms/templates/course_outline.html
@@ -164,7 +164,7 @@ <h3 class="sr">${_("Page Actions")}</h3>
                     <div style="width: 50%" class="status-studio-frontend">
                 % endif
                     <%static:studiofrontend entry="courseOutlineHealthCheck">
-                        <% 
+                        <%
                             course_key = context_course.id
                         %>
                         {
@@ -188,7 +188,7 @@ <h3 class="sr">${_("Page Actions")}</h3>
                                 "settings": ${reverse('settings_handler', kwargs={'course_key_string': unicode(course_key)})| n, dump_js_escaped_json}
                             }
                         }
-                    </%static:studiofrontend> 
+                    </%static:studiofrontend>
                 </div>
                 <div class="status-highlights-enabled"></div>
             </div>
@@ -218,14 +218,14 @@ <h3 class="title-3">${_("Creating your course organization")}</h3>
                 <h3 class="title-3">${_("Reorganizing your course")}</h3>
                 <p>${_("Drag sections, subsections, and units to new locations in the outline.")}</p>
                 <div class="external-help">
-                    <a href="${get_online_help_info('outline')['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about the course outline")}</a>
+                    <a href="${get_online_help_info('outline')['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about the course outline")}</a>
                 </div>
             </div>
             <div class="bit">
                 <h3 class="title-3">${_("Setting release dates and grading policies")}</h3>
                 <p>${_("Select the Configure icon for a section or subsection to set its release date. When you configure a subsection, you can also set the grading policy and due date.")}</p>
                 <div class="external-help">
-                    <a href="${get_online_help_info('grading')['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about grading policy settings")}</a>
+                    <a href="${get_online_help_info('grading')['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about grading policy settings")}</a>
                 </div>
             </div>
             <div class="bit">
@@ -234,7 +234,7 @@ <h3 class="title-3">${_("Changing the content learners see")}</h3>
                 <p>${Text(_("To make a section, subsection, or unit unavailable to learners, select the Configure icon for that level, then select the appropriate {em_start}Hide{em_end} option. Grades for hidden sections, subsections, and units are not included in grade calculations.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
                 <p>${Text(_("To hide the content of a subsection from learners after the subsection due date has passed, select the Configure icon for a subsection, then select {em_start}Hide content after due date{em_end}. Grades for the subsection remain included in grade calculations.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
                 <div class="external-help">
-                    <a href="${get_online_help_info('visibility')['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about content visibility settings")}</a>
+                    <a href="${get_online_help_info('visibility')['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about content visibility settings")}</a>
                 </div>
             </div>
 

diff --git a/cms/templates/export.html b/cms/templates/export.html
@@ -235,7 +235,7 @@ <h3 class="title-3">${_("Opening the downloaded file")}</h3>
           <p>${_("Use an archive program to extract the data from the .tar.gz file. Extracted data includes the library.xml file, as well as subfolders that contain library content.")}</p>
       </div>
       <div class="bit external-help">
-          <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about exporting a library")}</a>
+          <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about exporting a library")}</a>
       </div>
     </aside>
   %else:
@@ -269,7 +269,7 @@ <h3 class="title-3">${_("Opening the downloaded file")}</h3>
         <p>${_("Use an archive program to extract the data from the .tar.gz file. Extracted data includes the course.xml file, as well as subfolders that contain course content.")}</p>
       </div>
       <div class="bit external-help">
-          <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about exporting a course")}</a>
+          <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about exporting a course")}</a>
       </div>
     </aside>
   %endif

diff --git a/cms/templates/group_configurations.html b/cms/templates/group_configurations.html
@@ -86,7 +86,7 @@ <h3 class="title-3">${_("Enrollment Track Groups")}</h3>
             <p>${_("Enrollment track groups allow you to offer different course content to learners in each enrollment track. Learners enrolled in each enrollment track in your course are automatically included in the corresponding enrollment track group.")}</p>
             <p>${_("On unit pages in the course outline, you can restrict access to components to learners based on their enrollment track.")}</p>
             <p>${_("You cannot edit enrollment track groups, but you can expand each group to view details of the course content that is designated for learners in the group.")}</p>
-            <p><a href="${get_online_help_info(enrollment_track_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
+            <p><a href="${get_online_help_info(enrollment_track_help_token())['doc_url']} rel="noopener" target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
           </div>
         </div>
       % endif
@@ -96,7 +96,7 @@ <h3 class="title-3">${_("Content Groups")}</h3>
               <p>${_("If you have cohorts enabled in your course, you can use content groups to create cohort-specific courseware. In other words, you can customize the content that particular cohorts see in your course.")}</p>
               <p>${_("Each content group that you create can be associated with one or more cohorts. In addition to making course content available to all learners, you can restrict access to some content to learners in specific content groups. Only learners in the cohorts that are associated with the specified content groups see the additional content.")}</p>
               <p>${Text(_("Click {em_start}New content group{em_end} to add a new content group. To edit the name of a content group, hover over its box and click {em_start}Edit{em_end}. You can delete a content group only if it is not in use by a unit. To delete a content group, hover over its box and click the delete icon.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
-              <p><a href="${get_online_help_info(content_groups_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
+              <p><a href="${get_online_help_info(content_groups_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
           </div>
         </div>
       % if should_show_experiment_groups:
@@ -105,7 +105,7 @@ <h3 class="title-3">${_("Content Groups")}</h3>
             <h3 class="title-3">${_("Experiment Group Configurations")}</h3>
             <p>${_("Use experiment group configurations if you are conducting content experiments, also known as A/B testing, in your course. Experiment group configurations define how many groups of learners are in a content experiment. When you create a content experiment for a course, you select the group configuration to use.")}</p>
             <p>${Text(_("Click {em_start}New Group Configuration{em_end} to add a new configuration. To edit a configuration, hover over its box and click {em_start}Edit{em_end}. You can delete a group configuration only if it is not in use in an experiment. To delete a configuration, hover over its box and click the delete icon.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
-            <p><a href="${get_online_help_info(experiment_group_configurations_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
+            <p><a href="${get_online_help_info(experiment_group_configurations_help_token())['doc_url']}" rel="noopener"  target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
           </div>
         </div>
       % endif

diff --git a/cms/templates/import.html b/cms/templates/import.html
@@ -213,7 +213,7 @@ <h3 class="title-3">${_("Note: Library content is not automatically updated in c
           <p>${_("If you change and import a library that is referenced by randomized content blocks in one or more courses, those courses do not automatically use the updated content. You must manually refresh the randomized content blocks to bring them up to date with the latest library content.")}</p>
       </div>
       <div class="bit external-help">
-          <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about importing a library")}</a>
+          <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about importing a library")}</a>
       </div>
     </aside>
   %else:
@@ -245,7 +245,7 @@ <h3 class="title-3">${_("Warning: Importing while a course is running")}</h3>
         <p>${_("If you perform an import while your course is running, and you change the URL names (or url_name nodes) of any Problem components, the student data associated with those Problem components may be lost. This data includes students' problem scores.")}</p>
       </div>
       <div class="bit external-help">
-          <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about importing a course")}</a>
+          <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about importing a course")}</a>
       </div>
     </aside>
   %endif

diff --git a/cms/templates/index.html b/cms/templates/index.html
@@ -519,7 +519,7 @@ <h3 class="title title-3">${_('New to {studio_name}?').format(studio_name=settin
         <ol class="list-actions">
           <li class="action-item">
 
-            <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank">${_("Getting Started with {studio_name}").format(studio_name=settings.STUDIO_NAME)}</a>
+            <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank">${_("Getting Started with {studio_name}").format(studio_name=settings.STUDIO_NAME)}</a>
           </li>
         </ol>
       </div>

diff --git a/cms/templates/js/add-xblock-component-support-legend.underscore b/cms/templates/js/add-xblock-component-support-legend.underscore
@@ -1,7 +1,7 @@
 <% if (support_legend.show_legend) { %>
     <span class="support-documentation">
         <a class="support-documentation-link"
-           href="https://edx.readthedocs.io/projects/edx-partner-course-staff/en/latest/exercises_tools/create_exercises_and_tools.html#levels-of-support-for-tools" target="_blank">
+           href="https://edx.readthedocs.io/projects/edx-partner-course-staff/en/latest/exercises_tools/create_exercises_and_tools.html#levels-of-support-for-tools" rel="noopener" target="_blank">
             <%- support_legend.documentation_label %>
         </a>
         <span class="support-documentation-level">

diff --git a/cms/templates/js/course-highlights-enable.underscore b/cms/templates/js/course-highlights-enable.underscore
@@ -8,5 +8,5 @@
 <% } else { %>
   <button class="status-highlights-enabled-value button" aria-labelledby="highlights-enabled-label"><%- gettext('Enable Now') %></button>
 <% } %>
-<a class="status-highlights-enabled-info" href="<%- highlights_doc_url %>" target="_blank">Learn more</a>
+<a class="status-highlights-enabled-info" href="<%- highlights_doc_url %>" rel="noopener" target="_blank">Learn more</a>
 </div>
diff --git a/cms/templates/js/highlights-enable-editor.underscore b/cms/templates/js/highlights-enable-editor.underscore
@@ -15,7 +15,7 @@
     ),
     {
         linkStart: edx.HtmlUtils.interpolateHtml(
-            edx.HtmlUtils.HTML('<a href="{highlightsDocUrl}" target="_blank">'),
+            edx.HtmlUtils.HTML('<a href="{highlightsDocUrl}" rel="noopener" target="_blank">'),
             {highlightsDocUrl: xblockInfo.attributes.highlights_doc_url}
         ),
         linkEnd: edx.HtmlUtils.HTML('</a>')

diff --git a/cms/templates/js/license-selector.underscore b/cms/templates/js/license-selector.underscore
@@ -3,7 +3,7 @@
         <%- gettext("License Type") %>
     </h3>
     <ul class="license-types">
-        <% var link_start_tpl = '<a href="{url}" target="_blank">'; %>
+        <% var link_start_tpl = '<a href="{url}" rel="noopener" target="_blank">'; %>
         <% _.each(licenseInfo, function(license, licenseType) { %>
             <li class="license-type" data-license="<%- licenseType %>">
                 <button name="license-<%- licenseType %>"

diff --git a/cms/templates/library.html b/cms/templates/library.html
@@ -98,7 +98,7 @@ <h3 class="title-3">${_("Using library content in courses")}</h3>
                 </div>
                 % endif
                 <div class="bit external-help">
-                    <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about content libraries")}</a>
+                    <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about content libraries")}</a>
                 </div>
             </div>
         </div>

diff --git a/cms/templates/textbooks.html b/cms/templates/textbooks.html
@@ -67,7 +67,7 @@ <h3 class="title-3">${_("What if my book isn't divided into chapters?")}</h3>
         </div>
 
         <div class="bit external-help">
-          <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about textbooks")}</a>
+          <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about textbooks")}</a>
         </div>
       </aside>
     </section>

diff --git a/cms/templates/ux/reference/fragments/course-settings.html b/cms/templates/ux/reference/fragments/course-settings.html
@@ -41,7 +41,7 @@ <h2 class="title-2">Basic Information</h2>
             <h3 class="title">Course Summary Page <span class="tip">(for student enrollment and access)</span></h3>
             <div class="copy">
 
-              <p><a class="link-courseURL" rel="external" href="http://localhost:8000/courses/course-v1:AndyA+AA101+1/about" title="This link will open in a new browser window/tab" target="_blank">http://localhost:8000/courses/course-v1:AndyA+AA101+1/about</a></p>
+              <p><a class="link-courseURL" rel="external" href="http://localhost:8000/courses/course-v1:AndyA+AA101+1/about" title="This link will open in a new browser window/tab" rel="noopener" target="_blank">http://localhost:8000/courses/course-v1:AndyA+AA101+1/about</a></p>
             </div>
 
             <ul class="list-actions">
@@ -351,7 +351,7 @@ <h2 class="title-2">Introducing Your Course</h2>
                   <label class="sr" for="course-overview-cm-textarea">
                     HTML Code Editor
                   </label>
-                  <span class="tip tip-stacked">Introductions, prerequisites, FAQs that are used on <a class="link-courseURL" rel="external" href="http://localhost:8000/courses/course-v1:AndyA+AA101+1/about" title="This link will open in a new browser window/tab" target="_blank">your course summary page</a> (formatted in HTML)</span>
+                  <span class="tip tip-stacked">Introductions, prerequisites, FAQs that are used on <a class="link-courseURL" rel="external" href="http://localhost:8000/courses/course-v1:AndyA+AA101+1/about" title="This link will open in a new browser window/tab" rel="noopener" target="_blank">your course summary page</a> (formatted in HTML)</span>
                 </li>
 
                 <li class="field image" id="field-course-image">
@@ -465,7 +465,7 @@ <h3 class="label setting-label">
                 </button>
                 <p class="tip">
 
-                        <a href="https://creativecommons.org/about" target="_blank">
+                        <a href="https://creativecommons.org/about" rel="noopener" target="_blank">
                             Learn more about Creative Commons
                         </a>
 

diff --git a/cms/templates/widgets/header.html b/cms/templates/widgets/header.html
@@ -220,7 +220,7 @@ <h3 class="title"><span class="label">${_("Tools")}</span> <span class="icon fa
         <h2 class="sr-only">${_("Account Navigation")}</h2>
         <ol>
           <li class="nav-item nav-account-help">
-            <h3 class="title"><span class="label"><a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" target="_blank">${_("Help")}</a></span></h3>
+            <h3 class="title"><span class="label"><a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" rel="noopener" target="_blank">${_("Help")}</a></span></h3>
           </li>
           <li class="nav-item nav-account-user">
             <%include file="user_dropdown.html" args="online_help_token=online_help_token" />
@@ -236,7 +236,7 @@ <h3 class="title"><span class="label"><a href="${get_online_help_info(online_hel
         <h2 class="sr-only">${_("Account Navigation")}</h2>
         <ol>
           <li class="nav-item nav-not-signedin-help">
-            <a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" target="_blank">${_("Help")}</a>
+            <a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" rel="noopener" target="_blank">${_("Help")}</a>
           </li>
           % if static.get_value('ALLOW_PUBLIC_ACCOUNT_CREATION', settings.FEATURES.get('ALLOW_PUBLIC_ACCOUNT_CREATION')):
               <li class="nav-item nav-not-signedin-signup">

diff --git a/common/lib/xmodule/xmodule/lti_module.py b/common/lib/xmodule/xmodule/lti_module.py
@@ -85,7 +85,7 @@
 log = logging.getLogger(__name__)
 
 DOCS_ANCHOR_TAG_OPEN = (
-    "<a target='_blank' "
+    "<a rel='noopener' target='_blank' "
     "href='https://edx.readthedocs.io/projects/edx-partner-course-staff/en/latest/exercises_tools/lti_component.html'>"
 )
 BREAK_TAG = '<br />'