

manage more cases for security warnings on anchor (aplocks, false pos…
…itive ...)
jleveugle committed Jul 30, 2021
1 parent 93887f2 commit d3db369
Showing 5 changed files with 215 additions and 3 deletions.
2 changes: 1 addition & 1 deletion src/compiler/compile/nodes/Element.ts
Expand Up @@ -399,7 +399,7 @@ export default class Element extends Node {
if (target_attribute && target_attribute.get_static_value() === '_blank' && href_attribute) {
const href_static_value = href_attribute.get_static_value() ? href_attribute.get_static_value().toLowerCase() : null;

if (href_static_value === null || href_static_value.startsWith('http') || href_static_value.startsWith('//')) {
if (href_static_value === null || href_static_value.match(/^(https?:)?\/\//i)) {
const rel = attribute_map.get('rel');
const rel_values = rel ? rel.get_static_value().split(' ') : [];
const expected_values = ['noopener', 'noreferrer'];
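Review bot: The `i` flag on the new regex is redundant, because `href_static_value` was already lower-cased two lines above, and the anchored `^` means an href with leading whitespace (`" https://…"`), which browsers strip before resolving the URL, is no longer treated as external and silently loses the noopener/noreferrer warning. Using `test()` instead of `match()` also avoids allocating a match array just to check truthiness: `if (href_static_value === null || /^(https?:)?\/\//.test(href_static_value.trim())) {`. The enclosing method of `Element` starts and ends outside this hunk.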
16 changes: 16 additions & 0 deletions test/validator/samples/security-anchor-rel-noopener/input.svelte
Expand Up @@ -19,6 +19,16 @@
<a href="http://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
<a href="http://svelte.dev" target="_blank" rel="noreferrer">svelte website (invalid)</a>
<!-- svelte-ignore security-anchor-rel-noreferrer -->
<a href="HTTP://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
<a href="HTTP://svelte.dev" target="_blank" rel="noreferrer">svelte website (invalid)</a>
<!-- svelte-ignore security-anchor-rel-noreferrer -->
<a href="HTTPS://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer">svelte website (invalid)</a>
<!-- svelte-ignore security-anchor-rel-noreferrer -->
<a href="HTTP://svelte.dev" target="_blank">svelte website (invalid)</a>
<!-- svelte-ignore security-anchor-rel-noreferrer -->
<a href="HTTPS://svelte.dev" target="_blank">svelte website (invalid)</a>
<!-- svelte-ignore security-anchor-rel-noreferrer -->
<a href="same-host" target="_blank">Same host (valid)</a>
<!-- svelte-ignore security-anchor-rel-noreferrer -->
<a href="same-host" target="_blank" rel="">Same host (valid)</a>
Expand All @@ -30,5 +40,11 @@
<a href="https://svelte.dev" target="_blank" rel="noopener">svelte website (valid)</a>
<a href="https://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<!-- svelte-ignore security-anchor-rel-noreferrer -->
<a href="HTTP://svelte.dev" target="_blank" rel="noopener">svelte website (valid)</a>
<a href="HTTP://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<!-- svelte-ignore security-anchor-rel-noreferrer -->
<a href="HTTPS://svelte.dev" target="_blank" rel="noopener">svelte website (valid)</a>
<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<!-- svelte-ignore security-anchor-rel-noreferrer -->
<a href="//svelte.dev" target="_blank" rel="noopener">svelte website (valid)</a>
<a href="//svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
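Review bot: The new cases in this fixture exercise the upper-case scheme only through plain string attributes, whereas the noreferrer fixture in the same commit also covers the static expression form `{'HTTPS://svelte.dev'}`, so the noopener warning is never verified against a value that reaches the check via an expression. Mirroring that case here, e.g. `<!-- svelte-ignore security-anchor-rel-noreferrer -->` followed by `<a href={'HTTPS://svelte.dev'} target="_blank">svelte website (invalid)</a>`, would keep the two validator fixtures symmetric; the expected-warnings JSON for this sample would need to be regenerated accordingly. The earlier lines of this sample are outside the hunk, so an existing expression-form case there cannot be ruled out from this view.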
Expand Up @@ -178,5 +178,95 @@
"column": 0,
"line": 20
}
}
},
{
"code": "security-anchor-rel-noopener",
"end": {
"character": 1534,
"column": 79,
"line": 22
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
"pos": 1455,
"start": {
"character": 1455,
"column": 0,
"line": 22
}
},
{
"code": "security-anchor-rel-noopener",
"end": {
"character": 1624,
"column": 89,
"line": 23
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
"pos": 1535,
"start": {
"character": 1535,
"column": 0,
"line": 23
}
},
{
"code": "security-anchor-rel-noopener",
"end": {
"character": 1759,
"column": 80,
"line": 25
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
"pos": 1679,
"start": {
"character": 1679,
"column": 0,
"line": 25
}
},
{
"code": "security-anchor-rel-noopener",
"end": {
"character": 1850,
"column": 90,
"line": 26
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
"pos": 1760,
"start": {
"character": 1760,
"column": 0,
"line": 26
}
},
{
"code": "security-anchor-rel-noopener",
"end": {
"character": 1977,
"column": 72,
"line": 28
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
"pos": 1905,
"start": {
"character": 1905,
"column": 0,
"line": 28
}
},
{
"code": "security-anchor-rel-noopener",
"end": {
"character": 2105,
"column": 73,
"line": 30
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
"pos": 2032,
"start": {
"character": 2032,
"column": 0,
"line": 30
}
}
]
16 changes: 16 additions & 0 deletions test/validator/samples/security-anchor-rel-noreferrer/input.svelte
Expand Up @@ -19,6 +19,16 @@
<a href="http://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
<a href="http://svelte.dev" target="_blank" rel="noopener">svelte website (invalid)</a>
<!-- svelte-ignore security-anchor-rel-noopener -->
<a href="HTTP://svelte.dev" target="_blank">svelte website (invalid)</a>
<!-- svelte-ignore security-anchor-rel-noopener -->
<a href="HTTP://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
<a href="HTTP://svelte.dev" target="_blank" rel="noopener">svelte website (invalid)</a>
<!-- svelte-ignore security-anchor-rel-noopener -->
<a href={'HTTPS://svelte.dev'} target="_blank">svelte website (invalid)</a>
<!-- svelte-ignore security-anchor-rel-noopener -->
<a href={'HTTPS://svelte.dev'} target="_blank" rel="">svelte website (invalid)</a>
<a href={'HTTPS://svelte.dev'} target="_blank" rel="noopener">svelte website (invalid)</a>
<!-- svelte-ignore security-anchor-rel-noopener -->
<a href="same-host" target="_blank">Same host (valid)</a>
<!-- svelte-ignore security-anchor-rel-noopener -->
<a href="same-host" target="_blank" rel="">Same host (valid)</a>
Expand All @@ -27,8 +37,14 @@
<a href="http://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="http://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<!-- svelte-ignore security-anchor-rel-noopener -->
<a href="HTTP://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="HTTP://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<!-- svelte-ignore security-anchor-rel-noopener -->
<a href="https://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="https://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<!-- svelte-ignore security-anchor-rel-noopener -->
<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<!-- svelte-ignore security-anchor-rel-noopener -->
<a href="//svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="//svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
Expand Up @@ -178,5 +178,95 @@
"column": 0,
"line": 20
}
}
},
{
"code": "security-anchor-rel-noreferrer",
"end": {
"character": 1501,
"column": 72,
"line": 22
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
"pos": 1429,
"start": {
"character": 1429,
"column": 0,
"line": 22
}
},
{
"code": "security-anchor-rel-noreferrer",
"end": {
"character": 1633,
"column": 79,
"line": 24
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
"pos": 1554,
"start": {
"character": 1554,
"column": 0,
"line": 24
}
},
{
"code": "security-anchor-rel-noreferrer",
"end": {
"character": 1721,
"column": 87,
"line": 25
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
"pos": 1634,
"start": {
"character": 1634,
"column": 0,
"line": 25
}
},
{
"code": "security-anchor-rel-noreferrer",
"end": {
"character": 1849,
"column": 75,
"line": 27
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
"pos": 1774,
"start": {
"character": 1774,
"column": 0,
"line": 27
}
},
{
"code": "security-anchor-rel-noreferrer",
"end": {
"character": 1984,
"column": 82,
"line": 29
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
"pos": 1902,
"start": {
"character": 1902,
"column": 0,
"line": 29
}
},
{
"code": "security-anchor-rel-noreferrer",
"end": {
"character": 2075,
"column": 90,
"line": 30
},
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
"pos": 1985,
"start": {
"character": 1985,
"column": 0,
"line": 30
}
}
]
