From db34b59238846e5ec046a456b4f76649321571d1 Mon Sep 17 00:00:00 2001 From: Markus Staab Date: Thu, 19 Oct 2017 12:16:04 +0200 Subject: [PATCH] Prevent XSS in links which open a new browser window --- .../templates/settings-admin.php | 2 +- .../templates/settings-personal.php | 4 ++-- apps/files/templates/appnavigation.php | 2 +- apps/theming/lib/ThemingDefaults.php | 2 +- apps/theming/tests/ThemingDefaultsTest.php | 4 ++-- .../templates/part.settingcontrols.php | 2 +- .../templates/part.wizardcontrols.php | 2 +- apps/workflowengine/templates/admin.php | 2 +- core/js/setupchecks.js | 18 +++++++-------- core/js/tests/specs/setupchecksSpec.js | 22 +++++++++---------- core/templates/installation.php | 6 ++--- core/templates/layout.noscript.warning.php | 2 +- core/templates/update.use-cli.php | 2 +- lib/private/Installer.php | 2 +- lib/private/legacy/defaults.php | 2 +- settings/templates/apps.php | 18 +++++++-------- settings/templates/help.php | 8 +++---- .../templates/settings.development.notice.php | 6 ++--- .../settings/admin/additional-mail.php | 2 +- .../templates/settings/admin/encryption.php | 2 +- settings/templates/settings/admin/server.php | 10 ++++----- settings/templates/settings/admin/sharing.php | 2 +- .../templates/settings/admin/tipstricks.php | 16 +++++++------- .../settings/personal/personal.info.php | 2 +- 24 files changed, 70 insertions(+), 70 deletions(-) diff --git a/apps/federatedfilesharing/templates/settings-admin.php b/apps/federatedfilesharing/templates/settings-admin.php index 7fe1b5f62e..8d04169ea8 100644 --- a/apps/federatedfilesharing/templates/settings-admin.php +++ b/apps/federatedfilesharing/templates/settings-admin.php @@ -8,7 +8,7 @@ script('federatedfilesharing', 'settings-admin');

t('Federated Cloud Sharing'));?>

-

t('Adjust how people can share between servers.')); ?>

diff --git a/apps/federatedfilesharing/templates/settings-personal.php b/apps/federatedfilesharing/templates/settings-personal.php index 26365d2b70..89f7b1eb1e 100644 --- a/apps/federatedfilesharing/templates/settings-personal.php +++ b/apps/federatedfilesharing/templates/settings-personal.php @@ -43,7 +43,7 @@ style('federatedfilesharing', 'settings-personal'); - t('Use this address to access your Files via WebDAV', array(link_to_docs('user-webdav'))));?> + t('Use this address to access your Files via WebDAV', array(link_to_docs('user-webdav'))));?>
diff --git a/apps/theming/lib/ThemingDefaults.php b/apps/theming/lib/ThemingDefaults.php index 6ee546d263..97e889a214 100644 --- a/apps/theming/lib/ThemingDefaults.php +++ b/apps/theming/lib/ThemingDefaults.php @@ -134,7 +134,7 @@ class ThemingDefaults extends \OC_Defaults { public function getShortFooter() { $slogan = $this->getSlogan(); $footer = '' .$this->getEntity() . ''. + ' rel="noreferrer noopener">' .$this->getEntity() . ''. ($slogan !== '' ? ' – ' . $slogan : ''); return $footer; diff --git a/apps/theming/tests/ThemingDefaultsTest.php b/apps/theming/tests/ThemingDefaultsTest.php index abd85a612c..6fbf3a2529 100644 --- a/apps/theming/tests/ThemingDefaultsTest.php +++ b/apps/theming/tests/ThemingDefaultsTest.php @@ -217,7 +217,7 @@ class ThemingDefaultsTest extends TestCase { ['theming', 'slogan', $this->defaults->getSlogan(), 'Slogan'], ]); - $this->assertEquals('Name – Slogan', $this->template->getShortFooter()); + $this->assertEquals('Name – Slogan', $this->template->getShortFooter()); } public function testGetShortFooterEmptySlogan() { @@ -230,7 +230,7 @@ class ThemingDefaultsTest extends TestCase { ['theming', 'slogan', $this->defaults->getSlogan(), ''], ]); - $this->assertEquals('Name', $this->template->getShortFooter()); + $this->assertEquals('Name', $this->template->getShortFooter()); } public function testgetColorPrimaryWithDefault() { diff --git a/apps/user_ldap/templates/part.settingcontrols.php b/apps/user_ldap/templates/part.settingcontrols.php index 3f7a53dd4d..a418885f47 100644 --- a/apps/user_ldap/templates/part.settingcontrols.php +++ b/apps/user_ldap/templates/part.settingcontrols.php @@ -3,7 +3,7 @@ t('Test Configuration'));?> + target="_blank" rel="noreferrer noopener"> t('Help'));?> diff --git a/apps/user_ldap/templates/part.wizardcontrols.php b/apps/user_ldap/templates/part.wizardcontrols.php index 2df1fd8d83..89eb96827e 100644 --- a/apps/user_ldap/templates/part.wizardcontrols.php +++ b/apps/user_ldap/templates/part.wizardcontrols.php @@ -9,7 +9,7 @@ t('Continue'));?> + target="_blank" rel="noreferrer noopener"> t('Help'));?> diff --git a/apps/workflowengine/templates/admin.php b/apps/workflowengine/templates/admin.php index 4f4dab4043..e9873f8f28 100644 --- a/apps/workflowengine/templates/admin.php +++ b/apps/workflowengine/templates/admin.php @@ -25,7 +25,7 @@

-
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index 5e8ef9e696..99e3c72d2d 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -66,7 +66,7 @@ if (xhr.status !== 207) { var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-setup-well-known-URL'); messages.push({ - msg: t('core', 'Your web server is not set up properly to resolve "{url}". Further information can be found in our documentation.', { docLink: docUrl, url: url }), + msg: t('core', 'Your web server is not set up properly to resolve "{url}". Further information can be found in our documentation.', { docLink: docUrl, url: url }), type: OC.SetupChecks.MESSAGE_TYPE_INFO }); } @@ -100,13 +100,13 @@ } if(!data.isMemcacheConfigured) { messages.push({ - msg: t('core', 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.', {docLink: data.memcacheDocs}), + msg: t('core', 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.', {docLink: data.memcacheDocs}), type: OC.SetupChecks.MESSAGE_TYPE_INFO }); } if(!data.isUrandomAvailable) { messages.push({ - msg: t('core', '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our documentation.', {docLink: data.securityDocs}), + msg: t('core', '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our documentation.', {docLink: data.securityDocs}), type: OC.SetupChecks.MESSAGE_TYPE_WARNING }); } @@ -118,19 +118,19 @@ } if(data.phpSupported && data.phpSupported.eol) { messages.push({ - msg: t('core', 'You are currently running PHP {version}. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by the PHP Group as soon as your distribution supports it.', {version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php'}), + msg: t('core', 'You are currently running PHP {version}. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by the PHP Group as soon as your distribution supports it.', {version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php'}), type: OC.SetupChecks.MESSAGE_TYPE_INFO }); } if(!data.forwardedForHeadersWorking) { messages.push({ - msg: t('core', 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our documentation.', {docLink: data.reverseProxyDocs}), + msg: t('core', 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our documentation.', {docLink: data.reverseProxyDocs}), type: OC.SetupChecks.MESSAGE_TYPE_WARNING }); } if(!data.isCorrectMemcachedPHPModuleInstalled) { messages.push({ - msg: t('core', 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the memcached wiki about both modules.', {wikiLink: 'https://code.google.com/p/memcached/wiki/PHPClientComparison'}), + msg: t('core', 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the memcached wiki about both modules.', {wikiLink: 'https://code.google.com/p/memcached/wiki/PHPClientComparison'}), type: OC.SetupChecks.MESSAGE_TYPE_WARNING }); } @@ -138,7 +138,7 @@ messages.push({ msg: t( 'core', - 'Some files have not passed the integrity check. Further information on how to resolve this issue can be found in our documentation. (List of invalid files… / Rescan…)', + 'Some files have not passed the integrity check. Further information on how to resolve this issue can be found in our documentation. (List of invalid files… / Rescan…)', { docLink: data.codeIntegrityCheckerDocumentation, codeIntegrityDownloadEndpoint: OC.generateUrl('/settings/integrity/failed'), @@ -152,7 +152,7 @@ messages.push({ msg: t( 'core', - 'The PHP OPcache is not properly configured. For better performance we recommend to use following settings in the php.ini:', + 'The PHP OPcache is not properly configured. For better performance we recommend to use following settings in the php.ini:', { docLink: data.phpOpcacheDocumentation, } @@ -300,7 +300,7 @@ var minimumSeconds = 15552000; if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) { messages.push({ - msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to at least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', {'seconds': minimumSeconds, docUrl: tipsUrl}), + msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to at least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', {'seconds': minimumSeconds, docUrl: tipsUrl}), type: OC.SetupChecks.MESSAGE_TYPE_WARNING }); } diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index 35279f3501..3df676099b 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -68,7 +68,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'Your web server is not set up properly to resolve "/.well-known/caldav/". Further information can be found in our documentation.', + msg: 'Your web server is not set up properly to resolve "/.well-known/caldav/". Further information can be found in our documentation.', type: OC.SetupChecks.MESSAGE_TYPE_INFO }]); done(); @@ -166,7 +166,7 @@ describe('OC.SetupChecks tests', function() { msg: 'This server has no working Internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. We suggest to enable Internet connection for this server if you want to have all features.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }, { - msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.', + msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.', type: OC.SetupChecks.MESSAGE_TYPE_INFO }]); done(); @@ -200,7 +200,7 @@ describe('OC.SetupChecks tests', function() { type: OC.SetupChecks.MESSAGE_TYPE_WARNING }, { - msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.', + msg: 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our documentation.', type: OC.SetupChecks.MESSAGE_TYPE_INFO }]); done(); @@ -261,7 +261,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our documentation.', + msg: '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our documentation.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); @@ -291,7 +291,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the memcached wiki about both modules.', + msg: 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the memcached wiki about both modules.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); @@ -321,7 +321,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our documentation.', + msg: 'The reverse proxy headers configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If you are not accessing Nextcloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to Nextcloud. Further information can be found in our documentation.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); @@ -402,7 +402,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'You are currently running PHP 5.4.0. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by the PHP Group as soon as your distribution supports it.', + msg: 'You are currently running PHP 5.4.0. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by the PHP Group as soon as your distribution supports it.', type: OC.SetupChecks.MESSAGE_TYPE_INFO }]); done(); @@ -433,7 +433,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'The PHP OPcache is not properly configured. For better performance we recommend to use following settings in the php.ini:' + "
opcache.enable=1\nopcache.enable_cli=1\nopcache.interned_strings_buffer=8\nopcache.max_accelerated_files=10000\nopcache.memory_consumption=128\nopcache.save_comments=1\nopcache.revalidate_freq=1
", + msg: 'The PHP OPcache is not properly configured. For better performance we recommend to use following settings in the php.ini:' + "
opcache.enable=1\nopcache.enable_cli=1\nopcache.interned_strings_buffer=8\nopcache.max_accelerated_files=10000\nopcache.memory_consumption=128\nopcache.save_comments=1\nopcache.revalidate_freq=1
", type: OC.SetupChecks.MESSAGE_TYPE_INFO }]); done(); @@ -617,7 +617,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', + msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); @@ -642,7 +642,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', + msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); @@ -667,7 +667,7 @@ describe('OC.SetupChecks tests', function() { async.done(function( data, s, x ){ expect(data).toEqual([{ - msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', + msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', type: OC.SetupChecks.MESSAGE_TYPE_WARNING }]); done(); diff --git a/core/templates/installation.php b/core/templates/installation.php index 6a0e3f9385..0d274f0f88 100644 --- a/core/templates/installation.php +++ b/core/templates/installation.php @@ -30,7 +30,7 @@ script('core', [ t('Security warning'));?>

t('Your data directory and files are probably accessible from the internet because the .htaccess file does not work.'));?>
t( - 'For information how to properly configure your server, please see the documentation.', + 'For information how to properly configure your server, please see the documentation.', link_to_docs('admin-install') )); ?>

@@ -84,7 +84,7 @@ script('core', [

t( 'Only %s is available.', array($label) )); ?> t( 'Install and activate additional PHP modules to choose other database types.' )); ?>
- + t( 'For more details check out the documentation.' )); ?> ↗

@@ -166,6 +166,6 @@ script('core', [

t('Need help?'));?> - t('See the documentation'));?> ↗ + t('See the documentation'));?> ↗

diff --git a/core/templates/layout.noscript.warning.php b/core/templates/layout.noscript.warning.php index c7776bd33c..7d7a32bfbf 100644 --- a/core/templates/layout.noscript.warning.php +++ b/core/templates/layout.noscript.warning.php @@ -3,7 +3,7 @@
', ''], + ['', ''], $l->t('This application requires JavaScript for correct operation. Please {linkstart}enable JavaScript{linkend} and reload the page.') )); ?>
diff --git a/core/templates/update.use-cli.php b/core/templates/update.use-cli.php index d30e15c857..06d7e28490 100644 --- a/core/templates/update.use-cli.php +++ b/core/templates/update.use-cli.php @@ -8,7 +8,7 @@ p($l->t('Please use the command line updater because automatic updating is disabled in the config.php.')); } ?>

t('For help, see the documentation.', [link_to_docs('admin-cli-upgrade')])); ?>

+ print_unescaped($l->t('For help, see the documentation.', [link_to_docs('admin-cli-upgrade')])); ?>

diff --git a/lib/private/Installer.php b/lib/private/Installer.php index d5082a7fad..0f7217e081 100644 --- a/lib/private/Installer.php +++ b/lib/private/Installer.php @@ -548,7 +548,7 @@ class Installer { } catch (TableExistsException $e) { throw new HintException( 'Failed to enable app ' . $app, - 'Please ask for help via one of our support channels.', + 'Please ask for help via one of our support channels.', 0, $e ); } diff --git a/lib/private/legacy/defaults.php b/lib/private/legacy/defaults.php index adfbe71377..d2f639959c 100644 --- a/lib/private/legacy/defaults.php +++ b/lib/private/legacy/defaults.php @@ -235,7 +235,7 @@ class OC_Defaults { $footer = $this->theme->getShortFooter(); } else { $footer = '' .$this->getEntity() . ''. + ' rel="noreferrer noopener">' .$this->getEntity() . ''. ' – ' . $this->getSlogan(); } diff --git a/settings/templates/apps.php b/settings/templates/apps.php index 91a73fcbe5..f609adb03b 100644 --- a/settings/templates/apps.php +++ b/settings/templates/apps.php @@ -24,7 +24,7 @@ script(
  • - t('Developer documentation'));?> ↗ + t('Developer documentation'));?> ↗
  • @@ -44,7 +44,7 @@ script(
    {{#if detailpage}} - {{name}} + {{name}} {{else}} {{name}} {{/if}} @@ -90,7 +90,7 @@ script( {{/if}}

    {{#if detailpage}} - {{name}} + {{name}} {{else}} {{name}} {{/if}} @@ -105,7 +105,7 @@ script(