Prevent reverse tabnabbing in edx platform

This commit is contained in:
Awais Jibran
2019-08-22 16:37:44 +05:00
parent 1c4f9da92d
commit 1a4eb7d2e8
61 changed files with 120 additions and 103 deletions


@@ -34,7 +34,9 @@ class TermsOfServiceCheckboxInput(CheckboxInput):
u'I, and my organization, accept the {link_start}{platform_name} API Terms of Service{link_end}.'
)).format(
platform_name=configuration_helpers.get_value('PLATFORM_NAME', settings.PLATFORM_NAME),
link_start=HTML(u'<a href="{url}" target="_blank">').format(url=reverse('api_admin:api-tos')),
link_start=HTML(u'<a href="{url}" rel="noopener" target="_blank">').format(
url=reverse('api_admin:api-tos')
),
link_end=HTML('</a>'),
)
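Review bot: The rebuilt `link_start` anchor relies on `rel="noopener"` alone; a browser that does not recognise the `noopener` token ignores it and the opened Terms page keeps a `window.opener` handle, which is exactly the condition this commit sets out to close. The usual hardening for that case is `rel="noopener noreferrer"`, at the cost of suppressing the Referer header on the outbound navigation, which only matters if the linked page depends on it. The same single-token choice is repeated in the RegistrationFormFactory, LoginAndRegistrationTest, get_enterprise_sidebar_context, social-links and certificate-card hunks below, so it is worth settling once for all of them. The method enclosing this `format` call in TermsOfServiceCheckboxInput starts outside the hunk.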


@@ -806,7 +806,9 @@ class RegistrationFormFactory(object):
)).format(
platform_name=configuration_helpers.get_value("PLATFORM_NAME", settings.PLATFORM_NAME),
terms_of_service=terms_label,
terms_of_service_link_start=HTML(u"<a href='{terms_link}' target='_blank'>").format(terms_link=terms_link),
terms_of_service_link_start=HTML(u"<a href='{terms_link}' rel='noopener' target='_blank'>").format(
terms_link=terms_link
),
terms_of_service_link_end=HTML("</a>"),
)
@@ -832,9 +834,13 @@ class RegistrationFormFactory(object):
)).format(
platform_name=configuration_helpers.get_value("PLATFORM_NAME", settings.PLATFORM_NAME),
terms_of_service=terms_label,
terms_of_service_link_start=HTML(u"<a href='{terms_url}' target='_blank'>").format(terms_url=terms_link),
terms_of_service_link_start=HTML(u"<a href='{terms_url}' rel='noopener' target='_blank'>").format(
terms_url=terms_link
),
terms_of_service_link_end=HTML("</a>"),
privacy_policy_link_start=HTML(u"<a href='{pp_url}' target='_blank'>").format(pp_url=pp_link),
privacy_policy_link_start=HTML(u"<a href='{pp_url}' rel='noopener' target='_blank'>").format(
pp_url=pp_link
),
privacy_policy_link_end=HTML("</a>"),
)
@@ -866,7 +872,9 @@ class RegistrationFormFactory(object):
label = Text(_(u"I agree to the {platform_name} {tos_link_start}{terms_of_service}{tos_link_end}")).format(
platform_name=configuration_helpers.get_value("PLATFORM_NAME", settings.PLATFORM_NAME),
terms_of_service=terms_label,
tos_link_start=HTML(u"<a href='{terms_link}' target='_blank'>").format(terms_link=terms_link),
tos_link_start=HTML(u"<a href='{terms_link}' rel='noopener' target='_blank'>").format(
terms_link=terms_link
),
tos_link_end=HTML("</a>"),
)
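Review bot: The three `*_link_start` values in these hunks (plus `privacy_policy_link_start` in the second one) each hand-build the same `<a href=... rel='noopener' target='_blank'>` markup, which is how the `rel` attribute came to be missing from every site at once; a single module-level helper, e.g. `def _external_link_start(url): return HTML(u"<a href='{url}' rel='noopener' target='_blank'>").format(url=url)`, would give the four sites one place to maintain and make the next attribute change a one-line edit. The quoting style also differs between this file (single-quoted attributes) and the TermsOfServiceCheckboxInput hunk (double-quoted), which a shared helper would normalise as a side effect. The RegistrationFormFactory methods enclosing these calls start and end outside the hunks.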


@@ -1097,7 +1097,7 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
"default": False
}
]
link_template = u"<a href='/honor' target='_blank'>{link_label}</a>"
link_template = u"<a href='/honor' rel='noopener' target='_blank'>{link_label}</a>"
def setUp(self):
super(RegistrationViewTest, self).setUp()
@@ -1668,8 +1668,8 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
)
@mock.patch.dict(settings.FEATURES, {"ENABLE_MKTG_SITE": True})
def test_registration_honor_code_mktg_site_enabled(self):
link_template = "<a href='https://www.test.com/honor' target='_blank'>{link_label}</a>"
link_template2 = u"<a href='#' target='_blank'>{link_label}</a>"
link_template = "<a href='https://www.test.com/honor' rel='noopener' target='_blank'>{link_label}</a>"
link_template2 = u"<a href='#' rel='noopener' target='_blank'>{link_label}</a>"
link_label = "Terms of Service and Honor Code"
link_label2 = "Privacy Policy"
self._assert_reg_field(
@@ -1701,7 +1701,7 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
@override_settings(MKTG_URLS_LINK_MAP={"HONOR": "honor"})
@mock.patch.dict(settings.FEATURES, {"ENABLE_MKTG_SITE": False})
def test_registration_honor_code_mktg_site_disabled(self):
link_template = "<a href='/privacy' target='_blank'>{link_label}</a>"
link_template = "<a href='/privacy' rel='noopener' target='_blank'>{link_label}</a>"
link_label = "Terms of Service and Honor Code"
link_label2 = "Privacy Policy"
self._assert_reg_field(
@@ -1740,7 +1740,7 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
# Honor code field should say ONLY honor code,
# not "terms of service and honor code"
link_label = 'Honor Code'
link_template = u"<a href='https://www.test.com/honor' target='_blank'>{link_label}</a>"
link_template = u"<a href='https://www.test.com/honor' rel='noopener' target='_blank'>{link_label}</a>"
self._assert_reg_field(
{"honor_code": "required", "terms_of_service": "required"},
{
@@ -1763,7 +1763,7 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
# Terms of service field should also be present
link_label = "Terms of Service"
link_template = u"<a href='https://www.test.com/tos' target='_blank'>{link_label}</a>"
link_template = u"<a href='https://www.test.com/tos' rel='noopener' target='_blank'>{link_label}</a>"
self._assert_reg_field(
{"honor_code": "required", "terms_of_service": "required"},
{
@@ -1811,7 +1811,7 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
link_label = 'Terms of Service'
# Terms of service field should also be present
link_template = u"<a href='/tos' target='_blank'>{link_label}</a>"
link_template = u"<a href='/tos' rel='noopener' target='_blank'>{link_label}</a>"
self._assert_reg_field(
{"honor_code": "required", "terms_of_service": "required"},
{


@@ -710,7 +710,7 @@ class LoginAndRegistrationTest(ThirdPartyAuthTestMixin, UrlResetMixin, ModuleSto
line_break=HTML('<br/>'),
enterprise_name=ec_name,
platform_name=settings.PLATFORM_NAME,
privacy_policy_link_start=HTML(u"<a href='{pp_url}' target='_blank'>").format(
privacy_policy_link_start=HTML(u"<a href='{pp_url}' rel='noopener' target='_blank'>").format(
pp_url=settings.MKTG_URLS.get('PRIVACY', 'https://www.edx.org/edx-privacy-policy')
),
privacy_policy_link_end=HTML("</a>"),


@@ -40,7 +40,7 @@ def parse_license(lic):
enabled = ["zero"]
version = license_options.get("ver", "1.0")
%>
<a rel="license" href="https://creativecommons.org/licenses/${'-'.join(enabled)}/${version}/" target="_blank">
<a rel="license" href="https://creativecommons.org/licenses/${'-'.join(enabled)}/${version}/" rel="noopener" target="_blank">
% if button:
<img src="https://licensebuttons.net/l/${'-'.join(enabled)}/${version}/${button_size}.png"
alt="${license}"
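Review bot: The changed anchor now carries two `rel` attributes, `rel="license"` and `rel="noopener"`; HTML parsers keep only the first occurrence of a duplicated attribute, so the `noopener` token is discarded and this Creative Commons link remains open to reverse tabnabbing despite the edit. Both relations belong in one space-separated token list: `<a rel="license noopener" href="https://creativecommons.org/licenses/${'-'.join(enabled)}/${version}/" target="_blank">`. The template block enclosing this anchor continues outside the hunk.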


@@ -116,7 +116,7 @@ def get_enterprise_sidebar_context(enterprise_customer):
line_break=HTML('<br/>'),
enterprise_name=enterprise_customer['name'],
platform_name=platform_name,
privacy_policy_link_start=HTML("<a href='{pp_url}' target='_blank'>").format(
privacy_policy_link_start=HTML("<a href='{pp_url}' rel='noopener' target='_blank'>").format(
pp_url=settings.MKTG_URLS.get('PRIVACY', 'https://www.edx.org/edx-privacy-policy')
),
privacy_policy_link_end=HTML("</a>"),


@@ -1,7 +1,7 @@
<div class="social-links">
<% for (var platform in socialLinks) { %>
<% if (socialLinks[platform]) { %>
<a target="_blank" href= <%-socialLinks[platform]%>>
<a rel="noopener" target="_blank" href= <%-socialLinks[platform]%>>
<span class="icon fa fa-<%-platform%>-square" data-platform=<%-platform%> aria-hidden="true"></span>
</a>
<% } %>
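Review bot: The changed `<a>` line still emits `href` without quotes around the `<%-socialLinks[platform]%>` interpolation; the escaping form of the template tag neutralises `&`, `<`, `>` and quote characters but not whitespace, so a value containing a space would end the attribute early and the remainder would be parsed as further attributes on the anchor. Quoting the value closes that off: `<a rel="noopener" target="_blank" href="<%-socialLinks[platform]%>">`. Where `socialLinks` is populated is not visible in this hunk, so whether anything other than site configuration can reach it cannot be judged from here.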


@@ -35,7 +35,7 @@ from openedx.core.djangolib.markup import HTML, Text
)
%>
% if certificate_url:
<a href="${certificate_url}" target="_blank">
<a href="${certificate_url}" rel="noopener" target="_blank">
<div class="card certificate-card mode-${certificate['type']}">
<div class="card-logo">
<h4 class="sr-only">