
Commit 15268ee

add security warning for anchor element (rel attribute)
1 parent 341160f commit 15268ee

5 files changed

+126
-0
lines changed


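--- a/src/compiler/compile/nodes/Element.ts
+++ b/src/compiler/compile/nodes/Element.ts
@@ -451,6 +451,22 @@ export default class Element extends Node {
 const href_attribute = attribute_map.get('href') || attribute_map.get('xlink:href');
 const id_attribute = attribute_map.get('id');
 const name_attribute = attribute_map.get('name');
+const target_attribute = attribute_map.get('target');
+
+if (target_attribute.get_static_value() === '_blank') {
+const rel = attribute_map.get('rel');
+const rel_values = rel ? rel.get_static_value().split(' ') : [];
+const expected_values = ['noopener', 'noreferrer'];
+
+expected_values.forEach(expected_value => {
+if (!rel || rel && rel_values.indexOf(expected_value) < 0) {
+component.warn(this, {
+code: `security-anchor-rel-${expected_value}`,
+message: `Security: Anchor with "target=_blank" should have rel attribute containing the value "${expected_value}"`
+});
+}
+});
+}
 
 if (href_attribute) {
 const href_value = href_attribute.get_static_value();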
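Review bot: `target_attribute.get_static_value()` at line 456 is called unconditionally, but `attribute_map.get('target')` yields undefined for every anchor without a `target` attribute, so ordinary links would make the compiler throw a TypeError; guard it as `if (target_attribute && target_attribute.get_static_value() === '_blank') {`. The `rel` tokenizer at line 458 splits on a single space although `rel` is a whitespace-separated token list, so `rel="noopener  noreferrer"` (double space) or a tab-separated value would still warn; `.split(/\s+/)` is the safer form, and what `get_static_value()` returns for a dynamic `rel={...}` is not visible here, so that path may need its own guard. From a security standpoint `noreferrer` already implies `noopener` in browsers that honour it, so emitting a separate `security-anchor-rel-noopener` warning for `rel="noreferrer"` (as the fixture does on its line 5) is a false positive against the actual threat, a new tab reaching back through `window.opener`; one warning when neither token is present would match that model. The condition at line 462, `!rel || rel && rel_values.indexOf(expected_value) < 0`, reduces to `rel_values.indexOf(expected_value) < 0` because `rel_values` is already empty when `rel` is absent. The enclosing method starts and ends outside this hunk.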
@@ -0,0 +1,8 @@
1+
<!-- svelte-ignore security-anchor-rel-noreferrer -->
2+
<a href="https://svelte.dev" target="_blank">svelte website (invalid)</a>
3+
<!-- svelte-ignore security-anchor-rel-noreferrer -->
4+
<a href="https://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
5+
<a href="https://svelte.dev" target="_blank" rel="noreferrer">svelte website (invalid)</a>
6+
<!-- svelte-ignore security-anchor-rel-noreferrer -->
7+
<a href="https://svelte.dev" target="_blank" rel="noopener">svelte website (valid)</a>
8+
<a href="https://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
@@ -0,0 +1,47 @@
1+
[
2+
{
3+
"code": "security-anchor-rel-noopener",
4+
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
5+
"start": {
6+
"line": 2,
7+
"column": 0,
8+
"character": 54
9+
},
10+
"end": {
11+
"line": 2,
12+
"column": 73,
13+
"character": 127
14+
},
15+
"pos": 54
16+
},
17+
{
18+
"code": "security-anchor-rel-noopener",
19+
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
20+
"start": {
21+
"line": 4,
22+
"column": 0,
23+
"character": 182
24+
},
25+
"end": {
26+
"line": 4,
27+
"column": 80,
28+
"character": 262
29+
},
30+
"pos": 182
31+
},
32+
{
33+
"code": "security-anchor-rel-noopener",
34+
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
35+
"start": {
36+
"line": 5,
37+
"column": 0,
38+
"character": 263
39+
},
40+
"end": {
41+
"line": 5,
42+
"column": 90,
43+
"character": 353
44+
},
45+
"pos": 263
46+
}
47+
]
@@ -0,0 +1,8 @@
1+
<!-- svelte-ignore security-anchor-rel-noopener -->
2+
<a href="https://svelte.dev" target="_blank">svelte website (invalid)</a>
3+
<!-- svelte-ignore security-anchor-rel-noopener -->
4+
<a href="https://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
5+
<a href="https://svelte.dev" target="_blank" rel="noopener">svelte website (invalid)</a>
6+
<!-- svelte-ignore security-anchor-rel-noopener -->
7+
<a href="https://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
8+
<a href="https://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
@@ -0,0 +1,47 @@
1+
[
2+
{
3+
"code": "security-anchor-rel-noreferrer",
4+
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
5+
"start": {
6+
"line": 2,
7+
"column": 0,
8+
"character": 52
9+
},
10+
"end": {
11+
"line": 2,
12+
"column": 73,
13+
"character": 125
14+
},
15+
"pos": 52
16+
},
17+
{
18+
"code": "security-anchor-rel-noreferrer",
19+
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
20+
"start": {
21+
"line": 4,
22+
"column": 0,
23+
"character": 178
24+
},
25+
"end": {
26+
"line": 4,
27+
"column": 80,
28+
"character": 258
29+
},
30+
"pos": 178
31+
},
32+
{
33+
"code": "security-anchor-rel-noreferrer",
34+
"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
35+
"start": {
36+
"line": 5,
37+
"column": 0,
38+
"character": 259
39+
},
40+
"end": {
41+
"line": 5,
42+
"column": 88,
43+
"character": 347
44+
},
45+
"pos": 259
46+
}
47+
]
