manage more case for security warnings on anchorr (aplocks, false pos… · sveltejs/svelte@d3db369 · GitHub

Commit d3db369

committed
manage more case for security warnings on anchorr (aplocks, false positive ...)
1 parent 93887f2 commit d3db369

5 files changed

+215
-3
lines changed

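--- a/src/compiler/compile/nodes/Element.ts
+++ b/src/compiler/compile/nodes/Element.ts
@@ -399,7 +399,7 @@ export default class Element extends Node {
 if (target_attribute && target_attribute.get_static_value() === '_blank' && href_attribute) {
 const href_static_value = href_attribute.get_static_value() ? href_attribute.get_static_value().toLowerCase() : null;
 
-if (href_static_value === null || href_static_value.startsWith('http') || href_static_value.startsWith('//')) {
+if (href_static_value === null || href_static_value.match(/^(https?:)?\/\//i)) {
 const rel = attribute_map.get('rel');
 const rel_values = rel ? rel.get_static_value().split(' ') : [];
 const expected_values = ['noopener', 'noreferrer'];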
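Review bot: The new test on line 402 anchors at the first character and accepts only forward slashes, so a static href that a browser still resolves to another origin (one with leading whitespace, or with backslashes in place of the slashes, both of which the WHATWG URL parser normalises for http(s) URLs) gets no rel warning. Trimming first and accepting either slash would close that gap: `if (href_static_value === null || /^\s*(https?:)?[\\/]{2}/.test(href_static_value)) {`. The `i` flag is redundant because line 400 already lower-cases the value, and `.test()` states the boolean intent better than `.match()`. The enclosing method starts and ends outside the hunk.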

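--- a/test/validator/samples/security-anchor-rel-noopener/input.svelte
+++ b/test/validator/samples/security-anchor-rel-noopener/input.svelte
@@ -19,6 +19,16 @@
 <a href="http://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
 <a href="http://svelte.dev" target="_blank" rel="noreferrer">svelte website (invalid)</a>
 <!-- svelte-ignore security-anchor-rel-noreferrer -->
+<a href="HTTP://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
+<a href="HTTP://svelte.dev" target="_blank" rel="noreferrer">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noreferrer -->
+<a href="HTTPS://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
+<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noreferrer -->
+<a href="HTTP://svelte.dev" target="_blank">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noreferrer -->
+<a href="HTTPS://svelte.dev" target="_blank">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noreferrer -->
 <a href="same-host" target="_blank">Same host (valid)</a>
 <!-- svelte-ignore security-anchor-rel-noreferrer -->
 <a href="same-host" target="_blank" rel="">Same host (valid)</a>
@@ -30,5 +40,11 @@
 <a href="https://svelte.dev" target="_blank" rel="noopener">svelte website (valid)</a>
 <a href="https://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
 <!-- svelte-ignore security-anchor-rel-noreferrer -->
+<a href="HTTP://svelte.dev" target="_blank" rel="noopener">svelte website (valid)</a>
+<a href="HTTP://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
+<!-- svelte-ignore security-anchor-rel-noreferrer -->
+<a href="HTTPS://svelte.dev" target="_blank" rel="noopener">svelte website (valid)</a>
+<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
+<!-- svelte-ignore security-anchor-rel-noreferrer -->
 <a href="//svelte.dev" target="_blank& 6D40 quot; rel="noopener">svelte website (valid)</a>
 <a href="//svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>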
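Review bot: None of the fixtures added in these hunks exercises the false positive that the regex change is meant to remove; they all vary only the case of the scheme. A same-origin href that merely starts with the letters `http` should be pinned as valid, e.g. `<a href="http-docs/page" target="_blank">relative path (valid)</a>` (constructed sample) with no matching entry in warnings.json. The same gap applies to the security-anchor-rel-noreferrer sample. Only part of the file is visible here, so such a case may already exist outside the hunks.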

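--- a/test/validator/samples/security-anchor-rel-noopener/warnings.json
+++ b/test/validator/samples/security-anchor-rel-noopener/warnings.json
@@ -178,5 +178,95 @@
 "column": 0,
 "line": 20
 }
-}
+},
+{
+"code": "security-anchor-rel-noopener",
+"end": {
+"character": 1534,
+"column": 79,
+"line": 22
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
+"pos": 1455,
+"start": {
+"character": 1455,
+"column": 0,
+"line": 22
+}
+},
+{
+"code": "security-anchor-rel-noopener",
+"end": {
+"character": 1624,
+"column": 89,
+"line": 23
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
+"pos": 1535,
+"start": {
+"character": 1535,
+"column": 0,
+"line": 23
+}
+},
+{
+"code": "security-anchor-rel-noopener",
+"end": {
+"character": 1759,
+"column": 80,
+"line": 25
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
+"pos": 1679,
+"start": {
+"character": 1679,
+"column": 0,
+"line": 25
+}
+},
+{
+"code": "security-anchor-rel-noopener",
+"end": {
+"character": 1850,
+"column": 90,
+"line": 26
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
+"pos": 1760,
+"start": {
+"character": 1760,
+"column": 0,
+"line": 26
+}
+},
+{
+"code": "security-anchor-rel-noopener",
+"end": {
+"character": 1977,
+"column": 72,
+"line": 28
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
+"pos": 1905,
+"start": {
+"character": 1905,
+"column": 0,
+"line": 28
+}
+},
+{
+"code": "security-anchor-rel-noopener",
+"end": {
+"character": 2105,
+"column": 73,
+"line": 30
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noopener\"",
+"pos": 2032,
+"start": {
+"character": 2032,
+"column": 0,
+"line": 30
+}
+}
 ]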

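--- a/test/validator/samples/security-anchor-rel-noreferrer/input.svelte
+++ b/test/validator/samples/security-anchor-rel-noreferrer/input.svelte
@@ -19,6 +19,16 @@
 <a href="http://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
 <a href="http://svelte.dev" target="_blank" rel="noopener">svelte website (invalid)</a>
 <!-- svelte-ignore security-anchor-rel-noopener -->
+<a href="HTTP://svelte.dev" target="_blank">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noopener -->
+<a href="HTTP://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
+<a href="HTTP://svelte.dev" target="_blank" rel="noopener">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noopener -->
+<a href={'HTTPS://svelte.dev'} target="_blank">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noopener -->
+<a href={'HTTPS://svelte.dev'} target="_blank" rel="">svelte website (invalid)</a>
+<a href={'HTTPS://svelte.dev'} target="_blank" rel="noopener">svelte website (invalid)</a>
+<!-- svelte-ignore security-anchor-rel-noopener -->
 <a href="same-host" target="_blank">Same host (valid)</a>
 <!-- svelte-ignore security-anchor-rel-noopener -->
 <a href="same-host" target="_blank" rel="">Same host (valid)</a>
@@ -27,8 +37,14 @@
 <a href="http://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
 <a href="http://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
 <!-- svelte-ignore security-anchor-rel-noopener -->
+<a href="HTTP://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
+<a href="HTTP://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
+<!-- svelte-ignore security-anchor-rel-noopener -->
 <a href="https://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
 <a href="https://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
 <!-- svelte-ignore security-anchor-rel-noopener -->
+<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
+<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
+<!-- svelte-ignore security-anchor-rel-noopener -->
 <a href="//svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
 <a href="//svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>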

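--- a/test/validator/samples/security-anchor-rel-noreferrer/warnings.json
+++ b/test/validator/samples/security-anchor-rel-noreferrer/warnings.json
@@ -178,5 +178,95 @@
 "column": 0,
 "line": 20
 }
-}
+},
+{
+"code": "security-anchor-rel-noreferrer",
+"end": {
+"character": 1501,
+"column": 72,
+"line": 22
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
+"pos": 1429,
+"start": {
+"character": 1429,
+"column": 0,
+"line": 22
+}
+},
+{
+"code": "security-anchor-rel-noreferrer",
+"end": {
+"character": 1633,
+"column": 79,
+"line": 24
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
+"pos": 1554,
+"start": {
+"character": 1554,
+"column": 0,
+"line": 24
+}
+},
+{
+"code": "security-anchor-rel-noreferrer",
+"end": {
+"character": 1721,
+"column": 87,
+"line": 25
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
+"pos": 1634,
+"start": {
+"character": 1634,
+"column": 0,
+"line": 25
+}
+},
+{
+"code": "security-anchor-rel-noreferrer",
+"end": {
+"character": 1849,
+"column": 75,
+"line": 27
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
+"pos": 1774,
+"start": {
+"character": 1774,
+"column": 0,
+"line": 27
+}
+},
+{
+"code": "security-anchor-rel-noreferrer",
+"end": {
+"character": 1984,
+"column": 82,
+"line": 29
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
+"pos": 1902,
+"start": {
+"character": 1902,
+"column": 0,
+"line": 29
+}
+},
+{
+"code": "security-anchor-rel-noreferrer",
+"end": {
+"character": 2075,
+"column": 90,
+"line": 30
+},
+"message": "Security: Anchor with \"target=_blank\" should have rel attribute containing the value \"noreferrer\"",
+"pos": 1985,
+"start": {
+"character": 1985,
+"column": 0,
+"line": 30
+}
+}
 ]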
