[IMP] Prevent reverse tabnabbing in plaintext2html, linkify, _makeLink
These functions convert plain text links into clickable hyperlinks.
These open in new tabs but did not have the "noreferrer noopener" rel
attributes, which made them susceptible to reverse tabnabbing.
A lot of attack vectors were available to unregistered, uninvited
anonymous users and presented a significant phishing threat (such as
posting links in the instant-chat, through a mail-alias, in a forum post
or in a twitter post), leading the operator to believe they had been
disconnected from odoo in the original tab, prompting them to enter
their credentials.
While these three places will add the noreferrer and noopener attributes
on the anchor tags generated by them, there are still many places that
create hyperlinks without the use of these functions; although most of
them are static links, they still represent a transitive security
vulnerability to the linked sites.
There are also a few modules and widgets that roll out their own links
or open new tabs unsafely using window.open(); these will need to be
patched separately.
closes odoo/odoo#37591
Signed-off-by: Olivier Dony (odo) <odo@openerp.com>
Showing 3 changed files:
- addons/mail/static/src/js/utils.js (3 additions, 0 deletions)
- addons/website_twitter/static/src/js/website.twitter.animation.js (1 addition, 0 deletions)
- odoo/tools/mail.py (1 addition, 1 deletion)
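The mitigation the commit describes, as an added example that is not Odoo's own code: a small plaintext-to-HTML linkifier that emits `target="_blank"` together with `rel="noopener noreferrer"`, plus an audit helper that flags already-rendered anchors which open a new tab without those rel values. The function names (`linkifyText`, `findTabnabbingRisks`) and the sample strings are assumptions for this example.

```javascript
// Added example, not code from the Odoo repository.
// Bare http(s) URLs; stops at whitespace and HTML/attribute delimiters.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/g;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Turn URLs in plain text into anchors. target="_blank" opens a new tab;
// rel="noopener noreferrer" denies the opened page access to window.opener
// (and suppresses the Referer header), which is what blocks reverse tabnabbing.
// Trailing sentence punctuation is kept outside the link.
function linkifyText(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    const trail = (m[0].match(/[.,;:!?)]+$/) || [""])[0];
    const url = m[0].slice(0, m[0].length - trail.length);
    out += escapeHtml(text.slice(last, m.index));
    out += `<a href="${escapeHtml(url)}" target="_blank" rel="noopener noreferrer">` +
           `${escapeHtml(url)}</a>` + escapeHtml(trail);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Audit rendered HTML for anchors that open a new tab without the protective
// rel values; returns the offending href values (empty array when all is well).
// rel="noreferrer" alone is accepted because browsers treat it as implying noopener.
function findTabnabbingRisks(html) {
  const risks = [];
  for (const m of html.matchAll(/<a\b[^>]*>/gi)) {
    const tag = m[0];
    if (!/\btarget\s*=\s*["']?_blank\b/i.test(tag)) continue;
    const rel = (tag.match(/\brel\s*=\s*["']([^"']*)["']/i) || ["", ""])[1].toLowerCase();
    if (!/\bnoopener\b/.test(rel) && !/\bnoreferrer\b/.test(rel)) {
      risks.push((tag.match(/\bhref\s*=\s*["']([^"']*)["']/i) || ["", ""])[1]);
    }
  }
  return risks;
}
```

Running `findTabnabbingRisks` over a page's rendered HTML is a quick way to locate the remaining hand-built links the commit message says still need patching.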