zulip/static/templates/draft.hbs
Anders Kaseorg 68cfcd6446 CVE-2020-9444: Prevent reverse tabnabbing attacks.
While we could fix this issue by changing the markdown processor,
doing so is not a robust solution, because even a momentary bug in the
markdown processor could allow cached messages that do not follow our
security policy.

This change ensures that even if our markdown processor has bugs that
result in rendered content that does not properly follow our policy of
using rel="noopener noreferrer" on links, we'll still do something
reasonable.

Co-authored-by: Tim Abbott <tabbott@zulipchat.com>
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
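The fallback the commit message describes, as an added example that is not Zulip's code: a post-processing pass over HTML that a markdown processor has already rendered, which adds rel="noopener noreferrer" to every `<a>` tag (keeping tokens such as nofollow that were already there), plus an audit function that lists links still violating the policy. A page opened from a link without rel="noopener" receives a window.opener reference to the tab that opened it; these rel tokens remove that reference, which is what stops reverse tabnabbing. The function names (enforceRel, findViolations, parseAttrs, relTokens), the tag-level scanner in place of a DOM walk, and the sample HTML are all assumptions or constructed for this example; a helper like the template's rendered_markdown could apply such a pass before returning the content, but whether Zulip's helper does exactly this is not shown on the page.

```javascript
// Added example (not Zulip's code): enforce the link policy the commit message
// describes on HTML that a markdown processor has already rendered.

const REQUIRED_REL = ["noopener", "noreferrer"];

// Matches an <a ...> start tag. Quoted attribute values may contain ">", so the
// tag body is consumed as balanced quoted strings or unquoted characters. This is
// a deliberately small tag-level scanner so the snippet runs in plain Node; in a
// browser a DOM walk over querySelectorAll("a") is the more robust choice.
const ANCHOR_TAG = /<a\b((?:"[^"]*"|'[^']*'|[^"'>])*)>/gi;

// Parse the attribute list of one start tag into [{name, value}] pairs.
// Names are lower-cased; a bare attribute (no "=") gets value undefined.
function parseAttrs(body) {
  const attrs = [];
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs.push({ name: m[1].toLowerCase(), value });
  }
  return attrs;
}

// Set of rel tokens currently on the tag (case-insensitive, whitespace separated).
function relTokens(attrs) {
  const rel = attrs.find((a) => a.name === "rel");
  const raw = rel && rel.value ? rel.value : "";
  return new Set(raw.toLowerCase().split(/\s+/).filter(Boolean));
}

// Serialize attributes back out, always double-quoting values.
function serializeAttrs(attrs) {
  return attrs
    .map((a) => (a.value === undefined ? a.name : `${a.name}="${a.value.replace(/"/g, "&quot;")}"`))
    .join(" ");
}

// Rewrite every <a> so that its rel attribute contains the required tokens,
// preserving any tokens (e.g. nofollow) that were already present.
function enforceRel(html) {
  return html.replace(ANCHOR_TAG, (_whole, body) => {
    const attrs = parseAttrs(body);
    const tokens = relTokens(attrs);
    for (const t of REQUIRED_REL) tokens.add(t);
    const rel = attrs.find((a) => a.name === "rel");
    const value = [...tokens].join(" ");
    if (rel) rel.value = value;
    else attrs.push({ name: "rel", value });
    return `<a ${serializeAttrs(attrs)}>`;
  });
}

// Audit helper: return the start tags of links that do not satisfy the policy.
// Useful both to verify enforceRel output and to log markdown-processor
// regressions before the fallback papers over them.
function findViolations(html) {
  const bad = [];
  for (const m of html.matchAll(ANCHOR_TAG)) {
    const tokens = relTokens(parseAttrs(m[1]));
    if (!REQUIRED_REL.every((t) => tokens.has(t))) bad.push(m[0]);
  }
  return bad;
}

// Constructed sample of what a buggy markdown processor might emit: one link
// with no rel at all, one with only nofollow, one already compliant.
const SAMPLE_HTML =
  '<p>See <a href="https://example.com/a" target="_blank">a</a>, ' +
  '<a href="https://example.com/b" rel="nofollow">b</a> and ' +
  '<a href="https://example.com/c" rel="noopener noreferrer">c</a>.</p>';

const fixed = enforceRel(SAMPLE_HTML);
console.log(findViolations(SAMPLE_HTML).length, "violation(s) before");
console.log(findViolations(fixed).length, "violation(s) after");
console.log(fixed);
```

Running findViolations on the processor's output in a test or a logging hook is the part worth keeping even once enforceRel is in place: the fallback makes a processor bug harmless, but the audit is what tells you the bug exists.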


<div class="draft-row" data-draft-id="{{draft_id}}">
    <div class="draft-info-box" tabindex="0">
        {{#if is_stream}}
        <div class="message_header message_header_stream">
            <div class="message-header-contents">
                <div class="message_label_clickable stream_label {{dark_background}}"
                     style="background: {{stream_color}}; border-left-color: {{stream_color}};">
                    {{stream}}
                </div>
                <span class="stream_topic">
                    <div class="message_label_clickable narrows_by_topic">
                        {{topic}}
                    </div>
                </span>
                <div class="recipient_row_date" title="{{t 'Last modified'}}">{{ time_stamp }}</div>
            </div>
        </div>
        {{else}}
        <div class="message_header message_header_private_message dark_background">
            <div class="message-header-contents">
                <div class="message_label_clickable stream_label">
                    {{#tr this}}You and __recipients__{{/tr}}
                </div>
                <div class="recipient_row_date" title="{{t 'Last modified'}}">{{ time_stamp }}</div>
            </div>
        </div>
        {{/if}}
        <div class="message_row{{^is_stream}} private-message{{/is_stream}}" role="listitem">
            <div class="messagebox">
                <div class="messagebox-content">
                    <div class="message_top_line">
                        <div class="draft_controls">
                            <i class="fa fa-pencil fa-lg restore-draft" aria-hidden="true" data-toggle="tooltip" title="{{t 'Restore draft' }}"></i>
                            <i class="fa fa-trash-o fa-lg delete-draft" aria-hidden="true" data-toggle="tooltip" title="{{t 'Delete draft' }} (Backspace)"></i>
                        </div>
                    </div>
                    {{!-- Draft content is output through the rendered_markdown helper rather than
                         directly, which is the hook where the link policy from the commit message
                         (rel="noopener noreferrer" on links) can be enforced on cached content
                         independently of the markdown processor. --}}
                    <div class="message_content rendered_markdown restore-draft" data-toggle="tooltip" title="{{t 'Restore draft' }}">{{rendered_markdown content}}</div>
                </div>
            </div>
        </div>
    </div>
</div>