_blank vulnerability, whilst using JCE's Target: Open in New Window?
Official support hours:
Monday To Friday
From 09:00 To 17:00 Europe/London (BST)
Hi There,
I happened upon this issue https://dev.to/ben/the-targetblank-vulnerability-by-example that admittedly seems to have been around for quite a long time, but I'm only just aware of it. Naturally, this then made me concerned as to how JCE's open in blank windows actually works.
What is its structure?
Does it already cover this vulnerability, whilst not JCE's direct one itself? I wonder how many Joomla owners are utilizing _blank to open their / external content in their JCE editor parameters etc.
I look forward to your thoughts, or a possible addition / workaround within JCE itself going forward.
Regards,
I have fixed this in JCE Pro 2.6.9 Beta6 - https://www.joomlacontenteditor.net/downloads/editor/pro/item/jce-pro-269-dev
When the target is set to "_blank", rel="noopener noreferrer" is added to the link.
Just because you're not paranoid doesn't mean everybody isn't out to get you.
Hi Ryan,
Thanks for the reply. Can I clarify: is the fix / tweak you mention above and in the beta version something you'd previously done, or just since I mentioned the original topic?
Just unsure as to whether to await your next stable release as opposed to a beta, is all, so further clarification would be much appreciated.
Thanks in advance.
Thanks for the reply. Can I clarify: is the fix / tweak you mention above and in the beta version something you'd previously done, or just since I mentioned the original topic?
I added this after you mentioned it (the same has been done in TinyMCE recently). The fix will be included in JCE Pro 2.6.9.
Please note that this will not fix existing links that use target="_blank".
Just because you're not paranoid doesn't mean everybody isn't out to get you.
Ahhh, that's great news, and thank you for the swift addition to cover off this vulnerability risk within JCE as many Joomlers' editor of choice.
I appreciate it cannot apply this fix to existing links, but I don't mind spending an evening re-linking all relevant links within my site; it's a small price to pay, I'm sure you will agree.
Thank you heaps, great work!
I appreciate it cannot apply this fix to existing links, but I don't mind spending an evening re-linking all relevant links within my site; it's a small price to pay, I'm sure you will agree.
You could do a DB find and replace using DBReplacer - https://www.regularlabs.com/extensions/dbreplacer
Search for target="_blank" and replace it with target="_blank" rel="noopener noreferrer".
Just because you're not paranoid doesn't mean everybody isn't out to get you.
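The two fixes discussed in this thread (JCE 2.6.9 adding rel="noopener noreferrer" to new _blank links, and a database find-and-replace for links already in content) come down to the same check: does a link that opens a new window also cut the window.opener reference? The following is an added example written for this page, not JCE's or TinyMCE's own code. It audits an HTML fragment for target="_blank" anchors lacking noopener/noreferrer and rewrites them, merging with an existing rel value (such as rel="nofollow") so a link ends up with a single rel attribute. The sample HTML is constructed for the example; the function and constant names are this example's own.

```javascript
// Added example (not JCE's own code): audit and harden target="_blank" links in an
// HTML fragment so the page opened in the new tab cannot reach window.opener.
//
// Background: without rel="noopener", a page opened via target="_blank" receives a
// reference to the opening tab as window.opener and may navigate it, e.g.
//     window.opener.location = "https://example.invalid/login";   // attacker's page
// rel="noopener" severs that reference; rel="noreferrer" additionally omits the
// Referer header and implies noopener in browsers that support it.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute list of one <a ...> tag into a Map keyed by lower-cased name.
function parseAttrs(attrText) {
  const attrs = new Map();
  for (const m of attrText.matchAll(ATTR_RE)) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs.set(m[1].toLowerCase(), value);
  }
  return attrs;
}

// True when the link opens a new browsing context but keeps window.opener alive.
function isUnsafeBlank(attrs) {
  if ((attrs.get('target') || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.get('rel') || '').toLowerCase().split(/\s+/).filter(Boolean);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Audit: hrefs of every target="_blank" link that lacks noopener/noreferrer.
function findUnsafeBlankLinks(html) {
  const found = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (isUnsafeBlank(attrs)) found.push(attrs.get('href') || '');
  }
  return found;
}

// Harden: add rel="noopener noreferrer" to unsafe _blank links. An existing rel
// value is merged rather than duplicated, so rel="nofollow" becomes
// rel="nofollow noopener noreferrer" instead of two rel attributes.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!isUnsafeBlank(attrs)) return tag;
    const existing = (attrs.get('rel') || '').split(/\s+/).filter(Boolean);
    const merged = [...new Set([...existing, 'noopener', 'noreferrer'])].join(' ');
    const newAttrText = attrs.has('rel')
      ? attrText.replace(/(^|\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, `$1rel="${merged}"`)
      : `${attrText.trimEnd()} rel="${merged}"`;
    return `<a${newAttrText}>`;
  });
}

// Constructed sample content (not from any real site): A is unsafe, B is unsafe but
// already carries a rel attribute, C is already hardened.
const SAMPLE_HTML = [
  '<p>See <a href="https://example.com/a" target="_blank">A</a>,',
  '<a href="https://example.com/b" target="_blank" rel="nofollow">B</a> and',
  '<a href="https://example.com/c" target="_blank" rel="noopener noreferrer">C</a>.</p>',
].join('\n');

console.log('unsafe before:', findUnsafeBlankLinks(SAMPLE_HTML));
console.log(hardenBlankLinks(SAMPLE_HTML));
console.log('unsafe after:', findUnsafeBlankLinks(hardenBlankLinks(SAMPLE_HTML)));
```

Running the audit over exported article content before the find-and-replace shows how many links are affected, and running it again afterwards confirms nothing was missed (for instance links whose target attribute uses single quotes or different spacing, which a literal string search would skip).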