UNPKG

@gitlab/ui

Version:

GitLab UI Components

gitlab.com/gitlab-org/gitlab-ui

38 lines (29 loc) 1.13 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
A Vue directive to make the hyperlinks secure by default. ## Security measures ### rel When setting target to `_blank`, the rel attribute gets set automatically to `noopener noreferrer`, this is done to avoid the `window.opener` [API exploit]. If you set the `rel` attribute manually, this will overwrite the aforementioned logic. ### href This directive enforces "safe" URLs. What this means is that, if the provided `href` doesn't point to a safe protocol (one of `http:`, `https:`, `mailto:` or `ftp:`), then it is replaced with `about:blank` to prevent [URL injections]. ```html <script> import { GlSafeLinkDirective as SafeLink } from '@gitlab/ui'; export default { data() { return { url: 'javascript:alert(1)', }; }, directives: { SafeLink }, }; </script> <template> <a v-safe-link href="url" target="_blank">Click</a> <!-- Renders to: <a href="about:blank" target="_blank">Click</a> --> </template> ``` [API exploit]: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/ [URL injections]: https://vuejs.org/v2/guide/security.html#Injecting-URLs