From 1a4d926a54d1abf7e22785437f51efdd6d14170d Mon Sep 17 00:00:00 2001 From: Tom Gross <itconsense@gmail.com> Date: Wed, 29 Apr 2020 09:43:33 +0200 Subject: [PATCH] Fix redirection vulnerability and adjust external links --- .../registration/_content/registration.html | 6 +-- .../dev/controller/_content/sourceview.html | 4 +- .../olat/gui/control/_content/olatFooter.html | 2 +- .../org/olat/gui/demo/_content/guidemo.html | 2 +- .../java/org/olat/login/_content/about.html | 50 +++++++++---------- 5 files changed, 32 insertions(+), 32 deletions(-) diff --git a/src/main/java/org/olat/admin/registration/_content/registration.html b/src/main/java/org/olat/admin/registration/_content/registration.html index cb8b3165bab..3e1da8df18f 100644 --- a/src/main/java/org/olat/admin/registration/_content/registration.html +++ b/src/main/java/org/olat/admin/registration/_content/registration.html @@ -7,13 +7,13 @@ #end <div class="o_info"> - <a href='http://www.openolat.org' target='_blank' class="pull-right"> + <a href='https://www.openolat.org' target='_blank' class="pull-right" rel="noopener noreferrer"> <img src='$r.staticLink("images/openolat/openolat_logo_claim_rgb.png")' alt='OpenOlat' style="max-width: 400px;"/> </a> <p>$r.translate("registration.statistics")</p> <p>$r.translate("registration.sustainability")</p> <p>$r.translate("registration.website")</p> - <p>$r.translate("registration.thanks", "<a href='http://www.openolat.org' target='_blank'><i class='o_icon o_icon_link_extern'> </i> www.openolat.org</a>")</p> + <p>$r.translate("registration.thanks", "<a href='https://www.openolat.org' target='_blank' rel='noopener noreferrer'><i class='o_icon o_icon_link_extern'> </i> www.openolat.org</a>")</p> </div> $r.render("settings") @@ -28,4 +28,4 @@ $r.render("settings") </tr> #end </tbody></table> -</div> \ No newline at end of file +</div> 
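Review bot: Nothing in this change stops the next `target='_blank'` anchor from being added without `rel`, because the fix is applied by hand to each link in these five templates. The anchor passed as an argument to `$r.translate("registration.thanks", …)` shows that such links can also sit inside string arguments, and possibly in translation bundles or Java-rendered markup that a template-only search would miss; whether other such links exist is not visible in this patch. A build-time check that fails on any `target="_blank"` anchor lacking `rel="noopener"` would keep the fix from regressing.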
diff --git a/src/main/java/org/olat/core/gui/dev/controller/_content/sourceview.html b/src/main/java/org/olat/core/gui/dev/controller/_content/sourceview.html index c1341ecf34d..6961a0f5742 100644 --- a/src/main/java/org/olat/core/gui/dev/controller/_content/sourceview.html +++ b/src/main/java/org/olat/core/gui/dev/controller/_content/sourceview.html @@ -3,5 +3,5 @@ <textarea cols="20" rows="30">$content</textarea> </form> <p> -<a target="_blank" href="http://velocity.apache.org/engine/devel/vtl-reference-guide.html">Click for reference info about the Apache Velocity Template Language</a> -</p> \ No newline at end of file +<a target="_blank" href="https://velocity.apache.org/engine/2.2/vtl-reference.html" rel="noopener noreferrer">Click for reference info about the Apache Velocity Template Language</a> +</p> diff --git a/src/main/java/org/olat/gui/control/_content/olatFooter.html b/src/main/java/org/olat/gui/control/_content/olatFooter.html index 70b3824b4b0..777c1d2cda7 100644 --- a/src/main/java/org/olat/gui/control/_content/olatFooter.html +++ b/src/main/java/org/olat/gui/control/_content/olatFooter.html @@ -22,7 +22,7 @@ </div> #end <div id="o_footer_powered" class="clearfix"> - <a href="https://www.openolat.org" target="_blank" title="OpenOlat - infinite learning"> + <a href="https://www.openolat.org" target="_blank" title="OpenOlat - infinite learning" rel="noopener noreferrer"> <img src="$r.staticLink("images/openolat/openolat_powerd_by_120x30.png")" alt="powered by OpenOlat" /> </a> </div> diff --git a/src/main/java/org/olat/gui/demo/_content/guidemo.html b/src/main/java/org/olat/gui/demo/_content/guidemo.html index 94ba641e528..0fd5dbb1725 100644 --- a/src/main/java/org/olat/gui/demo/_content/guidemo.html +++ b/src/main/java/org/olat/gui/demo/_content/guidemo.html 
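Review bot: The new reference link in sourceview.html pins the Velocity documentation to `engine/2.2/`, where the old link followed `devel`. The patch does not show which Velocity version the project bundles, so the pinned version may not match it and will go stale on the next engine upgrade. If the pin is intentional, a template comment next to the link, such as `## keep in sync with the bundled Velocity version`, would record that.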
@@ -6,4 +6,4 @@ On the following pages you'll find a demonstration of the OLAT Framework functio Choose from the menu on your left. From each demo element you can view the source code by clicking the source code link. Every output consists of Java code in a controller <i>(BasicController.java)</i> and a velocity page which renders the HTML output based on variables that are put into the velocity context. </p> -<p>More information regarding OLAT development you will get <a target="_blank" href="http://openolat.org">here.</a></p> +<p>More information regarding OLAT development you will get <a target="_blank" href="https://openolat.org" rel="noopener noreferrer">here.</a></p> diff --git a/src/main/java/org/olat/login/_content/about.html b/src/main/java/org/olat/login/_content/about.html index 34ba2b8b9fe..677af2ae3ce 100644 --- a/src/main/java/org/olat/login/_content/about.html +++ b/src/main/java/org/olat/login/_content/about.html @@ -1,5 +1,5 @@ <p class="clearfix o_large"> - <a href="http://www.openolat.org" target="_blank"> + <a href="https://www.openolat.org" target="_blank" rel="noopener noreferrer"> <img border="0" class="pull-left" src="$r.staticLink("images/openolat/openolat_logo_claim_rgb.png")" alt="$r.translate("about.title")" /> </a> </p> @@ -20,7 +20,7 @@ LMS OpenOlat </h2> <p> - <a href="http://www.openolat.org" target="_blank" class="o_link_extern">http://www.openolat.org</a> + <a href="https://www.openolat.org" target="_blank" class="o_link_extern" rel="noopener noreferrer">www.openolat.org</a> <br /> <span class="text-muted"> $r.translate("about.version") $r.getVersion() 
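Review bot: The guidemo.html link now points at the bare host `https://openolat.org`, while every other OpenOlat link touched by this commit uses `https://www.openolat.org`. Using the same host here, `href="https://www.openolat.org"`, avoids depending on the apex domain serving a valid certificate. The same check applies to the other hosts this commit moves from http to https (`www.comenius-award.de`, `www.twitter.com` and `www.uibk.ac.at` in about.html). Each should be confirmed to answer over HTTPS with a certificate valid for that name, since a failure there turns a working link into a browser warning.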
@@ -30,13 +30,13 @@ $r.translate("about.history") </p> <p class="o_block_large"> - <a href="https://www.frentix.com/testbericht-openolat-2020-sehr-gut/" target="_blank" title="The OpenOlat LMS got a high score in the e-learning journal ranking"> + <a href="https://www.frentix.com/testbericht-openolat-2020-sehr-gut/" target="_blank" title="The OpenOlat LMS got a high score in the e-learning journal ranking" rel="noopener noreferrer"> <img border="0" src="$r.staticLink("images/openolat/openolat-test-sehr-gut_large.png")" alt="The OpenOlat LMS got a high score in the e-learning journal ranking" style="display: inline-block; padding-left: 2em; padding-bottom: 2em; max-width: 40%; max-height: 200px;" /> </a> - <a href="http://www.comenius-award.de" target="_blank" title="The OpenOlat LMS wins a comenius edu media award"> + <a href="https://www.comenius-award.de" target="_blank" title="The OpenOlat LMS wins a comenius edu media award" rel="noopener noreferrer"> <img border="0" src="$r.staticLink("images/openolat/openolat_comeniusedumed_2017.png")" alt="The OpenOlat LMS wins a comenius edu media award" style="display: inline-block; padding-left: 2em; padding-bottom: 2em; max-width: 40%; max-height: 200px;" /> </a> - <a href="https://www.frentix.com/wp-uploads/2019/06/eLearning-Jahrbuch-2019_OpenOlat_Pruefungsserver_Award.pdf" target="_blank" title="The OpenOlat LMS wins the e-learning award in the category e-testing"> + <a href="https://www.frentix.com/wp-uploads/2019/06/eLearning-Jahrbuch-2019_OpenOlat_Pruefungsserver_Award.pdf" target="_blank" title="The OpenOlat LMS wins the e-learning award in the category e-testing" rel="noopener noreferrer"> <img border="0" src="$r.staticLink("images/openolat/openolat-award-etesting.png")" alt="The OpenOlat LMS wins the e-learning award in the category e-testing" style="display: inline-block; padding-left: 2em; padding-bottom: 2em; max-width: 40%; max-height: 200px;" /> </a> </p> 
@@ -44,17 +44,17 @@ $r.translate("about.elearningjournal.test.2015") </p> <p> - <a href="https://www.frentix.com/wp-uploads/2020/04/eLJ12020_TEST_Frentix.pdf" target="_blank" class="o_link_extern"> + <a href="https://www.frentix.com/wp-uploads/2020/04/eLJ12020_TEST_Frentix.pdf" target="_blank" class="o_link_extern" rel="noopener noreferrer"> <i class="o_icon o_filetype_pdf"> </i> Testbericht OpenOlat 15 </a> | - <a href="https://www.elearning-journal.com/index.php?id=12" target="_blank" class="text-muted o_link_extern"> + <a href="https://www.elearning-journal.com/index.php?id=12" target="_blank" class="text-muted o_link_extern" rel="noopener noreferrer"> <i class="o_icon o_icon_external_link"> </i> eLearning Journal </a> | - <a href="https://www.frentix.com/wp-uploads/2019/06/eLearning-Jahrbuch-2019_OpenOlat_Pruefungsserver_Award.pdf" target="_blank" class="text-muted o_link_extern"> + <a href="https://www.frentix.com/wp-uploads/2019/06/eLearning-Jahrbuch-2019_OpenOlat_Pruefungsserver_Award.pdf" target="_blank" class="text-muted o_link_extern" rel="noopener noreferrer"> <i class="o_icon o_filetype_pdf"> </i> eLearning Journal eTesting Award 2019 </a> 
@@ -68,9 +68,9 @@ $r.translate("about.social") </p> <p> - <a href="http://www.twitter.com/OpenOlat" target="_blank"><i class="o_icon o_icon_twitter o_icon-3x"> </i></a> - <a href="https://www.linkedin.com/groups/1473557/" target="_blank"><i class="o_icon o_icon_linkedin o_icon-3x"> </i></a> - <a href="https://www.youtube.com/channel/UCM8o2nsnXMRF7bMj82l-hKw" target="_blank"><i class="o_icon o_icon_youtube o_icon-3x"> </i></a> + <a href="https://www.twitter.com/OpenOlat" target="_blank" rel="noopener noreferrer"><i class="o_icon o_icon_twitter o_icon-3x"> </i></a> + <a href="https://www.linkedin.com/groups/1473557/" target="_blank" rel="noopener noreferrer"><i class="o_icon o_icon_linkedin o_icon-3x"> </i></a> + <a href="https://www.youtube.com/channel/UCM8o2nsnXMRF7bMj82l-hKw" target="_blank" rel="noopener noreferrer"><i class="o_icon o_icon_youtube o_icon-3x"> </i></a> </p> </div> 
@@ -108,56 +108,56 @@ <tbody> <tr> <td>Gold</td> - <td><a href="http://www.uibk.ac.at" target="_blank" class="o_extern">Universität Innsbruck</a></td> + <td><a href="https://www.uibk.ac.at" target="_blank" class="o_extern" rel="noopener noreferrer">Universität Innsbruck</a></td> </tr> <tr> <td>Gold</td> - <td><a href="https://www.vcrp.de" target="_blank" class="o_extern">Virtueller Campus Rheinland-Pfalz, VCRP</a></td> + <td><a href="https://www.vcrp.de" target="_blank" class="o_extern" rel="noopener noreferrer">Virtueller Campus Rheinland-Pfalz, VCRP</a></td> </tr> <tr> <td>Silver</td> - <td><a href="https://www.hs-furtwangen.de" target="_blank" class="o_extern">Hochschule Furtwangen, HFU</a></td> + <td><a href="https://www.hs-furtwangen.de" target="_blank" class="o_extern" rel="noopener noreferrer">Hochschule Furtwangen, HFU</a></td> </tr> <tr> <td>Bronze</td> - <td><a href="https://www.bzgbs.ch" target="_blank" class="o_extern">BZG Bildungszentrum Gesundheit Basel-Stadt</a></td> + <td><a href="https://www.bzgbs.ch" target="_blank" class="o_extern" rel="noopener noreferrer">BZG Bildungszentrum Gesundheit Basel-Stadt</a></td> </tr> <tr> <td>Bronze</td> - <td><a href="https://www.hfgs.ch" target="_blank" class="o_extern">Höheren Fachschule Gesundheit und Soziales, HFGS</a></td> + <td><a href="https://www.hfgs.ch" target="_blank" class="o_extern" rel="noopener noreferrer">Höheren Fachschule Gesundheit und Soziales, HFGS</a></td> </tr> <tr> <td>Bronze</td> - <td><a href="https://www.fhnw.ch/sozialearbeit" target="_blank" class="o_extern">Fachhochschule Nordwestschweiz FHNW, + <td><a href="https://www.fhnw.ch/de/die-fhnw/hochschulen/soziale-arbeit" target="_blank" class="o_extern" rel="noopener noreferrer">Fachhochschule Nordwestschweiz FHNW, Hochschule für Soziale Arbeit</a></td> </tr> <tr> <td>Bronze</td> - <td><a href="https://www.uni-kiel.de" target="_blank" class="o_extern">Christian-Albrechts-Universität zu Kiel, CAU</a></td> + <td><a 
href="https://www.uni-kiel.de" target="_blank" class="o_extern" rel="noopener noreferrer">Christian-Albrechts-Universität zu Kiel, CAU</a></td> </tr> <tr> <td>Bronze</td> - <td><a href="https://www.bbw.ch" target="_blank" class="o_extern">Berufsbildungsschule Winterthur BBW</a></td> + <td><a href="https://www.bbw.ch" target="_blank" class="o_extern" rel="noopener noreferrer">Berufsbildungsschule Winterthur BBW</a></td> </tr> <tr> <td>Bronze</td> - <td><a href="https://www.uni-hamburg.de" target="_blank" class="o_extern">Universität Hamburg, UHH</a></td> + <td><a href="https://www.uni-hamburg.de" target="_blank" class="o_extern" rel="noopener noreferrer">Universität Hamburg, UHH</a></td> </tr> <tr> <td>Bronze</td> - <td><a href="https://www.ibw.ch" target="_blank" class="o_extern">Höhere Fachschule Südostschweiz, ibW</a></td> + <td><a href="https://www.ibw.ch" target="_blank" class="o_extern" rel="noopener noreferrer">Höhere Fachschule Südostschweiz, ibW</a></td> </tr> <tr> <td>Bronze</td> - <td><a href="https://www.zag.zh.ch" target="_blank" class="o_extern">Zentrum für Ausbildung im Gesundheitswesen Kanton Zürich, ZAG</a></td> + <td><a href="https://www.zag.zh.ch" target="_blank" class="o_extern" rel="noopener noreferrer">Zentrum für Ausbildung im Gesundheitswesen Kanton Zürich, ZAG</a></td> </tr> <tr> <td>Bronze</td> - <td><a href="https://juventus.ch" target="_blank" class="o_extern">Juventus Schulen</a></td> + <td><a href="https://juventus.ch" target="_blank" class="o_extern" rel="noopener noreferrer">Juventus Schulen</a></td> </tr> <tr> <td>Bronze</td> - <td><a href="https://www.kalaidos.ch" target="_blank" class="o_extern">Kalaidos Bildungsgruppe Schweiz</a></td> + <td><a href="https://www.kalaidos.ch" target="_blank" class="o_extern" rel="noopener noreferrer">Kalaidos Bildungsgruppe Schweiz</a></td> </tr> </tbody> </table> @@ -194,4 +194,4 @@ $licenses <div class="o_button_group"> $r.render("close") -</div> \ No newline at end of file +</div> -- GitLab