This repository was archived by the owner on Mar 21, 2025. It is now read-only.

Potentially unsafe external link #3524

Open
Onyx2406 opened this issue Jun 20, 2023 · 1 comment

Comments

@Onyx2406

Description

The issue lies within the 'bulkimportusers.html' file and other files where we're using an external link to open a new tab or window. The problem is that the new page could potentially access the original page's information, posing a security risk. Detected by CodeQL deployed on a forked repository.

Steps to Reproduce

  1. Open the 'bulkimportusers.html' file, which can be found in the app/views/organization/bulkimport directory.
  2. Check out the HTML link element on line 93 that is opening a new tab or window.

Expected Behaviour

Any external link that opens in a new tab or window should be secure and not expose any sensitive data from the original page.

Actual Behaviour

Our external link is not currently using the rel="noopener noreferrer" attribute, which means the new page could access information from our original page.

Settings

  • Mifos X version: Develop Branch
  • Browser used: Firefox
  • OS: Windows 11

Screenshots

image

References

Mathias Bynens: About rel=noopener
Mozilla Developer Network: HTML Anchor Element
Common Weakness Enumeration: CWE-200
Common Weakness Enumeration: CWE-1022
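As an added example (not code from the Mifos X community app), a small static check in JavaScript that finds anchors opening a new browsing context without a rel that neutralises window.opener, and rewrites them the way the issue proposes; the HTML sample and the function names are constructed for this example.

```javascript
// Added example (not the Mifos X app's own code): find <a target="_blank">
// tags lacking a rel that neutralises window.opener, and rewrite them.
const ANCHOR_RE = /<a\b[^>]*>/gi;
const ATTR_RE = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const SAFE_TOKENS = ['noopener', 'noreferrer'];

// Parse the attributes of one <a ...> start tag into a name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<a\b/i, '').replace(/\/?>$/, '');
  for (const m of body.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}
const relTokens = (attrs) => (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);

// Unsafe: opens a new window with neither noopener nor noreferrer set
// (noreferrer implies noopener in current browsers, so either one is enough).
function isUnsafeBlankLink(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = relTokens(attrs);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Report every offending tag with its href, the way the CodeQL finding does.
function findUnsafeBlankLinks(html) {
  return (html.match(ANCHOR_RE) || [])
    .map((tag) => ({ tag, attrs: parseAttrs(tag) }))
    .filter(({ attrs }) => isUnsafeBlankLink(attrs))
    .map(({ tag, attrs }) => ({ tag, href: attrs.href || '' }));
}

// Fix: extend an existing rel, or add rel="noopener noreferrer" before the closing '>'.
function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    const attrs = parseAttrs(tag);
    if (!isUnsafeBlankLink(attrs)) return tag;
    const tokens = relTokens(attrs);
    for (const t of SAFE_TOKENS) if (!tokens.includes(t)) tokens.push(t);
    const relAttr = `rel="${tokens.join(' ')}"`;
    if ('rel' in attrs) return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, relAttr);
    return tag.replace(/\s*\/?>$/, (end) => ` ${relAttr}${end}`);
  });
}

// Constructed sample markup; the first and last links are the unsafe ones.
const SAMPLE_HTML = [
  '<p>Download the <a href="https://example.org/template.xls" target="_blank">template</a></p>',
  '<a href="https://example.org/help" target="_blank" rel="noopener noreferrer">Help</a>',
  '<a href="/local" target="_self">Internal</a>',
  '<a target="_blank" rel="nofollow" href="https://example.org/docs">Docs</a>',
].join('\n');
```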

@godfreykutumela

Thanks @Onyx2406 @edcable, this is potentially dangerous, so we should address it as part of the priority security backlog.
