
External hyperlinks in task descriptions should use rel=noreferrer for security and privacy #5457

Open
4 tasks done
nekohayo opened this issue Apr 27, 2024 · 1 comment

Comments

@nekohayo
Contributor

nekohayo commented Apr 27, 2024

Checklist

  • I verified that Kanboard is correctly installed
  • I verified that the problem does not come from a plugin
  • I verified that the problem is not already reported
  • I understand that Kanboard is in maintenance mode. It doesn't mean it's abandoned, but there is no significant feature development

Actual behaviour

Hyperlinks generated from Markdown hyperlinks or bare URLs in task descriptions do not have any attributes/tags associated with them. The problem is, this will open in the same tab and pass on the source/referrer information to the destination website, which is certainly not something you'd want from a private/personal kanban board.

Expected behaviour

In task details pages, and task description hover tooltips inside a board view (or anywhere else where a task description may be shown), hyperlinks to external websites should have:

  • The rel=noreferrer attribute (see this MDN information page; apparently this implicitly includes noopener too)
  • Probably target=_blank too so that it opens in a new tab, instead of replacing the kanboard task page
  • Maybe also the title=the_URL attribute to display the URL as a direct tooltip on hover when a "pretty" (non-bare) hyperlink is used, though that's probably less necessary as the browser can also reveal the URL through the statusbar

Steps to reproduce

Write a hyperlink into the description of a task, such as this for example:

We should do something like [this website](https://some_example_untrusted_website.com), it's pretty cool but their tracking is worrisome.

...then inspect the resulting HTML code with the browser's web inspector (F12).

Configuration

  • Kanboard version: 1.2.35
  • Database type and version: SQLite 3.40.1
  • PHP version: 8.2.18
  • OS: Fedora 39
  • Browser: Firefox 125
@fguillot
Member

fguillot commented May 3, 2024

Kanboard is already doing that. There is a meta tag that applies the no-referrer rule to all outgoing links.

<meta name="referrer" content="no-referrer">

You can verify that no referrer is sent to third-party website by making a Markdown link to https://httpbin.org/headers for example.

Regarding the target=_blank, apparently it's a bad practice in terms of accessibility, especially for those using a screen reader.

More info here:

Adding target=_blank everywhere would prevent people from using the default browser behavior (opening the link in the current tab). Looks like GitHub Issues made this choice as well.
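The two mechanisms discussed in this thread (a page-wide `<meta name="referrer" content="no-referrer">` versus a per-link `rel=noreferrer`) can be checked offline on the HTML that the inspector step in the report shows. The following audit is an added example, not Kanboard's code: it scans a serialized page with regular expressions rather than the live DOM, `KANBOARD_ORIGIN` is a constructed placeholder for the board's own origin, and the sample HTML is constructed from the Markdown in the report.

```javascript
// Added example (not Kanboard's code): audit rendered task-description HTML for
// referrer leakage. An external link leaks the referrer unless the page carries
// <meta name="referrer" content="no-referrer"> or the link itself has rel=noreferrer.
// Assumption: KANBOARD_ORIGIN is a constructed placeholder for the board's own origin.
const KANBOARD_ORIGIN = "https://kanboard.example.invalid";

// Read one attribute value out of a single serialized tag (double-, single- or unquoted).
function getAttr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// True when the page-wide policy the maintainer refers to is present.
function hasNoReferrerMeta(html) {
  const metas = html.match(/<meta\b[^>]*>/gi) || [];
  return metas.some(t =>
    (getAttr(t, "name") || "").toLowerCase() === "referrer" &&
    (getAttr(t, "content") || "").toLowerCase() === "no-referrer");
}

// Returns one finding per external http(s) link: whether the referrer would be sent,
// and whether target=_blank is used without noopener/noreferrer (rel=noreferrer implies noopener).
function auditLinks(html, origin = KANBOARD_ORIGIN) {
  const pageWide = hasNoReferrerMeta(html);
  const findings = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    const href = getAttr(tag, "href");
    if (!href || !/^https?:\/\//i.test(href)) continue;           // relative/mailto: not external
    if (href === origin || href.startsWith(origin + "/")) continue; // same-origin: no leak
    const rel = (getAttr(tag, "rel") || "").toLowerCase().split(/\s+/);
    const noReferrer = pageWide || rel.includes("noreferrer");
    const newTab = (getAttr(tag, "target") || "").toLowerCase() === "_blank";
    const openerSafe = !newTab || noReferrer || rel.includes("noopener");
    findings.push({ href, leaksReferrer: !noReferrer, exposesOpener: !openerSafe });
  }
  return findings;
}

// Constructed sample: the report's Markdown as Kanboard might render it, with and without the meta tag.
const RENDERED_WITHOUT_META =
  '<p>We should do something like <a href="https://some_example_untrusted_website.com">this website</a>, ' +
  'it\'s pretty cool but their tracking is worrisome.</p>';
const RENDERED_WITH_META = '<meta name="referrer" content="no-referrer">' + RENDERED_WITHOUT_META;
```

Running `auditLinks` on `RENDERED_WITHOUT_META` reports the link as leaking the referrer, while `RENDERED_WITH_META` reports it as safe, which is the behaviour the maintainer describes.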
