[BUGFIX] Set rel="noopener noreferrer" for external links 77/61577/3
author: Frank Naegler <frank.naegler@typo3.org>
Thu, 29 Aug 2019 14:21:45 +0000 (16:21 +0200)
committer: Andreas Fernandez <a.fernandez@scripting-base.de>
Fri, 30 Aug 2019 06:51:36 +0000 (08:51 +0200)
This patch adds rel="noopener noreferrer" for external links in
backend and install tool for security reasons.
If this is not set, the other page can access the window object
with the window.opener property.

Resolves: #89044
Releases: master, 9.5, 8.7
Change-Id: Ib3ceaf87ad0541cc8603ef0d02c95e0b4ef43d4e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61577
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Guido Schmechel <guido.schmechel@brandung.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Guido Schmechel <guido.schmechel@brandung.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
16 files changed:
typo3/sysext/about/Resources/Private/Language/Modules/about.xlf
typo3/sysext/about/Resources/Private/Partials/Donation.html
typo3/sysext/backend/Classes/Controller/PageLayoutController.php
typo3/sysext/backend/Classes/Utility/BackendUtility.php
typo3/sysext/backend/Resources/Private/Language/locallang_login.xlf
typo3/sysext/backend/Resources/Private/Layouts/Login.html
typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
typo3/sysext/core/Resources/Private/Templates/ErrorPage/Error.html
typo3/sysext/extensionmanager/Resources/Private/Templates/List/ShowAllVersions.html
typo3/sysext/install/Classes/UpgradeAnalysis/DocumentationFile.php
typo3/sysext/install/Resources/Private/Templates/Maintenance/Cards.html
typo3/sysext/install/Resources/Private/Templates/Upgrade/Cards.html
typo3/sysext/install/Resources/Private/Templates/Upgrade/ExtensionScanner.html
typo3/sysext/linkvalidator/Resources/Private/Templates/mod_template.html
typo3/sysext/workspaces/Resources/Private/Templates/Preview/Index.html

index d90418f..dd0d146 100644 (file)
                                <source>TYPO3 CMS - Professional Web Content Management System</source>
                        </trans-unit>
                        <trans-unit id="minor">
-                               <source>TYPO3 CMS is an enterprise-class, Open Source Content Management System, used internationally to build and manage websites of all types, from small sites for non-profits to multilingual enterprise solutions for large corporations.&lt;br /&gt;&lt;br /&gt;For further information visit &lt;a href="https://typo3.org/typo3-cms/" target="_blank"&gt;typo3.org&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;TYPO3 CMS is &lt;b&gt;freely available&lt;/b&gt; under the &lt;a href="https://typo3.org/typo3-cms/overview/licenses/" target="_blank"&gt;TYPO3-license (GNU/GPL)&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;You are using %s %s</source>
+                               <source>TYPO3 CMS is an enterprise-class, Open Source Content Management System, used internationally to build and manage websites of all types, from small sites for non-profits to multilingual enterprise solutions for large corporations.&lt;br /&gt;&lt;br /&gt;For further information visit &lt;a href="https://typo3.org/typo3-cms/" target="_blank" rel="noopener noreferrer"&gt;typo3.org&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;TYPO3 CMS is &lt;b&gt;freely available&lt;/b&gt; under the &lt;a href="https://typo3.org/typo3-cms/overview/licenses/" target="_blank"&gt;TYPO3-license (GNU/GPL)&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;You are using %s %s</source>
                        </trans-unit>
                        <trans-unit id="cms_description">
-                               <source>TYPO3 CMS is an enterprise-class, Open Source Content Management System, used internationally to build and manage websites of all types, from small sites for non-profits to multilingual enterprise solutions for large corporations.&lt;br /&gt;&lt;br /&gt;For further information visit &lt;a href="https://typo3.org/typo3-cms/" target="_blank"&gt;typo3.org&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;TYPO3 CMS is &lt;b&gt;freely available&lt;/b&gt; under the &lt;a href="https://typo3.org/typo3-cms/overview/licenses/" target="_blank"&gt;TYPO3-license (GNU/GPL)&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;You are using version %s - Copyright %s %s</source>
+                               <source>TYPO3 CMS is an enterprise-class, Open Source Content Management System, used internationally to build and manage websites of all types, from small sites for non-profits to multilingual enterprise solutions for large corporations.&lt;br /&gt;&lt;br /&gt;For further information visit &lt;a href="https://typo3.org/typo3-cms/" target="_blank" rel="noopener noreferrer"&gt;typo3.org&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;TYPO3 CMS is &lt;b&gt;freely available&lt;/b&gt; under the &lt;a href="https://typo3.org/typo3-cms/overview/licenses/" target="_blank"&gt;TYPO3-license (GNU/GPL)&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;You are using version %s - Copyright %s %s</source>
                        </trans-unit>
                        <trans-unit id="community_credits">
                                <source>Community Credits</source>
                        </trans-unit>
                        <trans-unit id="information_detail">
-                               <source>Visit &lt;a href="https://typo3.org/community/" target="_blank"&gt;typo3.org/community/&lt;/a&gt; if you want to know why TYPO3 rocks.</source>
+                               <source>Visit &lt;a href="https://typo3.org/community/" target="_blank" rel="noopener noreferrer"&gt;typo3.org/community/&lt;/a&gt; if you want to know why TYPO3 rocks.</source>
                        </trans-unit>
                        <trans-unit id="coredevs">
                                <source>Core Team</source>
                        </trans-unit>
                        <trans-unit id="coredevs_detail">
-                               <source>Visit &lt;a href="https://typo3.org/teams-committees/core-development/" target="_blank"&gt;typo3.org/teams-committees/core-development/&lt;/a&gt; for the complete member list.&lt;br /&gt;&lt;br /&gt;The Git Repository and the ChangeLog can be found &lt;a href="https://forge.typo3.org/projects/typo3cms-core/" target="_blank"&gt;here&lt;/a&gt;.</source>
+                               <source>Visit &lt;a href="https://typo3.org/teams-committees/core-development/" target="_blank" rel="noopener noreferrer"&gt;typo3.org/teams-committees/core-development/&lt;/a&gt; for the complete member list.&lt;br /&gt;&lt;br /&gt;The Git Repository and the ChangeLog can be found &lt;a href="https://forge.typo3.org/projects/typo3cms-core/" target="_blank"&gt;here&lt;/a&gt;.</source>
                        </trans-unit>
                        <trans-unit id="extension_authors">
                                <source>Extension Authors</source>
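Review bot: In the `minor` and `cms_description` units only the first anchor gets the new attribute. The second anchor, to https://typo3.org/typo3-cms/overview/licenses/, still reads target="_blank" with no rel, and the same is true of the forge.typo3.org anchor in `coredevs_detail`. Add rel="noopener noreferrer" to those three anchors as well, otherwise they keep the window.opener exposure the commit message describes.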
index 17fdb7b..0012c32 100644 (file)
@@ -6,7 +6,7 @@
         <p>
             {f:translate(key: 'LLL:EXT:about/Resources/Private/Language/Modules/about.xlf:donation_message') -> f:format.raw()}
         </p>
-        <a href="{donationUrl}" class="btn btn-default" title="{f:translate(key:'LLL:EXT:about/Resources/Private/Language/Modules/about.xlf:donation_button')}" target="_blank">
+        <a href="{donationUrl}" class="btn btn-default" title="{f:translate(key:'LLL:EXT:about/Resources/Private/Language/Modules/about.xlf:donation_button')}" target="_blank" rel="noopener noreferrer">
             <f:translate key="LLL:EXT:about/Resources/Private/Language/Modules/about.xlf:donation_button" />
         </a>
     </div>
index 7e11cae..c292ccb 100644 (file)
@@ -539,7 +539,7 @@ class PageLayoutController
             } else {
                 $externalUrl = htmlspecialchars(GeneralUtility::makeInstance(PageRepository::class)->getExtURL($this->pageinfo));
                 if ($externalUrl !== false) {
-                    $externalUrlHtml = '<a href="' . $externalUrl . '" target="_blank" rel="noopener">' . $externalUrl . '</a>';
+                    $externalUrlHtml = '<a href="' . $externalUrl . '" target="_blank" rel="noopener noreferrer">' . $externalUrl . '</a>';
                     $view->assignMultiple([
                         'title' => $this->pageinfo['title'],
                         'message' => sprintf($lang->getLL('pageIsExternalLinkMessage'), $externalUrlHtml),
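Review bot: The `$externalUrl !== false` guard just above the changed line cannot fail, because `$externalUrl` is already the return value of htmlspecialchars(), which is always a string. If getExtURL() can signal "no URL", test its result before escaping and escape only inside the branch, so an empty result does not produce an anchor with an empty href.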
index bb1cd7c..ad7c8e8 100644 (file)
@@ -3830,29 +3830,29 @@ class BackendUtility
             $warrantyNote = sprintf(
                 $lang->sL('LLL:EXT:backend/Resources/Private/Language/locallang_login.xlf:warranty.by'),
                 htmlspecialchars($loginCopyrightWarrantyProvider),
-                '<a href="' . htmlspecialchars($loginCopyrightWarrantyURL) . '" target="_blank">',
+                '<a href="' . htmlspecialchars($loginCopyrightWarrantyURL) . '" target="_blank" rel="noopener noreferrer">',
                 '</a>'
             );
         } else {
             $warrantyNote = sprintf(
                 $lang->sL('LLL:EXT:backend/Resources/Private/Language/locallang_login.xlf:no.warranty'),
-                '<a href="' . TYPO3_URL_LICENSE . '" target="_blank">',
+                '<a href="' . TYPO3_URL_LICENSE . '" target="_blank" rel="noopener noreferrer">',
                 '</a>'
             );
         }
-        $cNotice = '<a href="' . TYPO3_URL_GENERAL . '" target="_blank">' .
+        $cNotice = '<a href="' . TYPO3_URL_GENERAL . '" target="_blank" rel="noopener noreferrer">' .
             $lang->sL('LLL:EXT:backend/Resources/Private/Language/locallang_login.xlf:typo3.cms') . '</a>. ' .
             $lang->sL('LLL:EXT:backend/Resources/Private/Language/locallang_login.xlf:copyright') . ' &copy; '
             . htmlspecialchars(TYPO3_copyright_year) . ' Kasper Sk&aring;rh&oslash;j. ' .
             $lang->sL('LLL:EXT:backend/Resources/Private/Language/locallang_login.xlf:extension.copyright') . ' ' .
             sprintf(
                 $lang->sL('LLL:EXT:backend/Resources/Private/Language/locallang_login.xlf:details.link'),
-                '<a href="' . TYPO3_URL_GENERAL . '" target="_blank">' . TYPO3_URL_GENERAL . '</a>'
+                '<a href="' . TYPO3_URL_GENERAL . '" target="_blank" rel="noopener noreferrer">' . TYPO3_URL_GENERAL . '</a>'
             ) . ' ' .
             strip_tags($warrantyNote, '<a>') . ' ' .
             sprintf(
                 $lang->sL('LLL:EXT:backend/Resources/Private/Language/locallang_login.xlf:free.software'),
-                '<a href="' . TYPO3_URL_LICENSE . '" target="_blank">',
+                '<a href="' . TYPO3_URL_LICENSE . '" target="_blank" rel="noopener noreferrer">',
                 '</a> '
             )
             . $lang->sL('LLL:EXT:backend/Resources/Private/Language/locallang_login.xlf:keep.notice');
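Review bot: The attribute pair target="_blank" rel="noopener noreferrer" is now typed by hand in five string literals in this hunk. Consider building these opening tags through one small helper or a shared constant, so a later change to the attributes cannot miss one of the copies. Also note that `$loginCopyrightWarrantyURL` is escaped with htmlspecialchars() while TYPO3_URL_LICENSE and TYPO3_URL_GENERAL are concatenated raw; that is fine for constants, but a helper would make the escaping uniform.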
index 0b902ee..ddecaae 100644 (file)
@@ -43,7 +43,7 @@
                                <source>You are using an unsupported browser version.</source>
                        </trans-unit>
                        <trans-unit id="warning.incompatibleBrowserInternetExplorer">
-                               <source>Please install &lt;a href="http://www.microsoft.com/internetexplorer/" target="_blank" /&gt;a more modern browser version&lt;/a&gt;.</source>
+                               <source>Please install &lt;a href="http://www.microsoft.com/internetexplorer/" target="_blank" rel="noopener noreferrer" /&gt;a more modern browser version&lt;/a&gt;.</source>
                        </trans-unit>
                        <trans-unit id="newsheadline">
                                <source>Important Messages</source>
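Review bot: The anchor on the changed line is still written as a self-closing tag (rel="noopener noreferrer" /&gt;) followed by the link text and a separate &lt;/a&gt;. Since the line is being edited anyway, drop the " /" before &gt; so the opening tag is well formed.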
index e028983..c203eaf 100644 (file)
                                         <f:format.raw>{copyright}</f:format.raw>
                                     </p>
                                     <ul class="list-unstyled">
-                                        <li><a href="https://typo3.org" target="_blank" class="t3-login-link-typo3"><i class="fa fa-external-link"></i> TYPO3.org</a></li>
-                                        <li><a href="https://typo3.org/donate/online-donation/" target="_blank" class="t3-login-link-donate"><i class="fa fa-external-link"></i> <f:translate key="login.donate" /></a></li>
+                                        <li><a href="https://typo3.org" target="_blank" rel="noopener noreferrer" class="t3-login-link-typo3"><i class="fa fa-external-link"></i> TYPO3.org</a></li>
+                                        <li><a href="https://typo3.org/donate/online-donation/" target="_blank" rel="noopener noreferrer" class="t3-login-link-donate"><i class="fa fa-external-link"></i> <f:translate key="login.donate" /></a></li>
                                     </ul>
                                 </div>
                             </div>
index d4927c8..45cb819 100644 (file)
@@ -107,7 +107,7 @@ HTML;
                             Once you have found a solution to the problem, help others by contributing to the wiki page.
                         </p>
                         <p>
-                            <a href="$wikiLink" target="_blank">Find a solution for this exception in the TYPO3 wiki.</a>
+                            <a href="$wikiLink" target="_blank" rel="noopener noreferrer">Find a solution for this exception in the TYPO3 wiki.</a>
                         </p>
                     </div>
                 </div>
index 80cb7e0..2d2e2d9 100644 (file)
@@ -52,7 +52,7 @@ GFX:
             description: 'If set, the processor_stripColorProfileCommand is used with all processor image operations by default. See tsRef for setting this parameter explicitly for IMAGE generation.'
         processor_stripColorProfileCommand:
             type: text
-            description: 'String: Specify the command to strip the profile information, which can reduce thumbnail size up to 60KB. Command can differ in IM/GM, IM also know the -strip command. See <a href="http://www.imagemagick.org/Usage/thumbnails/#profiles" target="_blank">imagemagick.org</a> for details'
+            description: 'String: Specify the command to strip the profile information, which can reduce thumbnail size up to 60KB. Command can differ in IM/GM, IM also know the -strip command. See <a href="http://www.imagemagick.org/Usage/thumbnails/#profiles" target="_blank" rel="noopener noreferrer">imagemagick.org</a> for details'
         processor_colorspace:
             type: text
             description: 'String: Specify the colorspace to use. Some ImageMagick versions (like 6.7.0 and above) use the sRGB colorspace, so all images are darker then the original. <br />Possible Values: CMY, CMYK, Gray, HCL, HSB, HSL, HWB, Lab, LCH, LMS, Log, Luv, OHTA, Rec601Luma, Rec601YCbCr, Rec709Luma, Rec709YCbCr, RGB, sRGB, Transparent, XYZ, YCbCr, YCC, YIQ, YCbCr, YUV'
@@ -99,10 +99,10 @@ SYS:
             description: 'Defines a list of IP addresses which will allow development-output to display. The debug() function will use this as a filter. See the function <code>\TYPO3\CMS\Core\Utility\GeneralUtility::cmpIP()</code> for details on syntax. Setting this to blank value will deny all. Setting to "*" will allow all.'
         ddmmyy:
             type: text
-            description: 'Format of Day-Month-Year - see PHP-function <a href="http://php.net/date" target="_blank">date()</a>'
+            description: 'Format of Day-Month-Year - see PHP-function <a href="http://php.net/date" target="_blank" rel="noopener noreferrer">date()</a>'
         hhmm:
             type: text
-            description: 'Format of Hours-Minutes - see PHP-function <a href="http://php.net/date" target="_blank">date()</a>'
+            description: 'Format of Hours-Minutes - see PHP-function <a href="http://php.net/date" target="_blank" rel="noopener noreferrer">date()</a>'
         USdateFormat:
             type: bool
             description: 'If TRUE, dates entered in the TCEforms of the backend will be formatted mm-dd-yyyy'
@@ -129,7 +129,7 @@ SYS:
             description: 'Integer: memory_limit in MB: If more than 16, TYPO3 will try to use ini_set() to set the memory limit of PHP to the value. This works only if the function ini_set() is not disabled by your sysadmin.'
         phpTimeZone:
             type: text
-            description: 'timezone to force for all date() and mktime() functions. A list of supported values can be found at <a href="http://php.net/manual/en/timezones.php" target="_blank">php.net</a>. If this is not set, a valid fallback will be searched for by PHP (php.ini''s <a href="http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone" target="_blank">date.timezone</a> setting, server defaults, etc); and if no fallback is found, the value of "UTC" is used instead.'
+            description: 'timezone to force for all date() and mktime() functions. A list of supported values can be found at <a href="http://php.net/manual/en/timezones.php" target="_blank" rel="noopener noreferrer">php.net</a>. If this is not set, a valid fallback will be searched for by PHP (php.ini''s <a href="http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone" target="_blank" rel="noopener noreferrer">date.timezone</a> setting, server defaults, etc); and if no fallback is found, the value of "UTC" is used instead.'
         systemLog:
             type: bool
             description: 'Enables the deprecated system log functionality. Log data is written to the Logging API.'
@@ -147,7 +147,7 @@ SYS:
             description: 'If TRUE then TYPO3 uses utf-8 to store file names. This allows for accented Latin letters as well as any other non-latin characters like Cyrillic and Chinese.'
         systemLocale:
             type: text
-            description: 'Locale used for certain system related functions, e.g. escaping shell commands. If problems with filenames containing special characters occur, the value of this option is probably wrong. See <a href="http://php.net/manual/en/function.setlocale.php" target="_blank">setlocale()</a>.'
+            description: 'Locale used for certain system related functions, e.g. escaping shell commands. If problems with filenames containing special characters occur, the value of this option is probably wrong. See <a href="http://php.net/manual/en/function.setlocale.php" target="_blank" rel="noopener noreferrer">setlocale()</a>.'
         reverseProxyIP:
             type: list
             description: 'List of IP addresses. If TYPO3 is behind one or more (intransparent) reverse proxies the IP addresses must be added here.'
@@ -188,13 +188,13 @@ SYS:
             description: 'Classname to handle PHP errors. E.g.: TYPO3\CMS\Core\Error\ErrorHandler. This class displays and logs all errors that are registered as [SYS][errorHandlerErrors]. Leave empty to disable error handling. Errors will be logged and can be sent to the optionally installed developer log or to the "syslog" database table. If an error is registered in [SYS][exceptionalErrors] it will be turned into an exception to be handled by the configured exceptionHandler.'
         errorHandlerErrors:
             type: errors
-            description: 'The E_* constant that will be handled by the [SYS][errorHandler]. Not all PHP error types can be handled! Default is 30466 = <code>E_ALL & ~(E_STRICT | E_NOTICE | E_COMPILE_WARNING | E_COMPILE_ERROR | E_CORE_WARNING | E_CORE_ERROR | E_PARSE | E_ERROR)</code> (see <a href="http://php.net/manual/en/errorfunc.constants.php" target="_blank">PHP documentation</a>).'
+            description: 'The E_* constant that will be handled by the [SYS][errorHandler]. Not all PHP error types can be handled! Default is 30466 = <code>E_ALL & ~(E_STRICT | E_NOTICE | E_COMPILE_WARNING | E_COMPILE_ERROR | E_CORE_WARNING | E_CORE_ERROR | E_PARSE | E_ERROR)</code> (see <a href="http://php.net/manual/en/errorfunc.constants.php" target="_blank" rel="noopener noreferrer">PHP documentation</a>).'
         exceptionalErrors:
             type: errors
-            description: 'The E_* constant that will be converted into an exception by the default [SYS][errorHandler]. Default is 4096 = <code>E_ALL & ~(E_STRICT | E_NOTICE | E_COMPILE_WARNING | E_COMPILE_ERROR | E_CORE_WARNING | E_CORE_ERROR | E_PARSE | E_ERROR | E_DEPRECATED | E_USER_DEPRECATED | E_WARNING | E_USER_ERROR | E_USER_NOTICE | E_USER_WARNING)</code> (see <a href="http://php.net/manual/en/errorfunc.constants.php" target="_blank">PHP documentation</a>). E_USER_DEPRECATED is always excluded to avoid exceptions to be thrown for deprecation messages.'
+            description: 'The E_* constant that will be converted into an exception by the default [SYS][errorHandler]. Default is 4096 = <code>E_ALL & ~(E_STRICT | E_NOTICE | E_COMPILE_WARNING | E_COMPILE_ERROR | E_CORE_WARNING | E_CORE_ERROR | E_PARSE | E_ERROR | E_DEPRECATED | E_USER_DEPRECATED | E_WARNING | E_USER_ERROR | E_USER_NOTICE | E_USER_WARNING)</code> (see <a href="http://php.net/manual/en/errorfunc.constants.php" target="_blank rel="noopener noreferrer"">PHP documentation</a>). E_USER_DEPRECATED is always excluded to avoid exceptions to be thrown for deprecation messages.'
         belogErrorReporting:
             type: errors
-            description: 'Configures which PHP errors should be logged to the "syslog" database table (extension: belog). If set to "0" no PHP errors are logged to the sys_log table. Default is 30711 = <code>E_ALL & ~(E_STRICT | E_NOTICE)</code> (see <a href="http://php.net/manual/en/errorfunc.constants.php" target="_blank">PHP documentation</a>).'
+            description: 'Configures which PHP errors should be logged to the "syslog" database table (extension: belog). If set to "0" no PHP errors are logged to the sys_log table. Default is 30711 = <code>E_ALL & ~(E_STRICT | E_NOTICE)</code> (see <a href="http://php.net/manual/en/errorfunc.constants.php" target="_blank" rel="noopener noreferrer">PHP documentation</a>).'
         generateApacheHtaccess:
             type: bool
             description: 'TYPO3 can create <em>.htaccess</em> files which are used by Apache Webserver. They are useful for access protection or performance improvements. Currently <em>.htaccess</em> files in the following directories are created, if they do not exist: <ul><li>typo3temp/compressor/</li></ul>You want to disable this feature, if you are not running Apache or want to use own rulesets.'
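Review bot: The added `exceptionalErrors` line has the closing quote of target in the wrong place: target="_blank rel="noopener noreferrer"". The target value now runs up to the quote after rel=, so the anchor ends up with no rel attribute at all and a target that is no longer _blank. It should read target="_blank" rel="noopener noreferrer", as the `errorHandlerErrors` and `belogErrorReporting` lines in this same hunk do.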
@@ -527,7 +527,7 @@ MAIL:
             description: '<em>only with transport=smtp</em>: &lt;server:port> of mailserver to connect to. &lt;port> defaults to "25".'
         transport_smtp_encrypt:
             type: text
-            description: '<em>only with transport=smtp</em>: Connect to the server using the specified transport protocol. Requires openssl library. Usually available: <em>ssl, sslv2, sslv3, tls</em>. Check <a href="http://www.php.net/stream_get_transports" target="_blank">stream_get_transports()</a>.'
+            description: '<em>only with transport=smtp</em>: Connect to the server using the specified transport protocol. Requires openssl library. Usually available: <em>ssl, sslv2, sslv3, tls</em>. Check <a href="http://www.php.net/stream_get_transports" target="_blank rel="noopener noreferrer"">stream_get_transports()</a>.'
         transport_smtp_username:
             type: text
             description: '<em>only with transport=smtp</em>: If your SMTP server requires authentication, enter your username here.'
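Review bot: The added `transport_smtp_encrypt` line has a misplaced quote: target="_blank rel="noopener noreferrer"". Parsed as HTML, the target value swallows the text up to rel=, and no rel attribute is set, so this link does not get the protection the patch is meant to add. Change it to target="_blank" rel="noopener noreferrer".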
index 25faafe..2ca155c 100644 (file)
@@ -25,7 +25,7 @@
                             <div class="callout-body">
                                 {message}
                                 <f:if condition="{errorCode} > 0">
-                                    <p>More information regarding this error might be available <a href="{errorCodeUrlPrefix}{errorCode}" target="_blank">online</a>.</p>
+                                    <p>More information regarding this error might be available <a href="{errorCodeUrlPrefix}{errorCode}" target="_blank" rel="noopener noreferrer">online</a>.</p>
                                 </f:if>
                             </div>
                         </div>
index 892b434..f25eec7 100644 (file)
@@ -47,7 +47,7 @@
             <tr class="ter-ext-single-info-manual">
                 <th><f:translate key="extensionList.showAllVersions.manual" /></th>
                 <td>
-                    <a href="https://docs.typo3.org/typo3cms/extensions/{currentVersion.extensionKey}/" target="_blank">
+                    <a href="https://docs.typo3.org/typo3cms/extensions/{currentVersion.extensionKey}/" target="_blank" rel="noopener noreferrer">
                         <f:translate key="extensionList.showAllVersions.readOnline" />
                     </a>
                 </td>
index 7f10db1..4df7234 100644 (file)
@@ -324,8 +324,8 @@ class DocumentationFile
     protected function parseContent(string $rstContent): string
     {
         $content = htmlspecialchars($rstContent);
-        $content = preg_replace('/:issue:`([\d]*)`/', '<a href="https://forge.typo3.org/issues/\\1" target="_blank">\\1</a>', $content);
-        $content = preg_replace('/#([\d]*)/', '#<a href="https://forge.typo3.org/issues/\\1" target="_blank">\\1</a>', $content);
+        $content = preg_replace('/:issue:`([\d]*)`/', '<a href="https://forge.typo3.org/issues/\\1" target="_blank" rel="noopener noreferrer">\\1</a>', $content);
+        $content = preg_replace('/#([\d]*)/', '#<a href="https://forge.typo3.org/issues/\\1" target="_blank" rel="noopener noreferrer">\\1</a>', $content);
         $content = preg_replace('/(\n([=]*)\n(.*)\n([=]*)\n)/', '', $content, 1);
         $content = preg_replace('/.. index::(.*)/', '', $content);
         $content = preg_replace('/.. include::(.*)/', '', $content);
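Review bot: Both patterns on the changed lines capture with `([\d]*)`, which also matches zero digits, so a bare `#` or an empty :issue: role in the rst text becomes an anchor to https://forge.typo3.org/issues/ with empty link text. Use `\d+` in both patterns so only real issue numbers are turned into links.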
index 7dc2d18..08d4242 100644 (file)
@@ -42,7 +42,7 @@
             <f:then>
                 <div class="card-footer text-muted">
                     You can't use this feature, because your installation is in composer mode.
-                    Guide: <a href="https://docs.typo3.org/m/typo3/reference-coreapi/master/en-us/ApiOverview/Autoloading/Index.html#loading-classes-with-composer-mode" target="_blank">Composer dumpautoload</a>.
+                    Guide: <a href="https://docs.typo3.org/m/typo3/reference-coreapi/master/en-us/ApiOverview/Autoloading/Index.html#loading-classes-with-composer-mode" target="_blank" rel="noopener noreferrer">Composer dumpautoload</a>.
                 </div>
             </f:then>
             <f:else>
index b18bb8d..e3f4403 100644 (file)
@@ -12,7 +12,7 @@
             <f:then>
                 <div class="card-footer text-muted">
                     You can't use this feature, because your installation is in composer mode.
-                    Guide: <a href="https://docs.typo3.org/m/typo3/guide-installation/master/en-us/Upgrade/InstallTheNewSource/Index.html" target="_blank">install the new source</a>.
+                    Guide: <a href="https://docs.typo3.org/m/typo3/guide-installation/master/en-us/Upgrade/InstallTheNewSource/Index.html" target="_blank" rel="noopener noreferrer">install the new source</a>.
                 </div>
             </f:then>
             <f:else>
index 4d1dd3f..b95c4cd 100644 (file)
@@ -6,7 +6,7 @@
     upgrading to new core versions. However, the detection approach - based on static
     code analysis - is limited by concept: false positives/negatives are impossible to avoid.
     Further details can be found at
-    <a style="text-decoration: underline;" target="_blank" rel="noopener" href="https://docs.typo3.org/typo3cms/CoreApiReference/ApiOverview/ExtensionScanner/Index.html">
+    <a style="text-decoration: underline;" target="_blank" rel="noopener noreferrer" href="https://docs.typo3.org/typo3cms/CoreApiReference/ApiOverview/ExtensionScanner/Index.html">
         the official docs.
     </a>
 </p>
index 6880723..fc2b934 100644 (file)
@@ -49,7 +49,7 @@
             <td>###ACTIONLINKOPEN######ELEMENT######ACTIONLINKCLOSE###</td>
             <td>###PATH###</td>
             <td>###HEADLINK###</td>
-            <td><a href="###LINKTARGET###" target="_blank">###LINKTARGET###</a></td>
+            <td><a href="###LINKTARGET###" target="_blank" rel="noopener noreferrer">###LINKTARGET###</a></td>
             <td>###LINKMESSAGE###</td>
             <td>###LASTCHECK###</td>
             <td>###ACTIONLINKOPEN######ACTIONLINKICON######ACTIONLINKCLOSE###</td>
index b0c481a..1746f66 100644 (file)
@@ -2,7 +2,7 @@
 <div id="typo3-topbar">
     <div class="typo3-topbar-container" role="navigation" id="typo3-top-container">
         <div class="typo3-topbar-site">
-            <a class="typo3-topbar-site-logo" href="{logoLink}" target="_blank">
+            <a class="typo3-topbar-site-logo" href="{logoLink}" target="_blank" rel="noopener noreferrer">
                 <img src="{f:uri.resource(path: 'Images/typo3_logo_orange.svg', extensionName: 'backend')}" width="22" height="22" title="TYPO3 Content Management System" alt="">
             </a>
             <span class="typo3-topbar-site-name">{activeWorkspace}</span>