Merge branch 'openInNewTab' of https://github.com/MxtOUT/AugmentedSteam…

… into MxtOUT-openInNewTab
candela97 · Aug 4, 2019 · 92df392 · 92df392
2 parents 80439a4 + 1fb03c7
commit 92df392
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 2 deletions.
diff --git a/js/content/store.js b/js/content/store.js
@@ -1386,7 +1386,7 @@ class AppPageClass extends StorePageClass {
             let str = Localization.str.viewinclient;
 
             HTML.afterBegin(linkNode,
-                `<a class="btnv6_blue_hoverfade btn_medium es_app_btn ${cls}" target="_blank" href="${url}">
+                `<a class="btnv6_blue_hoverfade btn_medium es_app_btn ${cls}" href="${url}">
                     <span><i class="ico16"></i>&nbsp;&nbsp; ${str}</span></a>`);
         }
 

diff --git a/js/core.js b/js/core.js
@@ -538,6 +538,7 @@ SyncedStorage.defaults = {
     'skip_got_steam': false,
 
     'hideaboutlinks': false,
+    'openinnewtab': true,
     'keepssachecked': false,
     'showemptywishlist': true,
     'showusernotes': true,
@@ -624,8 +625,28 @@ class ExtensionResources {
      * We took the original Regex and aded chrome-extension://, moz-extension:// and steam://
      * First two are needed for linking local resources from extension,
      * steam:// protocol is used by Steam store to open their own client (e.g. when you want to launch a game).
+     * 
+     * The addition of the "target" attribute to the allowed attributes is done in order to be able to open links in a new tab,
+     * while considering security concerns (see hook and https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/)
      */
-    DOMPurify.setConfig({ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|chrome-extension|moz-extension|steam):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i});
+    let purifyConfig = { ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|chrome-extension|moz-extension|steam):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i };
+    SyncedStorage.then(() => {
+        if (SyncedStorage.get("openinnewtab")) {
+            purifyConfig.ADD_ATTR = ["target"];
+
+            DOMPurify.addHook("uponSanitizeAttribute", (node, data) => {
+                if (data.attrName === "target") {
+                    if (data.attrValue === "_blank") {
+                        node.setAttribute("rel", "noreferrer noopener");
+                    } else {
+                        data.keepAttr = false;
+                    }
+                }
+            });
+        }
+
+        DOMPurify.setConfig(purifyConfig);
+    }, err => console.error(err));
 })();
 
 class HTML {

diff --git a/localization/de/strings.json b/localization/de/strings.json
@@ -367,6 +367,7 @@
         "saved_note": "Einstellungen gespeichert",
         "regional_hideworld": "Globus-Symbol nicht anzeigen",
         "show_astatslink": "AStats-Link auf Anwendungsseiten anzeigen",
+        "openinnewtab": "Externe Links in einem neuen Fenster öffen",
         "showclient": "Steam-Client-Links anzeigen",
         "guest": "Spiele, die als Besucherpass in meinem Inventar liegen",
         "show_steamchart_info": "Informationen von SteamCharts.com anzeigen",

diff --git a/localization/en/strings.json b/localization/en/strings.json
@@ -388,6 +388,7 @@
         "show_astatslink": "Show AStats link on app pages",
         "show_youtubegameplay": "Show YouTube gameplay videos on app pages",
         "show_youtubereviews": "Show YouTube review videos on app pages",
+        "openinnewtab": "Open external links in a new tab",
         "showclient": "Show Steam Client links",
         "guest": "Items you have a guest pass for",
         "show_steamchart_info": "Show SteamCharts.com info",

diff --git a/options.html b/options.html
@@ -328,6 +328,10 @@ <h2 data-locale-text="options.general">General</h2>
                             <input type="checkbox" id="showdrm" data-setting="showdrm">
                             <label for="showdrm" data-locale-text="options.drm">Show 3rd party DRM warnings</label>
                         </div>
+                        <div class="option">
+                            <input type="checkbox" id="openinnewtab" data-setting="openinnewtab">
+                            <label for="openinnewtab" data-locale-text="options.openinnewtab">Open external links in a new tab</label>
+                        </div>
                         <div class="option">
                             <input type="checkbox" id="showclient" data-setting="showclient">
                             <label for="showclient" data-locale-text="options.showclient">Show Steam Client links</label>