add rel attributes to external links (#3736)

* add rel attributes to external links * adds ssn to the sensitive parameters list (#3733) adds ssn to the sensitive parameters list so the value will be replaced with [FILTERED] in the logs * fix app scan issues * fix one last app scan issue * use h helper instead of sanitize_html * add spec * add a few missing rel noopener noreferrer attrs to links * add escape to html links * remove redundant rel attr from link --------- Co-authored-by: Sai Kumar Kotagiri <[email protected]> Co-authored-by: TristanB17 <[email protected]>
ideacrew · May 29, 2024 · d88dd81 · d88dd81
1 parent 4b8a706
commit d88dd81
Show file tree

Hide file tree

Showing 93 changed files with 691 additions and 682 deletions.
diff --git a/app/views/broker_agencies/broker_roles/extended_confirmation.html.erb b/app/views/broker_agencies/broker_roles/extended_confirmation.html.erb
@@ -3,11 +3,11 @@
     <h2>We Received Your Broker Application</h2>
     <p>Now that you’ve registered, we will review your application and confirm that you have:</p>
     <ul>
-      <li>Completed the <a target="_blank" href='https://coverme.inquisiqlms.com/'><%= EnrollRegistry[:enroll_app].setting(:short_name).item %> training</a> provided by <%=EnrollRegistry[:enroll_app].setting(:short_name).item %> Consumer Assistance Center</li>
+      <li>Completed the <a target="_blank" rel='noopener noreferrer' href='https://coverme.inquisiqlms.com/'><%= EnrollRegistry[:enroll_app].setting(:short_name).item %> training</a> provided by <%=EnrollRegistry[:enroll_app].setting(:short_name).item %> Consumer Assistance Center</li>
       <li>Have an active producer license with health authority with the Maine Bureau of Insurance</li>
     </ul>
     <p>If you have met all of the requirements, you’ll get an email from <%= EnrollRegistry[:enroll_app].setting(:short_name).item %> in the next 7-10 business days with a link to set up your <%= EnrollRegistry[:enroll_app].setting(:short_name).item %> password.</p>
     <p>Registration and certification with <%= EnrollRegistry[:enroll_app].setting(:short_name).item %> does not guarantee appointments with carriers. You still need to work with carriers to secure appointments.</p>
     <p>If you have any questions call <%= EnrollRegistry[:enroll_app].setting(:short_name).item %> at <%= EnrollRegistry[:enroll_app].setting(:contact_center_short_number).item %> TTY:  <%=EnrollRegistry[:enroll_app].settings(:contact_center_tty_number).item%></p>
   </div>
-</div>
+</div>
diff --git a/app/views/broker_agencies/quotes/_plan_comparision.html.erb b/app/views/broker_agencies/quotes/_plan_comparision.html.erb
@@ -50,7 +50,7 @@
             <% qhps.each do |qhp|%>
               <th colspan="2">
                 <% if qhp.plan.coverage_kind == "health" && qhp.plan.rx_formulary_url.present? %>
-                  <%= link_to "#{l10n('broker_agencies.quotes.rx_formulary_url')}", qhp.plan.rx_formulary_url, target: "_blank" %>
+                  <%= h(link_to "#{l10n('broker_agencies.quotes.rx_formulary_url')}", qhp.plan.rx_formulary_url, target: "_blank", rel: 'noopener noreferrer') %>
                 <% end %>
               </th>
             <% end %>
@@ -77,6 +77,6 @@
     </table>
   </div>
   <br>
-    <%= link_to "#{l10n('broker_agencies.quotes.export_to_pdf')}", download_pdf_broker_agencies_broker_role_quotes_path(@broker,:plans => params[:plans], quote_id: @quote.id), class: "btn btn-info", target: "_blank" %>
+    <%= h(link_to "#{l10n('broker_agencies.quotes.export_to_pdf')}", download_pdf_broker_agencies_broker_role_quotes_path(@broker,:plans => params[:plans], quote_id: @quote.id), class: "btn btn-info", target: "_blank", rel: 'noopener noreferrer') %>
   <br><br>
 </div>
diff --git a/app/views/broker_agencies/quotes/_plan_comparison_export.html.erb b/app/views/broker_agencies/quotes/_plan_comparison_export.html.erb
@@ -39,7 +39,7 @@
             <% qhps.each do |qhp|%>
               <th colspan="2">
                 <% if qhp.plan.coverage_kind == "health" && qhp.plan.rx_formulary_url.present? %>
-                  <%= link_to "#{l10n('broker_agencies.quotes.rx_formulary_url')}", qhp.plan.rx_formulary_url, target: "_blank" %>
+                  <%= h(link_to "#{l10n('broker_agencies.quotes.rx_formulary_url')}", qhp.plan.rx_formulary_url, target: "_blank", rel: 'noopener noreferrer') %>
                 <% end %>
               </th>
             <% end %>

diff --git a/app/views/employers/employer_attestations/_verify_attestation.html.erb b/app/views/employers/employer_attestations/_verify_attestation.html.erb
@@ -11,7 +11,7 @@
 
         </p>
         <p class="text-right">
-          <button class="btn btn-default"><span class="glyphicons glyphicons-cloud-download"></span><%= link_to 'Download', employers_employer_attestation_authorized_download_path(@document.id) + "?id=#{@employer_profile.id}&content_type=#{@document.format}&filename=#{@document.title.gsub(/[^0-9a-z]/i,'')}&disposition=inline", target: '_blank' %></button>
+          <button class="btn btn-default"><span class="glyphicons glyphicons-cloud-download"></span><%= h(link_to 'Download', employers_employer_attestation_authorized_download_path(@document.id) + "?id=#{@employer_profile.id}&content_type=#{@document.format}&filename=#{@document.title.gsub(/[^0-9a-z]/i,'')}&disposition=inline", target: '_blank', rel: "noopener noreferrer") %></button>
           <button class="btn btn-default" onclick='window.print();return false;'>Print</button>
         </p>
       </div>

diff --git a/app/views/employers/employer_profiles/_employer_invoices_table.html.erb b/app/views/employers/employer_profiles/_employer_invoices_table.html.erb
@@ -17,9 +17,9 @@
       <tr>
         <% @invoices.each do |invoice|%>
         <td>
-          <%= link_to(download_invoice_employers_employer_profile_path(@employer_profile, :invoice_id => invoice.id), :target => "_blank" , :type => "pdf", :disposition =>  "inline") do %>
+          <%= h(link_to(download_invoice_employers_employer_profile_path(@employer_profile, :invoice_id => invoice.id), :target => "_blank",  rel: "noopener noreferrer", :type => "pdf", :disposition =>  "inline") do %>
             <%= invoice_formated_date(invoice.date) %> <i class='fa fa-cloud-download' aria-hidden='true' title='Download' data-toggle='tooltip'></i>
-          <% end %>
+          <% end) %>
         </td>
         <td><%=invoice_coverage_date(invoice.date)%></td>
       <tr/>

diff --git a/app/views/employers/employer_profiles/my_account/_billing.html.erb b/app/views/employers/employer_profiles/my_account/_billing.html.erb
@@ -18,11 +18,11 @@
     <ol class="twenty">
       <li>
         <% if invoice_bill_url_helper %>
-          <%= link_to 'Pay Online', invoice_bill_url_helper, target: "_blank"%> -
+          <%= h(link_to 'Pay Online', invoice_bill_url_helper, target: "_blank", rel: 'noopener noreferrer') %> -
         <% else %>
           Pay Online
         <% end %>
-        <%= link_to 'How to Pay Online', payment_pdf_helper, target: "_blank"%>
+        <%= h(link_to 'How to Pay Online', payment_pdf_helper, target: "_blank", rel: 'noopener noreferrer') %>
       </li>
       <br/>
       <li>Pay by Phone

diff --git a/app/views/employers/employer_profiles/my_account/_employer_welcome.html.slim b/app/views/employers/employer_profiles/my_account/_employer_welcome.html.slim
@@ -57,17 +57,17 @@
           br
         - if individual_market_is_enabled?
           .icon-left-download
-            = link_to "https://dchealthlink.com/sites/default/files/v2/forms/Initial-Employers-Creating-an-Account.pdf", target: '_blank' do
+            = link_to "https://dchealthlink.com/sites/default/files/v2/forms/Initial-Employers-Creating-an-Account.pdf", target: '_blank', rel: 'noopener noreferrer' do
               i.fa.fa-download
               |  Download Step-by-Step Instructions for New Employers
         - else
           .icon-left-download
-            = link_to "https://www.mahealthconnector.org/help-center-answers/how-to-enroll-new-employees-in-health-coverage", target: '_blank' do
+            = link_to "https://www.mahealthconnector.org/help-center-answers/how-to-enroll-new-employees-in-health-coverage", target: '_blank', rel: 'noopener noreferrer' do
               i.fa.fa-download
               |  Download Step-by-Step Instructions for New Employers
       - if individual_market_is_enabled?
         .col-xs-2.pdf-image.full-width
-          = link_to 'https://dchealthlink.com/sites/default/files/v2/forms/Initial-Employers-Creating-an-Account.pdf', target: '_blank' do
+          = link_to 'https://dchealthlink.com/sites/default/files/v2/forms/Initial-Employers-Creating-an-Account.pdf', target: '_blank', rel: 'noopener noreferrer' do
           = image_tag('images/guidanceforsmallbusinessowners_214.jpg', class: 'pull-right')
 
 javascript:

diff --git a/app/views/insured/consumer_roles/ridp_agreement.html.erb b/app/views/insured/consumer_roles/ridp_agreement.html.erb
@@ -32,8 +32,8 @@
           <p>
             <b>We are required by federal law to verify your identity before you continue with your application.</b>
             If you do not want to continue with identity verification through Experian, you can apply by completing and sending us a
-            <a href="https://dchealthlink.com/sites/default/files/v2/forms/DC_Health_Link_Application_for_Health_Coverage_201509.pdf" target="_blank">paper application </a>
-            or going to a <a href="https://dchealthlink.com/dhsservicecenters" target="_blank">Department of Human Services service center </a> to apply in person.
+            <a href="https://dchealthlink.com/sites/default/files/v2/forms/DC_Health_Link_Application_for_Health_Coverage_201509.pdf" target="_blank" rel="noopener noreferrer">paper application </a>
+            or going to a <a href="https://dchealthlink.com/dhsservicecenters" target="_blank" rel="noopener noreferrer">Department of Human Services service center </a> to apply in person.
           </p>
         </div>
       </div>

diff --git a/app/views/insured/employee_roles/_welcome_msg.html.haml b/app/views/insured/employee_roles/_welcome_msg.html.haml
@@ -21,4 +21,4 @@
     %em
       %small
         = t('welcome.employee.notice')
-        = link_to t('welcome.link'), 'https://www.dchealthlink.com/privacy', target: '_blank'
+        = link_to t('welcome.link'), 'https://www.dchealthlink.com/privacy', target: '_blank', rel: "noopener noreferrer"
diff --git a/app/views/insured/employee_roles/privacy.html.erb b/app/views/insured/employee_roles/privacy.html.erb
@@ -5,7 +5,7 @@
   <div class="row">
     <div class="col-xs-12 col-sm-12 col-md-8 col-lg-8">
       <%= l10n("insured.employee_roles.privacy.privacy_info_html", site_short_name: site_short_name) %>
-      <%= link_to l10n(".view_privacy_act_statement"), site_privacy_policy, target: "_blank" %>
+      <%= h(link_to l10n(".view_privacy_act_statement"), site_privacy_policy, target: "_blank", rel: "noopener noreferrer") %>
 
     </div>
   </div>

diff --git a/app/views/insured/families/_moving_fields.html.erb b/app/views/insured/families/_moving_fields.html.erb
@@ -21,7 +21,7 @@
           <%= radio_button_tag :reason, "I had income below 100% of the Federal Poverty Level and was living in a state that had not expanded Medicaid (tool-tip below)", false, id: 'reason_accept2', class: "n-radio zip-check"%>
           <span class="n-radio"></span>
           <span>
-            <%= l10n("insured.moving_fields_had_income_below_of_the_federal_poverty_level") %> <%= link_to("(Use the calculator to see if you qualify)", 'http://www.healthcare.gov/lower-costs', target: :_blank) if individual_market_is_enabled? %>
+            <%= l10n("insured.moving_fields_had_income_below_of_the_federal_poverty_level") %> <%= h(link_to("(Use the calculator to see if you qualify)", 'http://www.healthcare.gov/lower-costs', target: :_blank, rel: "noopener noreferrer")) if individual_market_is_enabled? %>
           </span>
         </label>
       </div>

diff --git a/app/views/insured/families/_out_of_pocket_calculator.html.erb b/app/views/insured/families/_out_of_pocket_calculator.html.erb
@@ -1,7 +1,7 @@
 <div class="row">
 	<div class="col-md-8">
 		<div class="pull-right">
-			<%= link_to "Out of pocket Estimator",Settings.checkbook_services.url,:target => "_blank", class: "btn btn-default" %>
+			<%= h(link_to "Out of pocket Estimator",Settings.checkbook_services.url,:target => "_blank",rel: "noopener noreferrer", class: "btn btn-default") %>
 		</div>
 	</div>
 </div>

diff --git a/app/views/insured/families/_qle_moving_detail.html.erb b/app/views/insured/families/_qle_moving_detail.html.erb
@@ -1,5 +1,5 @@
 <div class="moving_reasons hidden">
-  <h4><%= l10n("insured.families.indicate_following_circumstances_to_you") %>: </h4> <br/> 
+  <h4><%= l10n("insured.families.indicate_following_circumstances_to_you") %>: </h4> <br/>
   <div class = 'moving_radio_btn'>
     <div class="n-radio-group">
       <div class="n-radio-row">
@@ -8,34 +8,34 @@
           <span class = "n-radio"></span>
           <span id="date-change"></span>
         </label>
-      </div>            
+      </div>
       <div class="n-radio-row">
         <label class="n-radio" for="reason_accept1">
           <%= radio_button_tag :reason, "I was living outside the US or in a US territory", false, id: 'reason_accept1', class: "n-radio" %>
             <span class="n-radio"></span>
             <span><%= l10n("insured.families.was_living_outside_US_or_in_US_territory") %></span>
         </label>
-      </div>        
+      </div>
       <div class="n-radio-row">
         <label class="n-radio vertically-aligned-row" for="reason_accept2">
           <%= radio_button_tag :reason, "I had income below 100% of the Federal Poverty Level and was living in a state that had not expanded Medicaid (tool-tip below)", false, id: 'reason_accept2', class: "n-radio" %>
             <span class="n-radio"></span>
             <span>
-              <%= l10n("insured.families.had_income_below_the_federal_poverty_level") %>              
+              <%= l10n("insured.families.had_income_below_the_federal_poverty_level") %>
             </span>
         </label>
-      </div>        
+      </div>
       <div class="n-radio-row">
         <label class="n-radio" for="reason_reject">
           <%= radio_button_tag :reason, "None of the Above", false, id:'reason_reject', class: "n-radio" %>
           <span class="n-radio"></span>
           <span> <%= l10n("none_of_the_above") %>.</span>
         </label>
-      </div>        
+      </div>
       <div class = 'calculator'>
         <br/>
-        <%= l10n("insured.families.tooltip_use_this_calculator_html", link: link_to('www.healthcare.gov/lower-costs/', 'http://www.healthcare.gov/lower-costs/', target: :_blank)) %>
-      </div>        
+        <%= l10n("insured.families.tooltip_use_this_calculator_html", link: link_to('www.healthcare.gov/lower-costs/', 'http://www.healthcare.gov/lower-costs/', target: :_blank, rel: "noopener noreferrer")) %>
+      </div>
       <div class="center">
         <%= link_to l10n('continue').to_s.upcase, 'javascript:;', class: 'btn btn-primary btn-md', id: 'qle_submit_reason' %>
       </div>

diff --git a/app/views/insured/families/documents_index.html.erb b/app/views/insured/families/documents_index.html.erb
@@ -11,7 +11,7 @@
       </h4>
     </div>
     <div class="col-xs-4">
-      <%= link_to l10n("download_tax_documents"), EnrollRegistry[:enroll_app].setting(:prod_tax_info).item, class: "btn btn-primary  pull-right", target: '_blank' if @person.try(:consumer_role).present? %>
+      <%= h(link_to l10n("download_tax_documents"), EnrollRegistry[:enroll_app].setting(:prod_tax_info).item, class: "btn btn-primary  pull-right", target: '_blank', rel: "noopener noreferrer") if @person.try(:consumer_role).present? %>
       <%= link_to l10n("upload_document"), document_upload_insured_families_path, class: "btn btn-primary  pull-right" if @person.try(:consumer_role).present? %>
     </div>
   </div>

diff --git a/app/views/insured/families/inbox.html.erb b/app/views/insured/families/inbox.html.erb
@@ -5,8 +5,8 @@
   <div class="vertically-aligned-row">
     <h1 class="darkblue no-buffer"><%= l10n("messages") %></h1>
     <span class='text-right'>
-      <%= link_to l10n("upload_notices"), upload_notice_form_insured_families_path, class: "btn btn-primary", target: '_blank' if current_user.has_hbx_staff_role? && EnrollRegistry.feature_enabled?(:show_upload_notices)  %>
-      <%= link_to l10n(".download_tax_documents"), tax_info_url, class: "btn btn-primary", target: '_blank' if show_download_tax_documents_button? %>
+      <%= h(link_to l10n("upload_notices"), upload_notice_form_insured_families_path, class: "btn btn-primary", target: '_blank', rel: "noopener noreferrer") if current_user.has_hbx_staff_role? && EnrollRegistry.feature_enabled?(:show_upload_notices)  %>
+      <%= h(link_to l10n(".download_tax_documents"), tax_info_url, class: "btn btn-primary", target: '_blank', rel: "noopener noreferrer") if show_download_tax_documents_button? %>
     </span>
   </div>
   <%= render 'inbox', provider: @person %>

diff --git a/app/views/insured/families/upload_notice_form.html.erb b/app/views/insured/families/upload_notice_form.html.erb
@@ -25,7 +25,7 @@
   <ul>
   <% @notices.each do |notice|%>
       <li>
-        <%= link_to(notice.title, authorized_document_download_path('Person', @person.id, 'documents', notice.id ) + "?content_type=#{notice.format}&filename=#{notice.title.gsub(/[^0-9a-z]/i,'')}.pdf&disposition=inline", class: "sbc_link", :target => "_blank") %>
+        <%= h(link_to(notice.title, authorized_document_download_path('Person', @person.id, 'documents', notice.id ) + "?content_type=#{notice.format}&filename=#{notice.title.gsub(/[^0-9a-z]/i,'')}.pdf&disposition=inline", class: "sbc_link", :target => "_blank", rel: "noopener noreferrer")) %>
       </li>
   <% end %>
     </ul>

diff --git a/app/views/insured/families/verification/_verification.html.erb b/app/views/insured/families/verification/_verification.html.erb
@@ -88,9 +88,9 @@
                           <div class="v-doc col-md-11">
                             <% if vlp_doc.identifier.present? %>
                               <% key = vlp_doc.identifier.split('#').last %>
-                              <%= link_to("/insured/verification_documents/download/#{key}", :target => '_blank', title: "Download", data: {"toggle": "tooltip"}) do %>
-                                <%= vlp_doc.title.titleize %> <i class='fa fa-download fa-lg' aria-hidden='true'></i>"
-                              <% end %>
+                              <%= h(content_tag(:a, href: "/insured/verification_documents/download/#{key}", target: "_blank", rel: "noopener noreferrer", title: "Download", data: {toggle: "tooltip"}) do %>
+                                <%= vlp_doc.title.titleize %> <i class='fa fa-download fa-lg' aria-hidden='true'></i>
+                              <% end) %>
                             <% end %>
                           </div>
                           <div class="v-doc col-md-1">
@@ -121,7 +121,7 @@
     <% end %>
   </div>
   <div class="col-xs-6">
-    <a aria-controls="docs-verification-faq" aria-expanded="false" class="btn btn-default btn-small pull-right" data-toggle=<%= EnrollRegistry.feature_enabled?(:disable_documents_we_accept_list) ? "none" : "collapse" %>  href=<%= EnrollRegistry.feature_enabled?(:disable_documents_we_accept_list) ? ::EnrollRegistry[:enroll_app].setting(:submit_docs_url).item : "#docs-verification-faq" %> role="button" target=<%= EnrollRegistry.feature_enabled?(:disable_documents_we_accept_list) ? "_blank" : "" %> >
+    <a aria-controls="docs-verification-faq" aria-expanded="false" class="btn btn-default btn-small pull-right" data-toggle=<%= EnrollRegistry.feature_enabled?(:disable_documents_we_accept_list) ? "none" : "collapse" %>  href=<%= EnrollRegistry.feature_enabled?(:disable_documents_we_accept_list) ? ::EnrollRegistry[:enroll_app].setting(:submit_docs_url).item : "#docs-verification-faq" %> role="button" rel="noopener noreferrer" target=<%= EnrollRegistry.feature_enabled?(:disable_documents_we_accept_list) ? "_blank" : "" %> >
       <%= l10n("insured.families.verification.documents_FAQ") %>
     </a>
   </div>

diff --git a/app/views/insured/fdsh_ridp_verifications/_outstanding_ridp_documents.html.erb b/app/views/insured/fdsh_ridp_verifications/_outstanding_ridp_documents.html.erb
@@ -91,7 +91,7 @@
 
 <div class="row">
   <div class="col-xs-12">
-    <%= link_to 'Documents FAQ', ::EnrollRegistry[:enroll_app].setting(:submit_docs_url).item, class: "btn btn-default btn-small pull-right", target: '_blank' %>
+    <%= h(link_to 'Documents FAQ', ::EnrollRegistry[:enroll_app].setting(:submit_docs_url).item, class: "btn btn-default btn-small pull-right", target: '_blank', rel: "noopener noreferrer") %>
   </div>
 </div>
 

diff --git a/app/views/insured/interactive_identity_verifications/_outstanding_ridp_documents.html.erb b/app/views/insured/interactive_identity_verifications/_outstanding_ridp_documents.html.erb
@@ -62,9 +62,9 @@
                                   <div class="v-doc col-md-11">
                                     <% if ridp_doc.identifier.present? %>
                                         <% key = ridp_doc.identifier.split('#').last %>
-                                        <%= link_to("/insured/ridp_documents/download/#{key}", title: "Download", data: {"toggle": "tooltip"}, target: '_blank') do %>
-                                          <%= ridp_doc.title.titleize %> <i class='fa fa-download fa-lg' aria-hidden='true'></i>
-                                        <% end %>
+                                      <%= h(content_tag(:a, href: "/insured/ridp_documents/download/#{key}", title: "Download", data: {toggle: "tooltip"}, target: "_blank", rel: "noopener noreferrer") do %>
+                                        <%= ridp_doc.title.titleize %> <i class='fa fa-download fa-lg' aria-hidden='true'></i>
+                                      <% end) %>
                                     <% end %>
                                   </div>
                                   <div class="v-doc col-md-1">
@@ -92,7 +92,7 @@
 <% if ::EnrollRegistry[:enroll_app].setting(:submit_docs_url).item.present? %>
   <div class="row">
     <div class="col-xs-12">
-      <%= link_to 'Documents FAQ', ::EnrollRegistry[:enroll_app].setting(:submit_docs_url).item, class: "btn btn-default btn-small pull-right", target: '_blank' %>
+      <%= h(link_to 'Documents FAQ', ::EnrollRegistry[:enroll_app].setting(:submit_docs_url).item, class: "btn btn-default btn-small pull-right", target: '_blank', rel: 'noopener noreferrer') %>
     </div>
   </div>
 <% end %>