Non-tech founder’s guide to choosing the right software development partner Download Ebook
Contact Us
Home>Blog>Save your links from phishers.

Save your links from phishers.

While Pull Request fixing issue with OWASP Tabnabbing is still open... since Feb 16, 2017, our shiny Rails applications are in danger. But wait no longer! Just put code like this:


# frozen_string_literal: true



module ActionView

  module Helpers #:nodoc:

      module UrlHelper

      # Same as #link_to, but also adds rel="nofollow" and rel="noopener" if target="_blank"

      #   rel='noopener' is added to mitigate OWASP Reverse Tabnabbing

      #

      #   external_link_to "External link", "http://www.rubyonrails.org/", target: "_blank"

      #   # => <a href="http://www.rubyonrails.org/" target="_blank" rel="nofollow noopener">External link</a>

      def external_link_to(name = nil, options = nil, html_options = nil, &block)

        html_options, options, name = options, name, yield if block_given?

        html_options ||= {}

        html_options.stringify_keys!



        html_options['rel'.freeze] = "#{html_options['rel'.freeze]} nofollow".lstrip

        html_options['rel'.freeze] = "#{html_options['rel'.freeze]} noopener".lstrip if html_options['target'.freeze] == '_blank'.freeze

        link_to(name, options, html_options)

      end

    end

  end

end

into one of initializers and enjoy bit of safety. This will add new url helper external_link_to to your disposal, that will mitigate Reverse Tabnabbing endangering your application.

Or, if you feel adventurous today... lets patch link_to itself!


# frozen_string_literal: true



module ActionView

  module Helpers #:nodoc:

    module UrlHelper



      def link_to(name = nil, options = nil, html_options = nil, &block)

        html_options, options, name = options, name, block if block_given?

        options ||= {}





        html_options = convert_options_to_data_attributes(options, html_options)



        html_options['rel'.freeze] = "#{html_options['rel'.freeze]} nofollow".lstrip

        html_options['rel'.freeze] = "#{html_options['rel'.freeze]} noopener".lstrip if html_options['target'.freeze] == '_blank'.freeze



        url = url_for(options)

        html_options["href".freeze] ||= url



        content_tag("a".freeze, name || url, html_options, &block)

      end

    end

  end

end

Even better! Now all your existing links with target="_blank" gonna be safe from nasty fishers.

Happy coding and stay safe.

Discover More Reads

Categories:

Real Stories & Real Success

saymore mental health social platform

Read more about saymore

saymore saymore

The Gut Stuff gut health tracking app

Read more about The Gut Stuff

The Gut Stuff The Gut Stuff

Zumi fintech mobile app

Read more about Zumi

Zumi Zumi

OneTribe time-off management system

Read more about OneTribe

OneTribe OneTribe
More case studies

Do you have a tech idea?

Let’s talk!

By submitting this form, you agree with JetRockets’ Privacy Policy

If you prefer email, write to us at hello@jetrockets.com

Schedule a call