mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2026-07-01 11:45:26 +02:00
A malicious user could modify a valid-looking link (for example of the editor UI) to point to a malicious site, by using overlays and CSS. Since CSS should stay enabled, we need to make the user aware of possible risks when leaving the HedgeDoc instance, in order to protect them from credential theft.

This commit adds a new interstitial page for external links that shows the target URL and asks the user whether they really want to continue.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
41 lines
1.5 KiB
Text
<!DOCTYPE html>
<html lang="en">

<head>
    <%- include('hedgedoc/head') %>
    <link rel="stylesheet" href="<%- serverURL %>/css/center.css">
</head>

<body>
    <%- include('hedgedoc/header') %>
    <div class="container-fluid text-center">
        <div class="vertical-center-row">
            <h1>
                <% if (valid) { %>
                    <%= __('External link') %>
                <% } else { %>
                    <%= __('Invalid link') %>
                <% } %>
            </h1>
            <p>
                <%= __('You\'ve clicked a link that points to an external page.') %>
                <br>
                <%= __('The content of that page is unrelated to HedgeDoc. Do not enter your HedgeDoc credentials there.') %>
            </p>
            <% if (valid) { %>
                <p><code class="text-break"><%- targetURL %></code></p>
                <p><%= __('Do you want to continue?') %></p>
                <p>
                    <a class="btn btn-primary" href="<%- targetURL %>"><%= __('Continue to external page') %></a>
                    <a class="btn btn-default" href="<%- serverURL %>/<%- noteURL %>"><%= __('Back to your note') %></a>
                </p>
            <% } else { %>
                <p class="text-danger"><strong><%= __('The provided link is not a valid URL.') %></strong></p>
                <p>
                    <a class="btn btn-default" href="<%- serverURL %>/<%- noteURL %>"><%= __('Back to your note') %></a>
                </p>
            <% } %>
        </div>
    </div>
</body>
</html>
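The template prints `targetURL` with `<%-`, which EJS emits without HTML escaping, so the code that renders it has to validate and escape the value before passing it in. The block below is an added example of such a preparation step, not HedgeDoc's own code; `prepareExternalLink`, `escapeHtml` and the http/https allow-list are assumptions.

```javascript
// Added example, not HedgeDoc code: builds the `valid` and `targetURL`
// locals that the interstitial template expects.
// Assumption: only http and https targets may be offered to the user.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:'])

// Escape the HTML-significant characters so the value is inert both as
// element content (<code>) and inside a double-quoted href attribute.
function escapeHtml (value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }
  return value.replace(/[&<>"']/g, (c) => map[c])
}

function prepareExternalLink (rawTarget) {
  const invalid = { valid: false, targetURL: '' }
  if (typeof rawTarget !== 'string' || rawTarget.length === 0) {
    return invalid
  }
  let parsed
  try {
    parsed = new URL(rawTarget) // throws on relative or malformed input
  } catch (err) {
    return invalid
  }
  // Rejects javascript:, data:, file: and every other non-web scheme.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return invalid
  }
  // Use the parser's normalized form so the URL displayed to the user
  // is exactly the URL the "Continue" button follows.
  return { valid: true, targetURL: escapeHtml(parsed.href) }
}

// Constructed sample inputs, for illustration only.
const samples = [
  'https://example.com/?a=1&b=2',
  'HTTPS://EXAMPLE.com',
  'javascript:alert(1)',
  '/relative/path'
]
for (const sample of samples) {
  console.log(sample, '->', prepareExternalLink(sample))
}
```

Using the normalized `href` for both the displayed text and the button keeps the two in sync, which is the property the interstitial relies on.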