Make sure to read this post before raising a thread here:
Hey SonarSource Community!
False-positives happen, as do false-negatives, and we’re eager to fix them. We are thrilled when our users report problems, so we can make our products better.
What is a false-positive (FP)?
A false-positive is when an issue is raised unexpectedly on code that should not trigger an issue, or where the suggested action doesn’t make any sense for the code.
What is a false-negative (FN)?
A false-negative is when an issue should be raised on a piece of code, but isn’t…
Then tell us:
What language is this for? JavaScript
Which rule? RSPEC-5148
Why do you believe it’s a false-positive/false-negative? adding a windowFeatures string with noopener,noreferrer triggers the rule, even the MDN says that it’s valid. Additionally, setting the window.opener property to null as specified by the reference links in the rule info does not work either.
Are you using
SonarCloud? Yes
SonarQube - which version?
SonarLint - which IDE/version?
in connected mode with SonarQube or SonarCloud?
How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
const target = window.open('https://sonarcloud.io', 'noopener,noreferrer');
target.opener = null;
eric.morand
(Eric Morand)
September 13, 2024, 12:05pm
Dear @Taylor_Ackley , thanks a lot for your report.
Can you share with us the link to the MDN documentation that you mentioned?
Thanks in advance,
Eric.
Here is the MDN link where it says the features string should be csv for multiple values.
The open() method of the Window interface loads a specified resource into a new or existing browsing context (that is, a tab, a window, or an iframe) under a specified name.
I do see though that setting noreferrer also implies noopener as well, so perhaps that’s what is going on.
At any rate, I would think setting window.opener to null would override everything else as mentioned in the links in the rule info.
eric.morand
(Eric Morand)
September 17, 2024, 12:23pm
Actually, I think the issue may come from the fact that your code passes the window features as the second parameter instead of the third.
open()
open(url)
open(url, target)
open(url, target, windowFeatures)
Can you please check my theory?
1 Like
Thanks, Eric. I’ll check that out.
Hi Eric, it looks like your theory is correct and I was incorrect.
The rule is not triggered with either of these conditions:
sonarTest() {
  const myWindow = window.open('https://someurl.com', null, 'noopener,noreferrer');
}
sonarTest2() {
  const myWindow = window.open('https://someurl.com', 'someWindowName');
  myWindow.opener = null;
}
Thanks for your response and pointing out the error with the signature.
3 Likes
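An added example, not part of any post in this thread and not SonarSource's rule implementation: a simplified model of how window.open() binds its positional arguments, showing why a features string placed in the second position becomes the target name and never sets noopener. The function names are hypothetical and the feature parsing is a simplification of browser behaviour; the sample calls are constructed from the two shapes discussed above.

```javascript
// Simplified model of window.open(url, target, windowFeatures) argument handling.
// parseBooleanFeature and modelWindowOpen are hypothetical helper names.
function parseBooleanFeature(value) {
  // A bare feature name, "yes" or "true" enables it; otherwise a non-zero integer does.
  if (value === '' || value === 'yes' || value === 'true') return true;
  const n = parseInt(value, 10);
  return Number.isInteger(n) && n !== 0;
}

function modelWindowOpen(url, target, windowFeatures) {
  // The second argument is always the target (window name), whatever it contains.
  const name = target === undefined ? '_blank' : String(target);
  // Only the third argument is read as the comma-separated features list.
  const raw = windowFeatures == null ? '' : String(windowFeatures);
  const features = new Map();
  for (const token of raw.split(',')) {
    const [key, value = ''] = token.split('=').map((s) => s.trim().toLowerCase());
    if (key) features.set(key, value);
  }
  const flag = (k) => features.has(k) && parseBooleanFeature(features.get(k));
  const noreferrer = flag('noreferrer');
  // noreferrer implies noopener, as noted in the thread.
  const noopener = noreferrer || flag('noopener');
  return { target: name, noopener, noreferrer };
}

// Constructed sample calls mirroring the two shapes discussed in the thread.
const samples = [
  ['https://sonarcloud.io', 'noopener,noreferrer'],     // features in the target slot
  ['https://someurl.com', null, 'noopener,noreferrer'], // features in the third slot
];
for (const args of samples) {
  console.log(JSON.stringify(args), '->', JSON.stringify(modelWindowOpen(...args)));
}
```

The model only covers the windowFeatures path; the second pattern from the thread, assigning `null` to the returned window's `opener`, happens after the call and is not represented here.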
Hello @Taylor_Ackley ,
Thanks a lot for checking and the confirmation. I’m glad your issue is solved - and I actually learned something about window.open.
Eric.
1 Like
system
(system)
Closed
October 4, 2024, 8:23am
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.