Merge pull request #12380 from susiwen8/target

Fix potential security risk

Merge pull request #12380 from susiwen8/target
Fix potential security risk
7887f27a · Yi Shen · GitHub · 57dd7a3b · 8cd07898 · 7887f27a
4 changed file
--- a/src/chart/sunburst/SunburstView.js
+++ b/src/chart/sunburst/SunburstView.js
@@ -21,6 +21,7 @@ import * as zrUtil from 'zrender/src/core/util';
 import ChartView from '../../view/Chart';
 import SunburstPiece from './SunburstPiece';
 import DataDiffer from '../../data/DataDiffer';
+import {windowOpen} from '../../util/format';

 var ROOT_TO_NODE_ACTION = 'sunburstRootToNode';

@@ -206,7 +207,7 @@ var SunburstView = ChartView.extend({
                        if (link) {
                            var linkTarget = itemModel.get('target', true)
                                || '_blank';
-                            window.open(link, linkTarget);
+                            windowOpen(link, linkTarget);
                        }
                    }
                    targetFound = true;

--- a/src/chart/treemap/TreemapView.js
+++ b/src/chart/treemap/TreemapView.js
@@ -28,6 +28,7 @@ import BoundingRect from 'zrender/src/core/BoundingRect';
 import * as matrix from 'zrender/src/core/matrix';
 import * as animationUtil from '../../util/animation';
 import makeStyleMapper from '../../model/mixin/makeStyleMapper';
+import {windowOpen} from '../../util/format';

 var bind = zrUtil.bind;
 var Group = graphic.Group;
@@ -544,7 +545,7 @@ export default echarts.extendChartView({
                    var itemModel = node.hostTree.data.getItemModel(node.dataIndex);
                    var link = itemModel.get('link', true);
                    var linkTarget = itemModel.get('target', true) || 'blank';
-                    link && window.open(link, linkTarget);
+                    link && windowOpen(link, linkTarget);
                }
            }


--- a/src/component/title.js
+++ b/src/component/title.js
@@ -21,6 +21,7 @@ import * as zrUtil from 'zrender/src/core/util';
 import * as echarts from '../echarts';
 import * as graphic from '../util/graphic';
 import {getLayoutRect} from '../util/layout';
+import {windowOpen} from '../util/format';

 // Model
 echarts.extendComponentModel({
@@ -143,12 +144,12 @@ echarts.extendComponentView({

        if (link) {
            textEl.on('click', function () {
-                window.open(link, '_' + titleModel.get('target'));
+                windowOpen(link, '_' + titleModel.get('target'));
            });
        }
        if (sublink) {
            subTextEl.on('click', function () {
-                window.open(sublink, '_' + titleModel.get('subtarget'));
+                windowOpen(link, '_' + titleModel.get('subtarget'));
            });
        }


--- a/src/util/format.js
+++ b/src/util/format.js
@@ -23,7 +23,7 @@ import * as numberUtil from './number';
 // import Text from 'zrender/src/graphic/Text';

 /**
- * 每三位默认加,格式化
+ * add commas after every three numbers
 * @param {string|number} x
 * @return {string}
 */
@@ -275,3 +275,19 @@ export function getTextRect(
        text, font, textAlign, textVerticalAlign, textPadding, textLineHeight, rich, truncate
    );
 }
+
+/**
+ * open new tab
+ * @param {string} link url
+ * @param {string} target blank or self
+ */
+export function windowOpen(link, target) {
+    if (target === '_blank' || target === 'blank') {
+        var blank = window.open();
+        blank.opener = null;
+        blank.location = link;
+    }
+    else {
+        window.open(link, target);
+    }
+}