From 9b481323aa8b122f8f41448adf07ca2177fe8d02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?= <jan.h.boehmer@gmx.de>
Date: Fri, 1 Nov 2019 23:49:46 +0100
Subject: [PATCH] Added rel=noopener to target=_blank links to prevent
 window.opener spoof.

---
 assets/ts_src/event_listeners.ts                 | 2 +-
 templates/AdminPages/_attachments.html.twig      | 4 ++--
 templates/Parts/edit/_attachments.html.twig      | 4 ++--
 templates/Parts/info/_attachments_info.html.twig | 4 ++--
 templates/Parts/info/_main_infos.html.twig       | 2 +-
 templates/Parts/info/_order_infos.html.twig      | 2 +-
 templates/helper.twig                            | 2 +-
 7 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/assets/ts_src/event_listeners.ts b/assets/ts_src/event_listeners.ts
index c48de553..39c05abe 100644
--- a/assets/ts_src/event_listeners.ts
+++ b/assets/ts_src/event_listeners.ts
@@ -425,7 +425,7 @@ $(document).on("ajaxUI:start", function () {
             $(this).removeAttr('data-markdown');
 
             //Make all links external
-            $('a', this).addClass('link-external').attr('target', '_blank');
+            $('a', this).addClass('link-external').attr('target', '_blank').attr('rel', 'noopener');
             //Bootstrapify objects
             $('table', this).addClass('table table-hover table-striped table-bordered');
         });
diff --git a/templates/AdminPages/_attachments.html.twig b/templates/AdminPages/_attachments.html.twig
index 9213d5ca..36bc3e24 100644
--- a/templates/AdminPages/_attachments.html.twig
+++ b/templates/AdminPages/_attachments.html.twig
@@ -43,11 +43,11 @@
                             </h6>
                         {% endif %}
                         {% if attach.picture %}
-                            <a href="{{ attach | entityURL('file_view') }}" target="_blank" data-no-ajax>
+                            <a href="{{ attach | entityURL('file_view') }}" target="_blank" rel="noopener" data-no-ajax>
                                 <img class="img-fluid img-thumbnail thumbnail-sm" src="{{ attachment_thumbnail(attach, 'thumbnail_md') }}" alt="{% trans %}attachment.preview.alt{% endtrans %}" />
                             </a>
                         {% else %}
-                            <a href="{{ attach | entityURL('file_view') }}" target="_blank" data-no-ajax class="link-external">{% trans %}attachment.view{% endtrans %}</a>
+                            <a href="{{ attach | entityURL('file_view') }}" rel="noopener" target="_blank" data-no-ajax class="link-external">{% trans %}attachment.view{% endtrans %}</a>
                         {% endif %}
                     {% else %}
                         <br><br>
diff --git a/templates/Parts/edit/_attachments.html.twig b/templates/Parts/edit/_attachments.html.twig
index c6fbfeee..267df7f3 100644
--- a/templates/Parts/edit/_attachments.html.twig
+++ b/templates/Parts/edit/_attachments.html.twig
@@ -41,11 +41,11 @@
                     {% endif %}
 
                     {% if attach.picture %}
-                        <a href="{{ attach | entityURL('file_view') }}" target="_blank" data-no-ajax>
+                        <a href="{{ attach | entityURL('file_view') }}" rel="noopener" target="_blank" data-no-ajax>
                             <img class="img-fluid img-thumbnail thumbnail-sm" src="{{ attachment_thumbnail(attach, 'thumbnail_md') }}" alt="{% trans %}attachment.preview.alt{% endtrans %}" />
                         </a>
                     {% else %}
-                        <a href="{{ attach | entityURL('file_view') }}" target="_blank" data-no-ajax class="link-external">{% trans %}attachment.view{% endtrans %}</a>
+                        <a href="{{ attach | entityURL('file_view') }}" rel="noopener" target="_blank" data-no-ajax class="link-external">{% trans %}attachment.view{% endtrans %}</a>
                     {% endif %}
                 {% else %}
                     <br><br>
diff --git a/templates/Parts/info/_attachments_info.html.twig b/templates/Parts/info/_attachments_info.html.twig
index a3420170..8a608759 100644
--- a/templates/Parts/info/_attachments_info.html.twig
+++ b/templates/Parts/info/_attachments_info.html.twig
@@ -24,7 +24,7 @@
             <td class="align-middle">{{ attachment.attachmentType.fullPath }}</td>
             <td class="align-middle">
                 {% if attachment.external %}
-                    <a href="{{ attachment.uRL }}" target="_blank" class="link-external">{{ attachment.host }}</a>
+                    <a href="{{ attachment.uRL }}" rel="noopener" target="_blank" class="link-external">{{ attachment.host }}</a>
                 {% else %}
                     {{ attachment.filename }}
                 {% endif %}
@@ -42,7 +42,7 @@
             <td><div class="btn-group" role="group" aria-label="">
                     <a {% if attachment_helper.fileExisting(attachment) %}href="{{ attachment|entityURL('file_view') }}"{% endif %} target="_blank"
                        class="btn btn-secondary {% if not attachment_helper.fileExisting(attachment)  %}disabled{% endif %}"
-                       data-no-ajax title="{% trans %}attachment.view{% endtrans %}">
+                       data-no-ajax title="{% trans %}attachment.view{% endtrans %}" rel="noopener">
                         <i class="fas fa-eye fa-fw"></i>
                     </a>
                     <a {% if attachment_helper.fileExisting(attachment)  %}href="{{ attachment|entityURL('file_download') }}"{% endif %} data-no-ajax
diff --git a/templates/Parts/info/_main_infos.html.twig b/templates/Parts/info/_main_infos.html.twig
index 782bedf0..f363c84c 100644
--- a/templates/Parts/info/_main_infos.html.twig
+++ b/templates/Parts/info/_main_infos.html.twig
@@ -15,7 +15,7 @@
             {% endif %}
             {% if part.manufacturerProductUrl %}
                 <small>
-                    <a class="link-external" href="{{ part.manufacturerProductUrl }}" target="_blank">{{ part.manufacturerProductNumber }}</a>
+                    <a class="link-external" href="{{ part.manufacturerProductUrl }}" rel="noopener" target="_blank">{{ part.manufacturerProductNumber }}</a>
                 </small>
             {% else %}
                 <small>{{ part.manufacturerProductNumber }}</small>
diff --git a/templates/Parts/info/_order_infos.html.twig b/templates/Parts/info/_order_infos.html.twig
index 40069346..d99bd055 100644
--- a/templates/Parts/info/_order_infos.html.twig
+++ b/templates/Parts/info/_order_infos.html.twig
@@ -15,7 +15,7 @@
                     <a href="{{ order.supplier | entityURL('list_parts') }}">{{ order.supplier.name }}</a>
                 </td>
                 <td>{% if order.supplierProductUrl is not empty %}
-                        <a href="{{ order.supplierProductUrl }}" target="_blank" class="link-external">{{ order.supplierPartNr }}</a>
+                        <a href="{{ order.supplierProductUrl }}" rel="noopener" target="_blank" class="link-external">{{ order.supplierPartNr }}</a>
                     {% else %}
                         {{ order.supplierPartNr }}
                     {% endif %}
diff --git a/templates/helper.twig b/templates/helper.twig
index c2160233..c769f70e 100644
--- a/templates/helper.twig
+++ b/templates/helper.twig
@@ -36,7 +36,7 @@
 
 {% macro attachment_icon(attachment, attachment_helper, class = "fa-fw fas fa-3x", link = true) %}
     {% if not attachment_helper or attachment_helper.fileExisting(attachment) %}
-        <a target="_blank"  data-no-ajax href="{% if link %}{{ attachment|entityURL('file_view') }}{% endif %}">
+        <a target="_blank"  data-no-ajax rel="noopener" href="{% if link %}{{ attachment|entityURL('file_view') }}{% endif %}">
             {% if attachment.picture %}
                 <img class="hoverpic" src="{{ attachment|entityURL('file_view') }}">
             {% else %}