Added rel=noopener to target=_blank links to prevent window.opener spoof.

2025-07-13 20:04:34 +02:00 · 2019-11-01 23:49:46 +01:00 · 2019-11-01 23:49:46 +01:00 · 9b481323aa
commit 9b481323aa
parent 7a5a2f65f9
7 changed files with 10 additions and 10 deletions
--- a/templates/AdminPages/_attachments.html.twig
+++ b/templates/AdminPages/_attachments.html.twig
@ -43,11 +43,11 @@
                            </h6>
                        {% endif %}
                        {% if attach.picture %}
-                            <a href="{{ attach | entityURL('file_view') }}" target="_blank" data-no-ajax>
+                            <a href="{{ attach | entityURL('file_view') }}" target="_blank" rel="noopener" data-no-ajax>
                                <img class="img-fluid img-thumbnail thumbnail-sm" src="{{ attachment_thumbnail(attach, 'thumbnail_md') }}" alt="{% trans %}attachment.preview.alt{% endtrans %}" />
                            </a>
                        {% else %}
-                            <a href="{{ attach | entityURL('file_view') }}" target="_blank" data-no-ajax class="link-external">{% trans %}attachment.view{% endtrans %}</a>
+                            <a href="{{ attach | entityURL('file_view') }}" rel="noopener" target="_blank" data-no-ajax class="link-external">{% trans %}attachment.view{% endtrans %}</a>
                        {% endif %}
                    {% else %}
                        <br><br>