Added rel=noopener to target=_blank links to prevent window.opener spoof.

assets/ts_src/event_listeners.ts

@@ -425,7 +425,7 @@ $(document).on("ajaxUI:start", function () {
             $(this).removeAttr('data-markdown');
 
             //Make all links external
-            $('a', this).addClass('link-external').attr('target', '_blank');
+            $('a', this).addClass('link-external').attr('target', '_blank').attr('rel', 'noopener');
             //Bootstrapify objects
             $('table', this).addClass('table table-hover table-striped table-bordered');
         });

templates/AdminPages/_attachments.html.twig

@@ -43,11 +43,11 @@
                             </h6>
                         {% endif %}
                         {% if attach.picture %}
-                            <a href="{{ attach | entityURL('file_view') }}" target="_blank" data-no-ajax>
+                            <a href="{{ attach | entityURL('file_view') }}" target="_blank" rel="noopener" data-no-ajax>
                                 <img class="img-fluid img-thumbnail thumbnail-sm" src="{{ attachment_thumbnail(attach, 'thumbnail_md') }}" alt="{% trans %}attachment.preview.alt{% endtrans %}" />
                             </a>
                         {% else %}
-                            <a href="{{ attach | entityURL('file_view') }}" target="_blank" data-no-ajax class="link-external">{% trans %}attachment.view{% endtrans %}</a>
+                            <a href="{{ attach | entityURL('file_view') }}" rel="noopener" target="_blank" data-no-ajax class="link-external">{% trans %}attachment.view{% endtrans %}</a>
                         {% endif %}
                     {% else %}
                         <br><br>

templates/Parts/edit/_attachments.html.twig

@@ -41,11 +41,11 @@
                     {% endif %}
 
                     {% if attach.picture %}
-                        <a href="{{ attach | entityURL('file_view') }}" target="_blank" data-no-ajax>
+                        <a href="{{ attach | entityURL('file_view') }}" rel="noopener" target="_blank" data-no-ajax>
                             <img class="img-fluid img-thumbnail thumbnail-sm" src="{{ attachment_thumbnail(attach, 'thumbnail_md') }}" alt="{% trans %}attachment.preview.alt{% endtrans %}" />
                         </a>
                     {% else %}
-                        <a href="{{ attach | entityURL('file_view') }}" target="_blank" data-no-ajax class="link-external">{% trans %}attachment.view{% endtrans %}</a>
+                        <a href="{{ attach | entityURL('file_view') }}" rel="noopener" target="_blank" data-no-ajax class="link-external">{% trans %}attachment.view{% endtrans %}</a>
                     {% endif %}
                 {% else %}
                     <br><br>

templates/Parts/info/_attachments_info.html.twig

@@ -24,7 +24,7 @@
             <td class="align-middle">{{ attachment.attachmentType.fullPath }}</td>
             <td class="align-middle">
                 {% if attachment.external %}
-                    <a href="{{ attachment.uRL }}" target="_blank" class="link-external">{{ attachment.host }}</a>
+                    <a href="{{ attachment.uRL }}" rel="noopener" target="_blank" class="link-external">{{ attachment.host }}</a>
                 {% else %}
                     {{ attachment.filename }}
                 {% endif %}
@@ -42,7 +42,7 @@
             <td><div class="btn-group" role="group" aria-label="">
                     <a {% if attachment_helper.fileExisting(attachment) %}href="{{ attachment|entityURL('file_view') }}"{% endif %} target="_blank"
                        class="btn btn-secondary {% if not attachment_helper.fileExisting(attachment)  %}disabled{% endif %}"
-                       data-no-ajax title="{% trans %}attachment.view{% endtrans %}">
+                       data-no-ajax title="{% trans %}attachment.view{% endtrans %}" rel="noopener">
                         <i class="fas fa-eye fa-fw"></i>
                     </a>
                     <a {% if attachment_helper.fileExisting(attachment)  %}href="{{ attachment|entityURL('file_download') }}"{% endif %} data-no-ajax

templates/Parts/info/_main_infos.html.twig

@@ -15,7 +15,7 @@
             {% endif %}
             {% if part.manufacturerProductUrl %}
                 <small>
-                    <a class="link-external" href="{{ part.manufacturerProductUrl }}" target="_blank">{{ part.manufacturerProductNumber }}</a>
+                    <a class="link-external" href="{{ part.manufacturerProductUrl }}" rel="noopener" target="_blank">{{ part.manufacturerProductNumber }}</a>
                 </small>
             {% else %}
                 <small>{{ part.manufacturerProductNumber }}</small>

templates/Parts/info/_order_infos.html.twig

@@ -15,7 +15,7 @@
                     <a href="{{ order.supplier | entityURL('list_parts') }}">{{ order.supplier.name }}</a>
                 </td>
                 <td>{% if order.supplierProductUrl is not empty %}
-                        <a href="{{ order.supplierProductUrl }}" target="_blank" class="link-external">{{ order.supplierPartNr }}</a>
+                        <a href="{{ order.supplierProductUrl }}" rel="noopener" target="_blank" class="link-external">{{ order.supplierPartNr }}</a>
                     {% else %}
                         {{ order.supplierPartNr }}
                     {% endif %}

templates/helper.twig

@@ -36,7 +36,7 @@
 
 {% macro attachment_icon(attachment, attachment_helper, class = "fa-fw fas fa-3x", link = true) %}
     {% if not attachment_helper or attachment_helper.fileExisting(attachment) %}
-        <a target="_blank"  data-no-ajax href="{% if link %}{{ attachment|entityURL('file_view') }}{% endif %}">
+        <a target="_blank"  data-no-ajax rel="noopener" href="{% if link %}{{ attachment|entityURL('file_view') }}{% endif %}">
             {% if attachment.picture %}
                 <img class="hoverpic" src="{{ attachment|entityURL('file_view') }}">
             {% else %}