groove/Part-DB-server
1
0
Fork 0
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2026-02-20 08:29:36 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added rel=noopener to target=_blank links to prevent window.opener spoof.

Browse source
This commit is contained in:
Jan Böhmer 2019-11-01 23:49:46 +01:00
parent 7a5a2f65f9
commit 9b481323aa
7 changed files with 10 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

4
templates/Parts/info/_attachments_info.html.twig
View file

@ -24,7 +24,7 @@
<td class="align-middle">{{ attachment.attachmentType.fullPath }}</td>
<td class="align-middle">
{% if attachment.external %}
<a href="{{ attachment.uRL }}" target="_blank" class="link-external">{{ attachment.host }}</a>
<a href="{{ attachment.uRL }}" rel="noopener" target="_blank" class="link-external">{{ attachment.host }}</a>
{% else %}
{{ attachment.filename }}
{% endif %}
@ -42,7 +42,7 @@
<td><div class="btn-group" role="group" aria-label="">
<a {% if attachment_helper.fileExisting(attachment) %}href="{{ attachment|entityURL('file_view') }}"{% endif %} target="_blank"
class="btn btn-secondary {% if not attachment_helper.fileExisting(attachment) %}disabled{% endif %}"
data-no-ajax title="{% trans %}attachment.view{% endtrans %}">
data-no-ajax title="{% trans %}attachment.view{% endtrans %}" rel="noopener">
<i class="fas fa-eye fa-fw"></i>
</a>
<a {% if attachment_helper.fileExisting(attachment) %}href="{{ attachment|entityURL('file_download') }}"{% endif %} data-no-ajax