erp5_core: domsugar automatically patch the _blank security hole

6f9680cb · Romain Courteaud · 7e54bbcb · 6f9680cb
Commit 6f9680cb authored Oct 07, 2021 by Romain Courteaud
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 0 deletions

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/domsugar.js.js ...re/SkinTemplateItem/portal_skins/erp5_core/domsugar.js.js +10 -0

No files found.
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/domsugar.js.js
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/domsugar.js.js
@@ -130,6 +130,16 @@
        }
      }
    }
+    if ((el.tagName === 'A') &&
+        (props.target === '_blank')) {
+      // Fix security hole with `noopener`
+      if (!el.relList.contains('noopener')) {
+        el.relList.add('noopener');
+      }
+      if (!el.relList.contains('noreferrer')) {
+        el.relList.add('noreferrer');
+      }
+    }
    if (children) {
      appendChildren(el, children);
    }