Fixes minor vulnerability when using target="_blank" on links (RSPEC-5148)

2025-11-22 05:42:39 +03:00 · 2021-05-24 16:17:08 -04:00
parent df0e03cd07
commit 7a6f21648a
7 changed files with 12 additions and 11 deletions
--- a/resources/views/components/image-manager-form.blade.php
+++ b/resources/views/components/image-manager-form.blade.php
@@ -7,7 +7,7 @@
          option:ajax-form:url="{{ url('images/' . $image->id) }}">

        <div class="image-manager-viewer">
-            <a href="{{ $image->url }}" target="_blank" class="block">
+            <a href="{{ $image->url }}" target="_blank" rel="noopener" class="block">
                <img src="{{ $image->thumbs['display'] }}"
                     alt="{{ $image->name }}"
                     class="anim fadeIn"
@@ -40,6 +40,7 @@
                    <li>
                        <a href="{{ $page->url }}"
                           target="_blank"
+                           rel="noopener"
                           class="text-neg">{{ $page->name }}</a>
                    </li>
                @endforeach
--- a/resources/views/components/page-picker.blade.php
+++ b/resources/views/components/page-picker.blade.php
@@ -3,7 +3,7 @@
 <div page-picker>
    <div class="input-base">
        <span @if($value) style="display: none" @endif page-picker-default class="text-muted italic">{{ $placeholder }}</span>
-        <a @if(!$value) style="display: none" @endif href="{{ url('/link/' . $value) }}" target="_blank" class="text-page" page-picker-display>#{{$value}}, {{$value ? \BookStack\Entities\Models\Page::find($value)->name : '' }}</a>
+        <a @if(!$value) style="display: none" @endif href="{{ url('/link/' . $value) }}" target="_blank" rel="noopener" class="text-page" page-picker-display>#{{$value}}, {{$value ? \BookStack\Entities\Models\Page::find($value)->name : '' }}</a>
    </div>
    <br>
    <input type="hidden" value="{{$value}}" name="{{$name}}" id="{{$name}}">