fix(document): add rel=noopener noreferrer to viewer download link (CWE-1022)

The error-state download link opened with target="_blank" but no rel,
exposing the opener to reverse tabnabbing. Add rel="noopener
noreferrer". Same-origin so low severity, but a one-token fix in a file
this issue already touches.

Refs #708

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Marcel
2026-06-01 20:13:45 +02:00
committed by marcel
parent c361b3cd45
commit 817835fd6a
2 changed files with 15 additions and 0 deletions

@@ -72,6 +72,7 @@ let {
<a
href="/api/documents/{doc.id}/file"
target="_blank"
rel="noopener noreferrer"
class="text-sm underline hover:text-white"
>
{m.doc_download_link()}
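
Review bot: on the added `rel="noopener noreferrer"` line, `noreferrer` does more than sever `window.opener`: it also suppresses the Referer header on the request to `/api/documents/{doc.id}/file`. The commit message describes this link as same-origin, so please confirm that nothing on that endpoint (logging, hotlink or origin checks) relies on Referer; if something does, `rel="noopener"` alone is enough for the CWE-1022 fix. If both tokens are intended, that is fine, since `noreferrer` already implies `noopener` and listing both only helps older browsers. Separately, since the link text is a download label, consider whether `target="_blank"` is needed at all here; dropping it would remove the opener relationship entirely.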