Koha/koha-tmpl/intranet-tmpl/prog/en/modules/acqui
Jonathan Druart 6c1b39b4cb Bug 16095: Remove target="_blank" when a link refer to an external link
If you click on a link that opens a new tab/window to another site, that tab
has access to the original window through JavaScript. The browsing context is
related, even if the domains are totally different.

The tab retains access to the original window's object via window.opener, even
if you navigate to another page or domain, in the new or original window.
Access to the Window object means the new window can use Window.location to
open a different URL in the original window, perfect for phishing attacks.

Depending on the site's Same-Origin Policy settings, the new window may have
access to other parts of the original window's DOM as well.

Any  'A HREF' that contains a target of of '_blank' or '_new' or a fixed name
is vulnerable. Previous security best practice often suggested creating a random
fixed name for an unpredictable namespace - that won't help with this problem!
Targets of '_self' and '_parent' are safe.

We do not use _new (at first glance) but several _blank. Some are used
to refer internal url, we do not need to update or remove them. Others
are used to satisfy OPACURLOpenInNewWindow, in these case, we should add
the rel="noreferrer" attribute to the a tags.
In other cases, we can simply remove them and let the users discover
that a mouse has more than one button (we are in 2016, they can do it!)

Signed-off-by: Chris <chrisc@catalyst.net.nz>

Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-03-21 20:44:52 +00:00
..
csv
tables Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
acqui-home.tt Bug 15285: Fix conflict with the treetable plugin 2016-02-24 00:02:50 +00:00
addorder.tt Bug 15858: Use Font Awesome icons in dialog alert for addorder.tt 2016-02-24 03:13:12 +00:00
addorderiso2709.tt Bug 15084: Replace C4::Budgets::GetCurrencies with Koha::Acquisition::Currencies->search 2016-03-03 20:39:01 +00:00
ajax.tt
basket.tt Bug 15950: Use Font Awesome icons for acquisitions basket close confirmation 2016-03-03 22:56:43 +00:00
basketgroup.tt Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
basketheader.tt
booksellers.tt Bug 16036 [Follow-up] Making basket actions buttons 2016-03-18 07:07:12 +00:00
cancelorder.tt Bug 15951: Use Font Awesome icons for acquisitions order cancellation confirmation 2016-03-03 22:55:24 +00:00
histsearch.tt Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
invoice-files.tt Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
invoice.tt Bug 16089: (Follow up) Display currency symbol properly 2016-03-21 16:05:51 +00:00
invoices.tt
lateorders.tt Bug 15927 - Remove use of <tr class="highlight"> for alternating row colors 2016-03-02 22:07:13 +00:00
modordernotes.tt Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
neworderbiblio.tt Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
neworderempty.tt Bug 15084: Replace C4::Budgets::GetCurrencies with Koha::Acquisition::Currencies->search 2016-03-03 20:39:01 +00:00
neworderempty_duplicate.tt
newordersubscription.tt Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
newordersuggestion.tt Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
ordered.tt Bug 15927 - Remove use of <tr class="highlight"> for alternating row colors 2016-03-02 22:07:13 +00:00
orderreceive.tt Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
parcel.tt Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
parcels.tt Bug 15927 - Remove use of <tr class="highlight"> for alternating row colors 2016-03-02 22:07:13 +00:00
spent.tt Bug 15927 - Remove use of <tr class="highlight"> for alternating row colors 2016-03-02 22:07:13 +00:00
supplier.tt Bug 16095: Remove target="_blank" when a link refer to an external link 2016-03-21 20:44:52 +00:00
transferorder.tt Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00
uncertainprice.tt
z3950_search.tt Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues 2016-02-11 19:39:53 +00:00