From db34b59238846e5ec046a456b4f76649321571d1 Mon Sep 17 00:00:00 2001
From: Markus Staab <markus.staab@redaxo.de>
Date: Thu, 19 Oct 2017 12:16:04 +0200
Subject: Prevent XSS in links which open a new browser window

---
 apps/theming/lib/ThemingDefaults.php       | 2 +-
 apps/theming/tests/ThemingDefaultsTest.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'apps/theming')

diff --git a/apps/theming/lib/ThemingDefaults.php b/apps/theming/lib/ThemingDefaults.php
index 6ee546d2630..97e889a2140 100644
--- a/apps/theming/lib/ThemingDefaults.php
+++ b/apps/theming/lib/ThemingDefaults.php
@@ -134,7 +134,7 @@ class ThemingDefaults extends \OC_Defaults {
 	public function getShortFooter() {
 		$slogan = $this->getSlogan();
 		$footer = '<a href="'. $this->getBaseUrl() . '" target="_blank"' .
-			' rel="noreferrer">' .$this->getEntity() . '</a>'.
+			' rel="noreferrer noopener">' .$this->getEntity() . '</a>'.
 			($slogan !== '' ? ' – ' . $slogan : '');
 
 		return $footer;
diff --git a/apps/theming/tests/ThemingDefaultsTest.php b/apps/theming/tests/ThemingDefaultsTest.php
index abd85a612c9..6fbf3a2529d 100644
--- a/apps/theming/tests/ThemingDefaultsTest.php
+++ b/apps/theming/tests/ThemingDefaultsTest.php
@@ -217,7 +217,7 @@ class ThemingDefaultsTest extends TestCase {
 				['theming', 'slogan', $this->defaults->getSlogan(), 'Slogan'],
 			]);
 
-		$this->assertEquals('<a href="url" target="_blank" rel="noreferrer">Name</a> – Slogan', $this->template->getShortFooter());
+		$this->assertEquals('<a href="url" target="_blank" rel="noreferrer noopener">Name</a> – Slogan', $this->template->getShortFooter());
 	}
 
 	public function testGetShortFooterEmptySlogan() {
@@ -230,7 +230,7 @@ class ThemingDefaultsTest extends TestCase {
 				['theming', 'slogan', $this->defaults->getSlogan(), ''],
 			]);
 
-		$this->assertEquals('<a href="url" target="_blank" rel="noreferrer">Name</a>', $this->template->getShortFooter());
+		$this->assertEquals('<a href="url" target="_blank" rel="noreferrer noopener">Name</a>', $this->template->getShortFooter());
 	}
 
 	public function testgetColorPrimaryWithDefault() {
-- 
cgit v1.2.3