From ba2853caac636d2ae596d74561fa0233567242d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20DECOOL?= <contact@jdecool.fr>
Date: Sun, 12 Feb 2017 11:01:36 +0100
Subject: Prevent target='_blank' vulnerability on dynamic link

---
 classes/pref/prefs.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'classes/pref/prefs.php')

diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index 9a7ab55a0..ece9e8078 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -776,7 +776,7 @@ class Pref_Prefs extends Handler_Protected {
 				print "<td><label><img src='images/$plugin_icon' alt=''> $name</label></td>";
 				print "<td>" . htmlspecialchars($about[1]);
 				if (@$about[4]) {
-					print " &mdash; <a target=\"_blank\" class=\"visibleLink\"
+					print " &mdash; <a target=\"_blank\" rel=\"noopener noreferrer\" class=\"visibleLink\"
 						href=\"".htmlspecialchars($about[4])."\">".__("more info")."</a>";
 				}
 				print "</td>";
@@ -835,7 +835,7 @@ class Pref_Prefs extends Handler_Protected {
 				print "<td><label for='FPCHK-$name'><img src='images/$plugin_icon' alt=''> $name</label></td>";
 				print "<td><label for='FPCHK-$name'>" . htmlspecialchars($about[1]) . "</label>";
 				if (@$about[4]) {
-					print " &mdash; <a target=\"_blank\" class=\"visibleLink\"
+					print " &mdash; <a target=\"_blank\" rel=\"noopener noreferrer\" class=\"visibleLink\"
 						href=\"".htmlspecialchars($about[4])."\">".__("more info")."</a>";
 				}
 				print "</td>";
-- 
cgit v1.2.3