From 8404555ff701840ce9c636f2842e995ea51eeb02 Mon Sep 17 00:00:00 2001 From: Koen Reefman Date: Fri, 27 Oct 2017 09:35:30 +0000 Subject: [PATCH] VGLD#48467 Bijlagen met content-disposition null of "attachment" zijn per definitie veilig wat tabnabbing betreft, deze links kunnen dus zorgeloos via de 'onveilige' manier svn path=/Website/branches/v2017.2/; revision=35834 --- APPL/Shared/kenmerk_common.inc | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/APPL/Shared/kenmerk_common.inc b/APPL/Shared/kenmerk_common.inc index 7a39ecade2..f2dad91f8d 100644 --- a/APPL/Shared/kenmerk_common.inc +++ b/APPL/Shared/kenmerk_common.inc @@ -107,15 +107,20 @@ function BijlagenButton(pModule, pNiveau, pKey, tmpfolder, pKenmerk_key, var filehtmlarr = []; for (var file in lijst) { - if (kdim == 'xxx') - var href = protectQS.create(OpenFlexFile(pModule, pNiveau, pKey, pKenmerk_key, lijst[file], { mime_type: "image/png", contentdp: "inline" })); - else - var href = protectQS.create(OpenFlexFile(pModule, pNiveau, pKey, pKenmerk_key, lijst[file])); //var html = "" + safe.html(lijst[file]) + ""; - var html = '' + safe.html(lijst[file]) + ''; - - filehtmlarr.push(html); + if (kdim == 'xxx') + { + var href = protectQS.create(OpenFlexFile(pModule, pNiveau, pKey, pKenmerk_key, lijst[file], { mime_type: "image/png", contentdp: "inline" })); + var html = '' + safe.html(lijst[file]) + ''; + } + else + { + var href = protectQS.create(OpenFlexFile(pModule, pNiveau, pKey, pKenmerk_key, lijst[file])); + var html = '' + safe.html(lijst[file]) + ''; + } + filehtmlarr.push(html); } var res = filehtmlarr.join("
");; } @@ -1065,7 +1070,7 @@ function listKenmerk(sql, module, key, props) if (kdim == 'xxx') var fnclick = "parent.FcltMgr.windowopen('" + protectQS.create(OpenFlexFile(module, niveau, key, kkey, val, { mime_type: "image/png", contentdp: "inline" })) + "')"; else - var fnclick = "parent.FcltMgr.windowopen('" + protectQS.create(OpenFlexFile(module, niveau, key, kkey, val)) + "')"; + var fnclick = "parent.FcltMgr.windowopen('" + protectQS.create(OpenFlexFile(module, niveau, key, kkey, val)) + "', 'File')"; kvClick = " onclick='" + safe.htmlattr(fnclick) + "'"; } else if (readonlyfield && val && missing) // Waarschuwen
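Review bot: In the loop of BijlagenButton, the new `else` branch is only safe to open the plain way as long as OpenFlexFile, called without an options object, serves the file as a download, and nothing at this call site states or enforces that. If that default changes, or a response is ever rendered in the browser, the opened page could reach the opener window, which is the tabnabbing case the commit message rules out. Consider making the disposition explicit (for example `{ contentdp: "attachment" }`, if OpenFlexFile accepts that value) and adding a comment such as `// Plain link: safe only while this response is a download (content-disposition null/"attachment"), VGLD#48467`. The `else` branch changed in listKenmerk rests on the same assumption. The anchor markup in the `html` strings is not visible in this rendering, and BijlagenButton starts outside the hunk.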
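Review bot: On the changed `fnclick` line in listKenmerk, the URL from `protectQS.create(...)` is placed inside a single-quoted JavaScript string and only the finished handler is passed through `safe.htmlattr`, which covers the HTML attribute but not the script string inside it. If the URL can carry a `'` or `\` (it is built from `val`; whether OpenFlexFile or protectQS percent-encode it is not visible here), the literal ends early once the browser has decoded the attribute. I would confirm that guarantee and record it next to the line, e.g. `// protectQS.create() output is URL-encoded: no ' or \ can reach this JS string literal`, or encode the value for the script context before concatenating. The unchanged `kdim == 'xxx'` line above has the same shape, and the enclosing function extends beyond the hunk.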