VGLD#48467 Bijlagen met content-disposition null of "attachment" zijn per definitie veilig wat tabnabbing betreft, deze links kunnen dus zorgeloos via de 'onveilige' manier

svn path=/Website/branches/v2017.2/; revision=35834
2017-10-27 09:35:30 +00:00
parent a941e063e4
commit 8404555ff7


@@ -107,14 +107,19 @@ function BijlagenButton(pModule, pNiveau, pKey, tmpfolder, pKenmerk_key,
var filehtmlarr = [];
for (var file in lijst)
{
if (kdim == 'xxx')
var href = protectQS.create(OpenFlexFile(pModule, pNiveau, pKey, pKenmerk_key, lijst[file], { mime_type: "image/png", contentdp: "inline" }));
else
var href = protectQS.create(OpenFlexFile(pModule, pNiveau, pKey, pKenmerk_key, lijst[file]));
//var html = "<a href='" + safe.htmlattr(href) + "' target='_new'>" + safe.html(lijst[file]) + "</a>";
if (kdim == 'xxx')
{
var href = protectQS.create(OpenFlexFile(pModule, pNiveau, pKey, pKenmerk_key, lijst[file], { mime_type: "image/png", contentdp: "inline" }));
var html = '<span class="details fldflexM" readonly=1'
+ ' onclick=\'FcltMgr.windowopen("' + safe.jsstring(href) + '")\'>' + safe.html(lijst[file]) + '</span>';
}
else
{
var href = protectQS.create(OpenFlexFile(pModule, pNiveau, pKey, pKenmerk_key, lijst[file]));
var html = '<span class="details fldflexM" readonly=1'
+ ' onclick=\'FcltMgr.windowopen("' + safe.jsstring(href) + '", "File")\'>' + safe.html(lijst[file]) + '</span>';
}
filehtmlarr.push(html);
}
var res = filehtmlarr.join("</br>");;
@@ -1065,7 +1070,7 @@ function listKenmerk(sql, module, key, props)
if (kdim == 'xxx')
var fnclick = "parent.FcltMgr.windowopen('" + protectQS.create(OpenFlexFile(module, niveau, key, kkey, val, { mime_type: "image/png", contentdp: "inline" })) + "')";
else
var fnclick = "parent.FcltMgr.windowopen('" + protectQS.create(OpenFlexFile(module, niveau, key, kkey, val)) + "')";
var fnclick = "parent.FcltMgr.windowopen('" + protectQS.create(OpenFlexFile(module, niveau, key, kkey, val)) + "', 'File')";
kvClick = " onclick='" + safe.htmlattr(fnclick) + "'";
}
else if (readonlyfield && val && missing) // Waarschuwen
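Review bot: In the BijlagenButton hunk the `onclick` attribute assembled on the two new `var html =` lines passes `href` only through `safe.jsstring` and never HTML-attribute-escapes the finished attribute value, whereas the parallel line in listKenmerk (`kvClick = " onclick='" + safe.htmlattr(fnclick) + "'"`) escapes the whole handler; unless `safe.jsstring` also neutralises `'` and `&` (its definition is not visible here), a file name or query value containing them ends the single-quoted attribute early, so I would wrap the handler string in `safe.htmlattr(...)` the same way listKenmerk does. Both new branches also repeat the `protectQS.create(OpenFlexFile(...))` call and differ only in the second `FcltMgr.windowopen` argument, so computing `var href` once and then picking the target name keeps the hunk to a few lines; the two `var fnclick` lines in listKenmerk have the same duplication. The reason given in the commit message for the named target is not recorded in the code, and a later reader could move inline content onto it; I would add above the else branch `// VGLD#48467: non-inline files come back with a null/attachment Content-Disposition, so the named "File" target cannot be tabnabbed; inline content must stay on the unnamed variant.` BijlagenButton and listKenmerk both start before their hunks and continue after them.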