Commit 69589a28 authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

erp5_crm: show attachments having filename only in EmailDocument_viewAttachmentListRenderer.

also add rel="noopener noreferrer" for security.
parent 6511eab7
Pipeline #14862 running with stage
<tal:block tal:define="information_list here/getAttachmentInformationList"> <tal:block tal:define="information_list python: [x for x in here.getAttachmentInformationList() if x['filename'] != x['uid']]">
<ul> <ul>
<li tal:repeat="information information_list"> <li tal:repeat="information information_list">
<a target="_blank" tal:content="information/filename | information/uid" tal:attributes="href python:'%s/getAttachmentData?index:int=%s' % (context.absolute_url(), information['index'])"/> <a target="_blank" rel="noopener noreferrer" tal:content="information/filename | information/uid" tal:attributes="href python:'%s/getAttachmentData?index:int=%s' % (context.absolute_url(), information['index'])"/>
  • To reduce XSS attack vectors, getAttachmentData must always be returned with the Content-Disposition: attachment header.

    Even when the part does not contain a filename (which is not the case currently)

    Instead of using target="_blank", why don't we use the download attribute, which is more user friendly has it does not open a blank tab.

Please register or sign in to reply
(<tal:block tal:content="information/content_type" />) (<tal:block tal:content="information/content_type" />)
</li> </li>
</ul> </ul>
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment