From da59493a9051c8e53a8e322186cdb1e9dad74cab Mon Sep 17 00:00:00 2001
From: Olle Jonsson <olle.jonsson@gmail.com>
Date: Sun, 14 Jul 2019 11:47:06 +0200
Subject: [PATCH] Add rel='noopener noreferrer' to links with target=_blank

  - Cater to old Firefox, before 52, with rel=noreferrer as well
    https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/52#HTML
  - See #2960 for more details
---
 app/helpers/rails_admin/application_helper.rb               | 2 +-
 lib/rails_admin/config/fields/types/file_upload.rb          | 4 ++--
 lib/rails_admin/config/fields/types/multiple_file_upload.rb | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/app/helpers/rails_admin/application_helper.rb b/app/helpers/rails_admin/application_helper.rb
index f3232899e6..da873ed885 100644
--- a/app/helpers/rails_admin/application_helper.rb
+++ b/app/helpers/rails_admin/application_helper.rb
@@ -101,7 +101,7 @@ def root_navigation
 
     def static_navigation
       li_stack = RailsAdmin::Config.navigation_static_links.collect do |title, url|
-        content_tag(:li, link_to(title.to_s, url, target: '_blank'))
+        content_tag(:li, link_to(title.to_s, url, target: '_blank', rel: 'noopener noreferrer'))
       end.join
 
       label = RailsAdmin::Config.navigation_static_label || t('admin.misc.navigation_static_label')
diff --git a/lib/rails_admin/config/fields/types/file_upload.rb b/lib/rails_admin/config/fields/types/file_upload.rb
index 0af7c9240d..5f52b62c3e 100644
--- a/lib/rails_admin/config/fields/types/file_upload.rb
+++ b/lib/rails_admin/config/fields/types/file_upload.rb
@@ -38,9 +38,9 @@ class FileUpload < RailsAdmin::Config::Fields::Base
               if image
                 thumb_url = resource_url(thumb_method)
                 image_html = v.image_tag(thumb_url, class: 'img-thumbnail')
-                url != thumb_url ? v.link_to(image_html, url, target: '_blank') : image_html
+                url != thumb_url ? v.link_to(image_html, url, target: '_blank', rel: 'noopener noreferrer') : image_html
               else
-                v.link_to(value, url, target: '_blank')
+                v.link_to(value, url, target: '_blank', rel: 'noopener noreferrer')
               end
             end
           end
diff --git a/lib/rails_admin/config/fields/types/multiple_file_upload.rb b/lib/rails_admin/config/fields/types/multiple_file_upload.rb
index aa7fbb09ec..d7fa540cd2 100644
--- a/lib/rails_admin/config/fields/types/multiple_file_upload.rb
+++ b/lib/rails_admin/config/fields/types/multiple_file_upload.rb
@@ -34,9 +34,9 @@ def initialize(value)
                 if image
                   thumb_url = resource_url(thumb_method)
                   image_html = v.image_tag(thumb_url, class: 'img-thumbnail')
-                  url != thumb_url ? v.link_to(image_html, url, target: '_blank') : image_html
+                  url != thumb_url ? v.link_to(image_html, url, target: '_blank', rel: 'noopener noreferrer') : image_html
                 else
-                  v.link_to(value, url, target: '_blank')
+                  v.link_to(value, url, target: '_blank', rel: 'noopener noreferrer')
                 end
               end
             end