
fix(admin-tools): add noopener to new-tab card links #268

Open
praneeth622 wants to merge 1 commit into openmrs:main from praneeth622:fix/admin-tools-card-link-rel-noopener


@praneeth622

Requirements

  • This PR has a title that briefly describes the work done including the ticket number. If there is a ticket, make sure your PR title includes a conventional commit label. See existing PR titles for inspiration.
  • My work is based on designs, which are linked or shown either in the Jira ticket or the description below. (See also: Styleguide)
  • My work includes tests or is validated by existing tests.

Summary

The dashboard LinkCard opens its viewLink in a new tab (target="_blank") but sets rel="norefferer" — a typo of noreferrer that browsers silently ignore, and noopener isn't present at all. That leaves the opened page able to reach window.opener (classic tabnabbing). Replaced the rel value with rel="noopener noreferrer".

The same copy-pasted typo also appears in packages/esm-admin-openconceptlab-app/src/admin-ocl-card-link.component.tsx:11 and can be fixed in a follow-up PR.

Screenshots

N/A — the change is a single HTML attribute on an anchor; no visual diff.

Related Issue

None filed; spotted during a casual review.

Other

Verified with yarn turbo typescript test locally: all 6 tasks (3 typescript + 3 test) succeed.

Replaces the misspelled rel="norefferer" on the dashboard LinkCard with
rel="noopener noreferrer". Without noopener, target="_blank" exposes the
opened page's window.opener to the parent (tabnabbing), and the typo
meant the browser never recognised the noreferrer hint either.
Copilot AI review requested due to automatic review settings April 20, 2026 11:11

Copilot AI left a comment


Pull request overview

This PR fixes a security-related typo in the system admin dashboard LinkCard anchor attributes to prevent reverse tabnabbing when opening links in a new tab.

Changes:

  • Replaces rel="norefferer" (typo) with rel="noopener noreferrer" on the LinkCard anchor that uses target="_blank".
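
Added example, not part of this PR or the OpenMRS code base: a small JavaScript check that scans markup for `target="_blank"` anchors and reports `rel` tokens that are not recognised link types (such as the `norefferer` typo discussed above) or a missing `noopener`/`noreferrer`. The names `auditNewTabLinks`, `attr`, `KNOWN_REL` and the sample markup are constructed for illustration, and the regex matching assumes attribute values contain no `>` character.

```javascript
// Link types the HTML spec defines for <a>; any other token is reported as unknown.
const KNOWN_REL = new Set([
  'alternate', 'author', 'bookmark', 'external', 'help', 'license', 'next',
  'nofollow', 'noopener', 'noreferrer', 'opener', 'prev', 'search', 'tag',
]);

// Read a literal attribute value: name="v", name='v' or the JSX form name={"v"}.
// Dynamic JSX expressions (name={expr}) return null and are treated as absent.
function attr(tag, name) {
  const re = new RegExp(
    `\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|\\{\\s*["']([^"']*)["']\\s*\\})`
  );
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return one finding per new-tab anchor with an unknown rel token or no opener protection.
function auditNewTabLinks(source) {
  const findings = [];
  for (const m of source.matchAll(/<a\s[^>]*>/g)) {
    const tag = m[0];
    if (attr(tag, 'target') !== '_blank') continue;
    const line = source.slice(0, m.index).split('\n').length;
    const tokens = (attr(tag, 'rel') ?? '').toLowerCase().split(/\s+/).filter(Boolean);
    const unknown = tokens.filter((t) => !KNOWN_REL.has(t));
    // Per the HTML spec, noreferrer also implies noopener behaviour.
    const severed = tokens.includes('noopener') || tokens.includes('noreferrer');
    if (unknown.length > 0 || !severed) {
      findings.push({ line, unknown, missingNoopener: !severed });
    }
  }
  return findings;
}

// Constructed sample input (not the project's source).
const SAMPLE = `
<a href={viewLink} target="_blank" rel="norefferer">{header}</a>
<a href={viewLink} target="_blank" rel="noopener noreferrer">{header}</a>
<a href={docsLink} target="_blank">{header}</a>
<a href="/home" rel="nofollow">Home</a>
`;

for (const f of auditNewTabLinks(SAMPLE)) {
  console.log(`line ${f.line}: unknown=[${f.unknown}] missingNoopener=${f.missingNoopener}`);
}
```
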
