The issue lies within the 'bulkimportusers.html' file and other files where we're using an external link to open a new tab or window. The problem is that the new page could potentially access the original page's information, posing a security risk. Detected by CodeQL deployed on forked repository.
Steps to Reproduce
Open the 'bulkimportusers.html' file, which can be found in the app/views/organization/bulkimport directory.
Check out the HTML link element on line 93 that is opening a new tab or window.
Expected Behaviour
Any external link that opens in a new tab or window should be secure and not expose any sensitive data from the original page.
Actual Behaviour
Our external link is not currently using the rel="noopener noreferrer" attribute, which means the new page could access information from our original page.
References
Mathias Bynens: About rel=noopener
Mozilla Developer Network: HTML Anchor Element
Common Weakness Enumeration: CWE-200
Common Weakness Enumeration: CWE-1022
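
A check for the pattern this issue reports, as an added example that is not part of the original issue or the project's code: it parses a view and lists every external link with target="_blank" whose rel attribute lacks the tokens the issue asks for, with line numbers. The sample markup, the example.org URLs and the treatment of `{{` as a templated href are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

REQUIRED = {"noopener", "noreferrer"}  # rel tokens named in the issue


def is_external(href):
    """True for absolute http(s) or protocol-relative URLs, or templated hrefs."""
    href = href.strip()
    if "{{" in href:  # assumption: template expression, target unknown until render
        return True
    return href.startswith("//") or urlparse(href).scheme in ("http", "https")


class BlankTargetAudit(HTMLParser):
    """Collects <a>/<area> tags that open a new tab without rel protection."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, href, sorted list of missing rel tokens)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        if a.get("target", "").strip().lower() != "_blank":
            return
        href = a.get("href", "")
        if not is_external(href):
            return
        missing = REQUIRED - set(a.get("rel", "").lower().split())
        if missing:
            self.findings.append((self.getpos()[0], href, sorted(missing)))


def audit(html_text):
    parser = BlankTargetAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample markup, not taken from bulkimportusers.html.
SAMPLE = """<div>
  <a href="https://example.org/template.xls" target="_blank">Download template</a>
  <a href="https://example.org/docs" target="_blank" rel="noopener">Docs</a>
  <a href="https://example.org/help" target="_blank" rel="noopener noreferrer">Help</a>
  <a href="#/organization" target="_blank">Internal</a>
  <a href="https://example.org/same-tab">Same tab</a>
</div>"""

if __name__ == "__main__":
    for line, href, missing in audit(SAMPLE):
        print(f"line {line}: {href} is missing rel tokens: {' '.join(missing)}")
```

Run over each file under app/views, an empty result means every external new-tab link carries both tokens.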