From f91e8f359b0f226478e500b1aedeb2a4ff4de2c5 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Tue, 22 Sep 2020 13:35:27 -0700
Subject: [PATCH] Window open security fix.
---
 amt-wsman-0.2.0.js | 3 ++-
 amt-wsman-ws-0.2.0.js | 6 +++---
 index.html | 4 ++--
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/amt-wsman-0.2.0.js b/amt-wsman-0.2.0.js
index 8ca6538..bcf17c1 100644
--- a/amt-wsman-0.2.0.js
+++ b/amt-wsman-0.2.0.js
@@ -124,7 +124,8 @@ var WsmanStackCreateService = function (host, port, user, pass, tls, extra) {
 if (!body) return null;
 if (body.childNodes.length > 0) {
 t = body.childNodes[0].localName;
- if (t.indexOf('_OUTPUT') == t.length - 7) { t = t.substring(0, t.length - 7); }
+ var x = t.indexOf('_OUTPUT');
+ if ((x != -1) && (x == (t.length - 7))) { t = t.substring(0, t.length - 7); }
 r.Header['Method'] = t;
 try {
 r.Body = _ParseWsmanRec(body.childNodes[0]);
diff --git a/amt-wsman-ws-0.2.0.js b/amt-wsman-ws-0.2.0.js
index e4cd425..7f41ae0 100644
--- a/amt-wsman-ws-0.2.0.js
+++ b/amt-wsman-ws-0.2.0.js
@@ -57,6 +57,7 @@ var CreateWsmanComm = function (host, port, user, pass, tls) {
 obj.PerformAjaxEx = function (postdata, callback, tag, url, action) {
 if (obj.FailAllError != 0) { obj.gotNextMessagesError({ status: obj.FailAllError }, 'error', null, [postdata, callback, tag, url, action]); return; }
 if (!postdata) postdata = '';
+ if (urlvars && urlvars['wsmantrace']) { console.log('WSMAN-SEND(' + postdata.length + '): ' + postdata); }
 //console.log('SEND: ' + postdata); // DEBUG
 // We are in a websocket relay environment
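Review bot: The two added lines would read more directly as `if (t.endsWith('_OUTPUT')) { t = t.substring(0, t.length - 7); }`, which needs neither the temporary `x` nor the explicit `-1` special case, if ES2015 string methods are acceptable in this file. The new `x != -1` test is correct as written, since with `indexOf` a six-character name lacking the suffix made the old comparison `-1 == -1` true and truncated `t` to an empty string. Separately, `t` is taken from `localName` of the first child on the preceding context line, which is null for a non-element node, so `t.indexOf` would throw before reaching the `try` below; if the parsed body can begin with a text node, a `typeof t === 'string'` guard belongs here — confirm against how the XML is produced. The enclosing function continues outside the hunk.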
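Review bot: `urlvars` on the added `WSMAN-SEND` line is not declared anywhere visible in this file, and `urlvars && ...` only guards a declared-but-falsy value — if the script is loaded on a page that never defines it, the first `PerformAjaxEx` call throws a ReferenceError; `if ((typeof urlvars !== 'undefined') && urlvars && urlvars['wsmantrace']) {` keeps the trace truly optional. The same applies to the `WSMAN-RECV` line in the `@@ -203,11 +204,10 @@` hunk of this file. The traced `postdata` and `data` are full WS-Management request and response bodies, which may carry credentials or other secrets in clear for some operations, so a comment such as `// Debug trace, switched on through the 'wsmantrace' URL variable; logs complete SOAP bodies, including any secrets they carry` would make the cost of leaving the flag enabled visible to whoever reads browser logs. The enclosing functions start outside the hunks.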
@@ -203,11 +204,10 @@ var CreateWsmanComm = function (host, port, user, pass, tls) {
 // Websocket relay specific private method
 function _ProcessHttpResponse(header, data) {
 //obj.Debug('_ProcessHttpResponse: ' + header.Directive[1]);
+ if (urlvars && urlvars['wsmantrace']) { console.log('WSMAN-RECV(' + data.length + '): ' + data); }
 var s = parseInt(header.Directive[1]);
- if (isNaN(s)) {
- s = 602;
- }
+ if (isNaN(s)) { s = 602; }
 if (s == 401 && ++(obj.authcounter) < 3) {
 obj.challengeParams = obj.parseDigest(header['www-authenticate']); // Set the digest parameters, after this, the socket will close and we will auto-retry
 if (obj.challengeParams['qop'] != null) {
diff --git a/index.html b/index.html
index 431e227..da19106 100644
--- a/index.html
+++ b/index.html
@@ -10916,10 +10916,10 @@
 if (xxdialogMode) return;
 haltEvent(e);
 // ###BEGIN###{Mode-Firmware}
- var newWindow = window.open('/amt-storage/' + handle, '_blank');
+ var newWindow = window.open('/amt-storage/' + handle, '_blank', 'noopener,noreferrer');
 // ###END###{Mode-Firmware}
 // ###BEGIN###{!Mode-Firmware}
- var newWindow = window.open('http://' + wsstack.comm.host + ':' + wsstack.comm.port + '/amt-storage/' + handle, '_blank');
+ var newWindow = window.open('http://' + wsstack.comm.host + ':' + wsstack.comm.port + '/amt-storage/' + handle, '_blank', 'noopener,noreferrer');
 // ###END###{!Mode-Firmware}
 newWindow.opener = null;
 newWindow.focus();
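Review bot: With `noopener` in the feature string, `window.open` returns null in browsers that honour it, so the unchanged `newWindow.opener = null;` and `newWindow.focus();` at the end of the index.html hunk now throw a TypeError on every click in both build modes. Those two lines are also redundant once `noopener` is set; either drop them or guard them with `if (newWindow != null) { newWindow.opener = null; newWindow.focus(); }`, which keeps the old behaviour in browsers that ignore the feature and still hand back a window. The enclosing handler starts outside the hunk.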