Target=”_blank” Vulnerability and How to Protect Your Sites

Posted on by Keefr

Markup / HTMLThis exploit is over a year old, but I just now came across it. Messing around with a security plugin for WordPress last week, there was a setting about combatting an exploit with target=”_blank” — something most developers use time and time again to open links to external sites in a new tab or window.

Turns out that hackers have found a way to exploit that as the target=”_blank” has partial access to the linking page via the window.opener object.

Luckily it’s real easy to combat, adding rel="noopener noreferrer" to each external link.

Source: JitBit – Target=”_blank” – the most underestimated vulnerability ever

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

Markup / HTML
15 Feb
2018

While this is obviously an exercise in showing off what can be done via offline-only viewing mode in modern HTML5 browsers, it’s a cool thought exercise demonstrating the power of offline / service workers forced focus on the web.

Offline-Only Viewing

email icon
26 Oct
2017

Anyway, Litmus, a great web-based testing suite for HTML email puts out an Email Client Market Share report on a semi-regular basis. It’s interesting to see the current state of things.

Email Client Popularity in 2017

Markup / HTML
22 Feb
2017

This is one I’ve never thought about for, nor was I aware was even talked about, but there’s been talk […]

Considering a New Flexible Heading HTML Tag

01 Dec
2016

I’m often Googling for HTML character entities that I use often — but not to remember their entity. What’s an […]

HTML Entity Crimes

21 May
2016

I’ve had the tab open since late March about Apple making nightly builds of Safari. I downloaded it soon after, […]

Safari Technology Preview

20 May
2016

Great article from A List Apart about utilizing modern-day markup of HTML5 and CSS3 to elevate above endless divs and […]

Semantic CSS