rspec/rules/S5148/html/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
<a href="http://example.com/dangerous" target="_blank"> <!-- Sensitive -->

<a href="{{variable}}" target="_blank"> <!-- Sensitive -->
----

== Compliant Solution

To prevent pages from abusing ``++window.opener++``, use ``++rel=noopener++`` on ``++<a href=>++`` to force its value to be ``++null++`` on the opened pages.

----
<a href="http://petssocialnetwork.io" target="_blank" rel="noopener"> <!-- Compliant -->
----

== Exceptions

No Issue will be raised when ``++href++`` contains a hardcoded relative url as there it has less chances of being vulnerable. An url is considered hardcoded and relative if it doesn't start with ``++http://++`` or ``++https://++``, and if it does not contain any of the characters {}$()[]

----
<a href="internal.html" target="_blank" > <!-- Compliant -->
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Nightly update 2021-05-11 01:20:07 +00:00			`include::../description.adoc[]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Nightly update 2021-05-11 01:20:07 +00:00			`include::../ask-yourself.adoc[]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Nightly update 2021-05-11 01:20:07 +00:00			`include::../recommended.adoc[]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Sensitive Code Example`

			`----`
Nightly update 2021-05-11 01:20:07 +00:00			`<a href="http://example.com/dangerous" target="_blank"> <!-- Sensitive -->`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Nightly update 2021-05-11 01:20:07 +00:00			`<a href="{{variable}}" target="_blank"> <!-- Sensitive -->`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`

			`== Compliant Solution`

Nightly update 2021-05-11 01:20:07 +00:00			To prevent pages from abusing ``++window.opener++``, use ``++rel=noopener++`` on ``++<a href=>++`` to force its value to be ``++null++`` on the opened pages.

Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`<a href="http://petssocialnetwork.io" target="_blank" rel="noopener"> <!-- Compliant -->`
			`----`

			`== Exceptions`

			No Issue will be raised when ``++href++`` contains a hardcoded relative url as there it has less chances of being vulnerable. An url is considered hardcoded and relative if it doesn't start with ``++http://++`` or ``++https://++``, and if it does not contain any of the characters {}$()[]

			`----`
			`<a href="internal.html" target="_blank" > <!-- Compliant -->`
			`----`

Nightly update 2021-05-11 01:20:07 +00:00			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`