2021-05-11 01:20:07 +00:00
include::../description.adoc[]
2021-04-28 16:49:39 +02:00
2021-05-11 01:20:07 +00:00
include::../ask-yourself.adoc[]
2021-04-28 16:49:39 +02:00
2021-05-11 01:20:07 +00:00
include::../recommended.adoc[]
2021-04-28 18:08:03 +02:00
2021-04-28 16:49:39 +02:00
== Sensitive Code Example
----
2021-05-11 01:20:07 +00:00
<a href="http://example.com/dangerous" target="_blank"> <!-- Sensitive -->
2021-04-28 16:49:39 +02:00
2021-05-11 01:20:07 +00:00
<a href="{{variable}}" target="_blank"> <!-- Sensitive -->
2021-04-28 16:49:39 +02:00
----
== Compliant Solution
2021-05-11 01:20:07 +00:00
To prevent pages from abusing ``++window.opener++``, use ``++rel=noopener++`` on ``++<a href=>++`` to force its value to be ``++null++`` on the opened pages.
2022-02-04 17:28:24 +01:00
[source,html]
2021-04-28 16:49:39 +02:00
----
<a href="http://petssocialnetwork.io" target="_blank" rel="noopener"> <!-- Compliant -->
----
== Exceptions
No Issue will be raised when ``++href++`` contains a hardcoded relative url as there it has less chances of being vulnerable. An url is considered hardcoded and relative if it doesn't start with ``++http://++`` or ``++https://++``, and if it does not contain any of the characters {}$()[]
----
<a href="internal.html" target="_blank" > <!-- Compliant -->
----
2021-05-11 01:20:07 +00:00
include::../see.adoc[]
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
2023-06-22 10:38:01 +02:00
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
