51 lines
1.2 KiB
Plaintext
51 lines
1.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,html]
|
|
----
|
|
<a href="http://example.com/dangerous" target="_blank"> <!-- Sensitive -->
|
|
|
|
<a href="{{variable}}" target="_blank"> <!-- Sensitive -->
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
To prevent pages from abusing ``++window.opener++``, use ``++rel=noopener++`` on ``++<a href=>++`` to force its value to be ``++null++`` on the opened pages.
|
|
|
|
[source,html]
|
|
----
|
|
<a href="http://petssocialnetwork.io" target="_blank" rel="noopener">
|
|
----
|
|
|
|
== Exceptions
|
|
|
|
No Issue will be raised when ``++href++`` contains a hardcoded relative url as there it has less chances of being vulnerable. An url is considered hardcoded and relative if it doesn't start with ``++http://++`` or ``++https://++``, and if it does not contain any of the characters {}$()[]
|
|
|
|
[source,html]
|
|
----
|
|
<a href="internal.html" target="_blank" >
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|