The target="_blank" vulnerability by example
I recently shared an attack abusing target="_blank" on pages where users can add custom URLs. To make clear how bad the attack is, Ben Halpern now shows how he made it work on Instagram (they fixed it pretty fast). So remember to use rel="noopener" for any URL that you didn’t hard-code into the source.
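
One way to apply that advice to links that are already rendered, as an added example that is not code from the original post. The function names and the stub element are assumptions made for illustration; in a browser you would pass real anchor elements instead of the stub.

```javascript
// Added example: merge "noopener" into rel on every link that uses target="_blank".
// Works on any object exposing getAttribute/setAttribute (DOM elements in a browser).

// rel is a space-separated token list; tokens compare case-insensitively.
function relTokens(rel) {
  return (rel || "").split(/\s+/).filter(Boolean);
}

function hasNoopener(rel) {
  return relTokens(rel).some((t) => t.toLowerCase() === "noopener");
}

// Keep existing tokens such as "nofollow" and append "noopener" once.
function withNoopener(rel) {
  return hasNoopener(rel) ? rel : relTokens(rel).concat("noopener").join(" ");
}

function opensBlank(el) {
  const target = (el.getAttribute("target") || "").trim().toLowerCase();
  return target === "_blank";
}

// Returns the number of links that had to be changed.
function hardenLinks(anchors) {
  let changed = 0;
  for (const el of anchors) {
    if (!opensBlank(el) || hasNoopener(el.getAttribute("rel"))) continue;
    el.setAttribute("rel", withNoopener(el.getAttribute("rel")));
    changed += 1;
  }
  return changed;
}

// Constructed stand-in for an <a> element so the example also runs outside a browser.
function makeStubAnchor(attrs) {
  const store = Object.assign({}, attrs);
  return {
    getAttribute: (name) =>
      Object.prototype.hasOwnProperty.call(store, name) ? store[name] : null,
    setAttribute: (name, value) => { store[name] = String(value); },
  };
}

// Browser usage: hardenLinks(document.querySelectorAll('a[target="_blank"]'));
```

Running this after the page loads only covers links present at that moment, so setting rel when user-supplied links are rendered on the server remains the primary fix.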