This link appeared in WDRL 151 on .
The target="_blank" vulnerability by example
I recently shared an attack abusing target="_blank" on pages where users can add custom URLs. To make clear how bad the attack is, Ben Halpern now shows how he made it work on Instagram (they fixed it pretty fast). So remember to use rel="noopener" for any URL that you didn’t hard-code into the source.
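
One way to enforce that rule on markup containing user-supplied links, as an added example that is not from the linked article: every anchor with target="_blank" gets "noopener" merged into its rel value. The function names and the sample markup are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, sample markup is constructed.
// Regex tag matching is a simplification for well-formed input; in production
// apply the same rule inside a real HTML parser or sanitizer.
const REL_ATTR = /\srel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const BLANK_TARGET = /\starget\s*=\s*(?:"_blank"|'_blank'|_blank(?=[\s>\/]))/i;

// Add "noopener" to a rel token list unless it is already there.
function mergeRel(existing) {
  const tokens = existing.split(/\s+/).filter(Boolean);
  if (!tokens.some((t) => t.toLowerCase() === 'noopener')) tokens.push('noopener');
  // The value is re-emitted in double quotes, so neutralise embedded quotes.
  return tokens.join(' ').replace(/"/g, '&quot;');
}

// Rewrite a single opening <a ...> tag; tags without target=_blank pass through.
function hardenAnchorTag(tag) {
  if (!BLANK_TARGET.test(tag)) return tag;
  const m = REL_ATTR.exec(tag);
  if (!m) return tag.slice(0, 2) + ' rel="noopener"' + tag.slice(2);
  const current = m[1] || m[2] || m[3] || '';
  return tag.replace(REL_ATTR, () => ` rel="${mergeRel(current)}"`);
}

// Apply the rule to every anchor in a fragment of user-influenced markup.
function hardenBlankTargets(html) {
  return html.replace(/<a(?=[\s>])[^>]*>/gi, hardenAnchorTag);
}

// Constructed sample: the kinds of links a user-editable profile might contain.
const SAMPLE = [
  '<a href="https://example.test/profile" target="_blank">site</a>',
  '<a target="_blank" rel="nofollow" href="https://example.test/a">a</a>',
  "<a target=_blank rel='noopener noreferrer' href=\"/b\">b</a>",
  '<a href="/c">c</a>',
].join('\n');

console.log(hardenBlankTargets(SAMPLE));
```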