This project is not maintained anymore. You can still view and search the archives.

The target="_blank" vulnerability by example

Hi, I’m Anselm Hannemann, a freelance Frontend Developer and Engineering Manager. You can hire me. I wrote WDRL for 10 years and have a Market Garden as a side-business.

This link appeared in WDRL 151 on 26.08.2016.

I recently shared an attack abusing target="_blank" on pages where users can add custom URLs. To make clear how bad the attack is, Ben Halpern now shows how he made it work on Instagram (they fixed it pretty fast). So remember to use rel="noopener" for any URL that you didn’t hard-code into the source.

This link appeared in the 2016 Yearbook.
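
To apply the rel="noopener" advice above to user-supplied markup, the following added example (not code from WDRL or the linked article) lists target="_blank" links that lack noopener and rewrites them. The function names and sample links are constructed, and the regex matching assumes simple, well-formed anchor tags.

```javascript
// Added example: audit and harden target="_blank" links in an HTML fragment.
// Assumption: simple, well-formed <a> tags; use an HTML parser for arbitrary markup.
const ANCHOR_RE = /<a\b[^>]*>/gi;
const REL_RE = /\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i;

// Read one attribute value (double-quoted, single-quoted or unquoted) from a tag.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// True when the tag opens a new browsing context without noopener in rel.
function lacksNoopener(tag) {
  const target = getAttr(tag, 'target');
  if (target === null || target.toLowerCase() !== '_blank') return false;
  const rel = (getAttr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener');
}

// Return the href of every target="_blank" link that lacks rel="noopener".
function findUnprotectedLinks(html) {
  return (html.match(ANCHOR_RE) || []).filter(lacksNoopener).map((tag) => getAttr(tag, 'href'));
}

// Return the fragment with noopener added to those links, keeping existing rel tokens.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!lacksNoopener(tag)) return tag;
    const rel = getAttr(tag, 'rel');
    if (rel === null) return tag.replace(/\s*\/?>$/, ' rel="noopener">');
    const merged = (rel + ' noopener').trim();
    return tag.replace(REL_RE, () => ` rel="${merged}"`);
  });
}

// Constructed sample: links as they might appear in user-generated content.
const sample = [
  '<a href="https://example.com/profile" target="_blank">site</a>',
  '<a href="https://example.org/a" target="_blank" rel="nofollow">a</a>',
  '<a href="https://example.net/b" target="_blank" rel="noopener">b</a>',
  '<a href="/about">about</a>',
].join('\n');

console.log(findUnprotectedLinks(sample));
console.log(hardenLinks(sample));
```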
