I’ve just completed building the tribute page. Please click on the link, https://codepen.io/sroma/full/MMOPEZ and give me your feedback.
- Target blank vulnerability
Note: When using target, consider adding rel="noopener noreferrer"
to avoid exploitation of the window.opener API.
TL;DR If window.opener is set, a page can trigger a navigation in the opener regardless of security origin.
People using target=’_blank’ links usually have no idea about this curious fact:
The page we’re linking to gains partial access to the linking page via the window.opener object.
How to fix
Add this to your outgoing links.
Update: FF does not support “noopener” so add this.
Remember, that every time you open a new window via window.open(); you’re also “vulnerable” to this, so always reset the “opener” property
var newWnd = window.open(); newWnd.opener = null;
<a href="https://en.wikipedia.org/wiki/J._K._Rowling " target="_blank">Wikipedia entry</a>
<div>element cannot be a child of the
<ul> <div class="col-md-6 col-md-offset-3">
zero or more
<li>elements, eventually mixed with
<li>element cannot be a child of the
<div class="col-md-6 col-md-offset-3"> <li><b>1965 - </b>Born in Yate, Gloucestershire, England</li>
Permitted parents: An
<menu>element. Though not a conforming usage, the obsolete
<dir>can also be a parent.
Cheers and happy coding