Judge/destroy/make me question the meaning of life.... Tribute page!

Hi there people, please peruse my tribute page to…

The Mighty Newcastle United! (insert facepalm.jpg here)

worryingly enough, this took me 2 and a half hours to do!!! :confounded:

but anywho, have a look, help me out with the design of it (it looks terrible, granted, but i ain’t no designer, just hope my codes okay!)

Hello @paulgoogle,

HTML

  • error

Stray end tag “img”.

From line 9:

    </img>

MDN documentation:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/img

Tag omission
Must have a start tag and must not have an end tag.


  • Target blank vulnerability

Line 83:

<a id="tribute-link" href="https://en.wikipedia.org/wiki/Newcastle_United_F.C." target="_blank" >here</a>

MDN documentation:

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a

Note: When using target, consider adding rel=“noreferrer”
,to avoid exploitation of the window.opener API.

https://mathiasbynens.github.io/rel-noopener/

TL;DR If window.opener is set, a page can trigger a navigation in the opener regardless of security origin.

https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

People using target=’_blank’ links usually have no idea about this curious fact:
The page we’re linking to gains partial access to the linking page via the window.opener object.
The newly opened tab can, say, change the window.opener.location to some phishing page. Or execute some JavaScript on the opener-page on your behalf… Users trust the page that is already opened, they won’t get suspicious.

How to fix
Add this to your outgoing links.

rel="noopener"

Update: FF does not support “noopener” so add this.

rel="noopener noreferrer"

Remember, that every time you open a new window via window.open(); you’re also “vulnerable” to this, so always reset the “opener” property

var newWnd = window.open();
newWnd.opener = null;

cheers and happy codding :slight_smile:

Note:
Tools used:
[w3c markdown checker web service] (https://github.com/validator/validator/wiki/Service-»-Input-»-POST-body)

Video:

2 Likes

That new window security issue is a new one on me! Nice bit of info there :+1: disgusted at myself for the img tag issue though!!! :face_with_symbols_over_mouth::face_with_symbols_over_mouth::joy:

1 Like