Stray end tag “img”.
From line 9:
Must have a start tag and must not have an end tag.
- Target blank vulnerability
```html
<a id="tribute-link" href="https://en.wikipedia.org/wiki/Newcastle_United_F.C." target="_blank" >here</a>
```
Note: When using target, consider adding rel="noreferrer" to avoid exploitation of the window.opener API.
TL;DR If window.opener is set, a page can trigger a navigation in the opener regardless of security origin.
People using target="_blank" links usually have no idea about this curious fact:
The page we’re linking to gains partial access to the linking page via the window.opener object.
How to fix
Add this to your outgoing links.
Update: FF does not support “noopener” so add this.
Remember that every time you open a new window via window.open(), you're also "vulnerable" to this, so always reset the "opener" property:
```javascript
var newWnd = window.open();
newWnd.opener = null;
```
Cheers and happy coding
[w3c markdown checker web service](https://github.com/validator/validator/wiki/Service-»-Input-»-POST-body)
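The fix described above, as an added example that is not part of the original post: it adds `noopener` and `noreferrer` to every link that opens a new window while keeping existing `rel` tokens, and wraps `window.open()` so the opener is cleared before the new window navigates. The helper names `hardenRel`, `opensNewContext`, `hardenLinks` and `safeOpen` are hypothetical, and treating named targets like `_blank` goes slightly beyond the post.

```javascript
// Added example, not code from the original post. All function names are hypothetical.

// Merge the tokens that sever window.opener into an existing rel value,
// keeping whatever was already there (for example "nofollow").
function hardenRel(rel) {
  const tokens = new Set((rel || "").toLowerCase().split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer"); // fallback for browsers without noopener support
  return [...tokens].join(" ");
}

// A target other than _self/_parent/_top opens (or reuses) another window,
// and that window receives a window.opener reference back to this page.
function opensNewContext(target) {
  const t = (target || "").toLowerCase();
  return t !== "" && !["_self", "_parent", "_top"].includes(t);
}

// Patch every affected link under `root`; returns how many were changed.
function hardenLinks(root) {
  let changed = 0;
  for (const el of root.querySelectorAll("a[target], area[target]")) {
    if (!opensNewContext(el.getAttribute("target"))) continue;
    const before = el.getAttribute("rel") || "";
    const after = hardenRel(before);
    if (after !== before) {
      el.setAttribute("rel", after);
      changed++;
    }
  }
  return changed;
}

// window.open() counterpart: open an empty window, clear opener, then navigate,
// so the destination page never sees a usable window.opener.
function safeOpen(url, win = window) {
  const child = win.open();
  if (child) {
    child.opener = null;
    child.location = url;
  }
  return child;
}

// In a browser, run once the DOM is ready.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => hardenLinks(document));
}
```

Links inserted into the page after load are not covered by the one-time call, so run `hardenLinks` again on any container you inject markup into.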