Santandersecurityresearch / asvs

A simple web app that helps developers understand the ASVS requirements.
MIT License
154 stars 39 forks

added noopener and noref to a tag to prevent manipulation of window #52

Closed danielcuthbert closed 3 years ago

danielcuthbert commented 3 years ago

The a tags were missing 'noopener' and 'noreferrer'. A page opened with 'target="_blank"' can access the window object of the origin page. This means it can manipulate the 'window.opener' property, which could redirect the origin page to a malicious URL. This is called reverse tabnabbing.
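Added example (not part of this pull request or the project's code): a small Node.js check that finds `<a target="_blank">` tags lacking the `noopener` and `noreferrer` rel tokens named in the comment above and rewrites them. The function names and the sample markup are assumptions made for illustration.

```javascript
// Added example: lint and fix <a target="_blank"> tags in an HTML string.
// Regex scanning suits a quick template check; it is not a full HTML parser.
const REQUIRED = ["noopener", "noreferrer"];
const ANCHOR = /<a(?=[\s\/>])(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const REL = /\srel(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?(?=[\s\/>])/i;

// Parse one opening <a ...> tag into a lower-cased attribute map.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<a/i, "").replace(/\/?>$/, "");
  for (const m of body.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return the hardened HTML plus a finding for every link that was changed.
function hardenLinks(html) {
  const findings = [];
  const fixed = html.replace(ANCHOR, (tag) => {
    const attrs = parseAttrs(tag);
    if ((attrs.target || "").toLowerCase() !== "_blank") return tag;
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    const missing = REQUIRED.filter((token) => !rel.includes(token));
    if (missing.length === 0) return tag;
    findings.push({ href: attrs.href || "", missing });
    const newRel = ` rel="${[...rel, ...missing].join(" ")}"`;
    // Extend an existing rel attribute, otherwise add one before the ">".
    return REL.test(tag)
      ? tag.replace(REL, () => newRel)
      : tag.replace(/\s*\/?>$/, () => newRel + ">");
  });
  return { fixed, findings };
}

// Constructed sample markup (not taken from the project's templates).
const SAMPLE = [
  '<a href="https://example.com/a" target="_blank">no rel</a>',
  "<a target='_blank' rel='nofollow' href='https://example.com/b'>partial rel</a>",
  '<a href="https://example.com/c" target="_blank" rel="noopener noreferrer">ok</a>',
  '<a href="/local">same tab</a>',
].join("\n");

const report = hardenLinks(SAMPLE);
console.log(report.findings);
console.log(report.fixed);
```

Running the function a second time on its own output reports no findings, which makes it usable as a pass/fail check in CI.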

lgtm-com[bot] commented 3 years ago

This pull request fixes 1 alert when merging 84cfc37a0ccd7cdf31f45b332e5b7f905e3f0aea into e72ca49a187f90a6addbb0c882e91318a1212c24 - view on LGTM.com

fixed alerts: