Hi all,
I’ve just completed building the tribute page. Please click on the link, https://codepen.io/sroma/full/MMOPEZ and give me your feedback.
Hi @Roma,
- Target blank vulnerability
MDN documentation:
<a>: The Anchor element - HTML: HyperText Markup Language | MDN
Note: When using target, consider adding rel=“noopener noreferrer”
to avoid exploitation of the window.opener API.
TL;DR If window.opener is set, a page can trigger a navigation in the opener regardless of security origin.
Target="_blank" - the most underestimated vulnerability ever
People using target=‘_blank’ links usually have no idea about this curious fact:
The page we’re linking to gains partial access to the linking page via the window.opener object.
The newly opened tab can, say, change the window.opener.location to some phishing page. Or execute some JavaScript on the opener-page on your behalf… Users trust the page that is already opened, they won’t get suspicious.
How to fix
Add this to your outgoing links.
rel="noopener"
Update: FF does not support “noopener” so add this.
rel="noopener noreferrer"
Remember, that every time you open a new window via window.open(); you’re also “vulnerable” to this, so always reset the “opener” property
var newWnd = window.open();
newWnd.opener = null;
<a href="https://en.wikipedia.org/wiki/J._K._Rowling " target="_blank">Wikipedia entry</a>
HTML inspector:
- The
<div>
element cannot be a child of the<ul>
element.
<ul>
<div class="col-md-6 col-md-offset-3">
MDN documentation:
<ul>: The Unordered List element - HTML: HyperText Markup Language | MDN
Permitted content
zero or more<li>
elements, eventually mixed with<ol>
and<ul>
elements.
- The
<li>
element cannot be a child of the<div>
element.
<div class="col-md-6 col-md-offset-3">
<li><b>1965 - </b>Born in Yate, Gloucestershire, England</li>
MDN documentation:
<li>: The List Item element - HTML: HyperText Markup Language | MDN
Permitted parents: An
<ul>
,<ol>
, or<menu>
element. Though not a conforming usage, the obsolete<dir>
can also be a parent.
Cheers and happy coding