github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-03-15 12:42:02 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

[security] target="_blank" without rel="noopener" #102

New Issue
Closed
opened 2025-11-02 03:08:57 -06:00 by GiteaMirror · 0 comments
GiteaMirror commented 2025-11-02 03:08:57 -06:00
Owner
Copy Link

Originally created by @denji on GitHub (Nov 30, 2016).

https://github.com/go-gitea/gitea/blob/bad1bc6/models/repo.go#L502

If you have links to another origin, you should use rel="noopener", especially if they open in a new tab/window.

<a href="http://example.com" target="_blank" rel="noopener">
   Example site
</a>

Without this, the new page can access your window object via window.opener. Thankfully the origin security model of the web prevents it reading your page, but no-thankfully some legacy APIs mean it can navigate your page to a different URL using window.opener.location = newURL.

Refs

Originally created by @denji on GitHub (Nov 30, 2016). https://github.com/go-gitea/gitea/blob/bad1bc6/models/repo.go#L502 If you have links to another origin, you should use `rel="noopener"`, especially if they open in a new tab/window. ```html <a href="http://example.com" target="_blank" rel="noopener"> Example site </a> ``` Without this, the new page can access your window object via window.opener. Thankfully the origin security model of the web prevents it reading your page, but no-thankfully some legacy APIs mean it can navigate your page to a different URL using `window.opener.location = newURL`. Refs --- * https://mathiasbynens.github.io/rel-noopener/ * https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/ * https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener * https://github.com/danielstjules/blankshield * https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/ * https://dev.to/ben/the-targetblank-vulnerability-by-example * https://github.com/cure53/H5SC#html5-security-cheatsheet * https://github.com/cure53/DOMPurify
GiteaMirror added the type/bugtopic/security labels 2025-11-02 03:08:57 -06:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label topic/security type/bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#102
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?