Opened 17 months ago
Closed 15 months ago
#59856 closed defect (bug) (duplicate)
target=_blank without noopener security issue in wp-admin/edit-form-advanced.php (and others)
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | close |
| Focuses: | | Cc: | |
Description
Hi Team,
We noticed some use of target=_blank without noopener in some of the PHP files. Should this be considered a security hole?
Some instances:
wp-admin/edit-form-advanced.php: ' <a target="_blank" href="%1$s">%2$s</a>',
wp-admin/edit-form-advanced.php: ' <a target="_blank" href="%1$s">%2$s</a>',
wp-admin/edit-form-advanced.php: ' <a target="_blank" href="%1$s">%2$s</a>',
wp-admin/edit-form-advanced.php: ' <a target="_blank" href="%1$s">%2$s</a>',
Why we think this might be an issue: https://medium.com/sedeo/how-to-fix-target-blank-a-security-and-performance-issue-in-web-pages-2118eba1ce2f
Change History (3)
#2, 15 months ago
- Keywords close added
Taking into account https://core.trac.wordpress.org/ticket/53843#comment:6, this likely won't need changes anymore and should be set to wontfix.
#3, 15 months ago
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
I'll consider this a duplicate of #37941, which proposed editing any links using target="_blank" that did not already have noopener.
Those four post preview links in edit-form-advanced.php hopefully would be safe even with an old, unsupported browser because their linked pages are on the same site.
related: #37941, #53843
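
As an added example (not WordPress code and not written by anyone on this ticket), here is one way to audit source for the reported pattern: a small Node.js scanner that lists target="_blank" anchors lacking rel="noopener" and tags each as dynamic, same-origin or external, since the closing comment's reasoning depends on where the link points. The function names, the example.test origin and the sample markup are assumptions constructed for illustration.

```javascript
// Constructed sample; the first line mirrors the markup quoted in the ticket.
const SITE = 'https://example.test'; // assumed site origin
const SAMPLE = [
  ' <a target="_blank" href="%1$s">%2$s</a>',
  '<a href="https://example.org/" target=_blank>docs</a>',
  '<a href="https://example.org/" target="_blank" rel="noopener noreferrer">ok</a>',
  '<a href="/wp-admin/post.php" target="_blank">same</a>',
  '<a href="/help">no target</a>',
].join('\n');

// Parse one opening tag's attributes into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<a\b/i, '').replace(/\/?>$/, '');
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// 'dynamic' = printf placeholder or inline PHP (value unknown until runtime).
function classifyHref(href, siteOrigin) {
  if (/%(\d+\$)?s|<\?/.test(href)) return 'dynamic';
  try {
    return new URL(href, siteOrigin).origin === siteOrigin ? 'same-origin' : 'external';
  } catch {
    return 'dynamic';
  }
}

// One finding per <a target="_blank"> whose rel has neither noopener nor
// noreferrer (noreferrer also implies noopener in the HTML spec).
function findUnsafeBlankLinks(source, siteOrigin) {
  const findings = [];
  const tagRe = /<a\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi; // tolerates '>' inside quotes
  let m;
  while ((m = tagRe.exec(source)) !== null) {
    const attrs = parseAttrs(m[0]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    const rel = (attrs.rel || '').toLowerCase().split(/\s+/);
    if (rel.includes('noopener') || rel.includes('noreferrer')) continue;
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ line, scope: classifyHref(attrs.href || '', siteOrigin) });
  }
  return findings;
}

console.log(findUnsafeBlankLinks(SAMPLE, SITE));
```

Findings marked dynamic, like the four sprintf-style links quoted in the description, need a manual look at what the placeholder resolves to at runtime.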