Solution within CMSMS for the target="_blank" vulnerability

You have probably read Alex Jumašev's article: Target="_blank" - the most underestimated vulnerability ever. If not, you should!
Opening a bad link on your site using target="_blank" can give the target website partial access to the browser tab your website is in. It can redirect that tab to a fake page asking you to, for example, re-enter your PayPal or Facebook password. This problem is a general HTML issue, not a problem within CMSMS™!

<a href="">Other website</a>
<a href="" target="_blank">Other website</a>

There are a few methods to prevent this vulnerability using CMS Made Simple™.

  How to use

1. Don't use target="_blank" in your links

Do I need to explain this more...

<a href="">Other website</a>

2. Add rel="noopener noreferrer" to the links

<a href="" rel="noopener noreferrer" target="_blank">Other website</a>

3. Use a postfilter in CMSMS

In a large website it can be hard to change all links in the content...
This postfilter will automatically add the rel="noopener noreferrer" attribute to all links using target="_blank".

Create a file named postfilter.noopener.php and store it in the CMSMS [root_url]/assets/plugins/ folder.
The content of the file is:

<?php
/**
 * -------------------------------------------------------------------------------------------
 * File:     postfilter.noopener.php
 * Type:     postfilter
 * Purpose:  Adding rel="noopener noreferrer" to external links using target blank
 * -------------------------------------------------------------------------------------------
 */

function smarty_postfilter_noopener($tpl_output, $smarty)
{
  // Split the current template identifier on ':'
  $result = explode(':', $smarty->_current_file);

  if (count($result) > 0)
  {
    // Match target="_blank" with single or double quotes and optional spaces around '='
    $patterns = array('/target\s*=\s*["\']_blank["\']/');
    // The rel attribute is always appended, also when the link already has one
    $replace = 'target="_blank" rel="noopener noreferrer"';
    $tpl_output = preg_replace( $patterns, $replace, $tpl_output );
  }

  return $tpl_output;
}

Important note: This method isn't flawless but better than nothing.
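One case where the filter above falls short is a link that already has a rel attribute: the replacement adds a second rel, and HTML parsers keep only the first occurrence of a duplicated attribute. The following is an added example, not the article's plugin, that merges into an existing rel instead; the function name noopener_harden_links() is hypothetical and the input is assumed to be rendered HTML.

```php
<?php
// Added example, not the article's plugin; noopener_harden_links() is a hypothetical name.
// Assumes $html is rendered HTML. In compiled Smarty code a dynamic attribute
// contains "->", which would end the [^>]* tag match early.

function noopener_harden_links($html)
{
    return preg_replace_callback('/<a\b[^>]*>/i', function ($m) {
        $tag = $m[0];

        // Only anchors that open a new tab; \s keeps data-target="_blank" out.
        if (!preg_match('/\starget\s*=\s*(["\']?)_blank\1(?=[\s\/>])/i', $tag)) {
            return $tag;
        }

        // Existing rel attribute: double-quoted, single-quoted or unquoted.
        if (preg_match('/\srel\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))/i', $tag, $r)) {
            $value  = $r[count($r) - 1];   // the alternative that matched is last
            $tokens = preg_split('/\s+/', strtolower($value), -1, PREG_SPLIT_NO_EMPTY);
            $tokens = array_unique(array_merge($tokens, array('noopener', 'noreferrer')));
            return str_replace($r[0], ' rel="' . implode(' ', $tokens) . '"', $tag);
        }

        // No rel yet: add one just before the closing bracket.
        return preg_replace('/\s*>$/', ' rel="noopener noreferrer">', $tag);
    }, $html);
}

// Constructed sample input covering the cases above.
$samples = array(
    '<a href="https://example.com/" target="_blank">plain</a>',
    '<a href="https://example.com/" target=\'_blank\' rel="nofollow">has rel</a>',
    '<a href="https://example.com/" rel="noopener noreferrer" target="_blank">done</a>',
    '<a href="https://example.com/" data-target="_blank">not a new tab</a>',
    '<a href="https://example.com/">same tab</a>',
);

foreach ($samples as $html) {
    echo noopener_harden_links($html), PHP_EOL;
}
```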

Let me know if it works at your website and if I need to make some changes.


  Article optimized for CMSMS 2.x

  Last tested in: CMSMS
  Last updated: 23-06-2018

