target=_blank


by Lucien Stals -
Number of replies: 4

Hi there,

I was once a web developer, but sorry to say I've only just discovered this little issue with using target=_blank.

Apparently, there is both a security and performance issue related to using this attribute in links as described in this article: https://medium.com/sedeo/how-to-fix-target-blank-a-security-and-performance-issue-in-web-pages-2118eba1ce2f

Obviously, the security issue is a concern, but I'm also thinking about the performance issue. On a Moodle site serving 30,000+ students, and I know many academics use the _blank attribute, this could be impacting our students' experience.

So my question is: does Moodle have any built-in functionality for adding the rel="noopener noreferrer" tags to mitigate this issue?

I did try googling this and the only "_blank" related post I could find was one from back in 2007 which was a different issue.

FYI, we are using Moodle 3.5.



Average of ratings: Useful (1)
In reply to Lucien Stals

Re: target=_blank

by Dan Marsden -
Yes - it's built into the htmlpurifier lib in Moodle - a bit more info in this post:
https://moodle.org/mod/forum/discuss.php?d=330181
In reply to Dan Marsden

Re: target=_blank

by Lucien Stals -
Fantastic :D
So that means it's baked into core now?
It's not a plugin?
In reply to Lucien Stals

Re: target=_blank

by loveneet s -
I am a web security advisor and an expert, and I came across this thread by chance. I am really elated to see that you pointed out this issue and talked about it. Web security is becoming a major concern these days and we need to spread awareness about it to the masses.

About one year ago, we announced an update of the quality checkpoints of our website analysis service. This update included a new best practice related to hypertext links opening in a new window or tab by using the target="_blank" attribute.

Joining Google Chrome, the latest Firefox version now supports the rel="noopener" attribute, which was one of our advised solutions. It is the right time for us to look back on this recommendation, which we made not only for better security but also for web performance.

To sum things up, if you allow your visitors to post links on your website with the target="_blank" attribute, you allow an attacker to redirect users clicking such a link to another web page… The issue is that the redirect concerns the initial tab (your web page), not the newly opened window when clicking the link! And the redirect is done without any warning. It could be used as a very effective phishing method, for example.

By default, a web page can actually access the opener page through the window.opener attribute and modify its location attribute, even if the two web pages are from different domains.

I can see that in this Moodle forum this has not been implemented yet on external links. This issue can also safeguard us against malware redirects to another site. I don't know if it's the right thread to discuss this, but anyway. You can read more about malware redirects on my blog.
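
Added example (not part of any post in this thread, and not Moodle or HTML Purifier code): a small client-side pass that finds links opening a new browsing context and merges `noopener noreferrer` into their `rel` without discarding tokens the author already set. The function names are hypothetical, and it goes slightly beyond the thread by also covering named targets (e.g. `target="helpwin"`), which create an opener relationship just as `_blank` does.

```javascript
// Added example: not Moodle or HTML Purifier code; all names here are hypothetical.
// Target values that stay in an existing browsing context, so no opener is created.
const SAME_CONTEXT_TARGETS = new Set(["", "_self", "_parent", "_top"]);
const REQUIRED_REL = ["noopener", "noreferrer"];

// Returns the rel value the link should carry, or null when nothing needs to change.
function hardenedRel(target, rel) {
  // Target keywords are matched case-insensitively by browsers.
  const t = (target || "").toLowerCase();
  if (SAME_CONTEXT_TARGETS.has(t)) return null;

  // Keep the author's existing tokens (nofollow, external, ...) in their order.
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  const present = new Set(tokens.map((tok) => tok.toLowerCase()));
  const missing = REQUIRED_REL.filter((tok) => !present.has(tok));
  return missing.length === 0 ? null : tokens.concat(missing).join(" ");
}

// Walks every link under `root` that names a target and patches its rel attribute.
// Returns the number of links changed, which is useful for auditing existing content.
function hardenLinks(root) {
  let changed = 0;
  for (const el of root.querySelectorAll("a[target], area[target]")) {
    const rel = hardenedRel(el.getAttribute("target"), el.getAttribute("rel"));
    if (rel !== null) {
      el.setAttribute("rel", rel);
      changed += 1;
    }
  }
  return changed;
}

// In a browser, run once the user-generated content is in the DOM.
if (typeof document !== "undefined") {
  hardenLinks(document);
}
```

A client-side pass like this only protects pages that load the script; filtering `rel` on the server when content is saved or rendered, as the HTML Purifier approach mentioned above does, covers every page.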