Paragon Initiative Enterprises: Incomplete fix for #181225 (target=_blank vulnerability)

ID H1:226104
Type hackerone
Reporter cablej
Modified 2018-04-20T18:07:09

I believe the fix for #181225 is incomplete in the Airship wysihtml parser rules.

At, the 'target' parameter for links is allowed to be anything, while there are no forced 'rel' attributes. Additionally, sets 'rel' to only 'nofollow'.

This could be exploited by a user who posts a link with 'target=_blank', who can then change the URL of the opening page. To fix, add 'rel="noopener noreferrer"' to the parser rules.
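One way to enforce the mitigation the report proposes, as an added example that is not code from Airship, wysihtml or the report itself: a post-processing pass over the sanitizer's output that forces `rel="noopener noreferrer"` onto every link whose `target` opens a new browsing context, while keeping any `rel` tokens (such as `nofollow`) the sanitizer already set. The function names, the minimal attribute parser and the sample HTML are all constructed for this example; the exact wysihtml rule syntax is not reproduced here.

```javascript
// Added example, not code from Airship, wysihtml or the HackerOne report.
// Harden user-supplied <a> tags: any link that opens a new browsing context
// must carry rel="noopener noreferrer" so the opened page gets no usable
// window.opener reference back to the page that linked to it.

const REQUIRED_REL = ["noopener", "noreferrer"];

// Given the attribute map of one <a> tag, return a copy with the required
// rel tokens merged in whenever target is anything other than "_self".
function hardenLinkAttributes(attrs) {
  const out = { ...attrs };
  const target = (out.target || "_self").trim().toLowerCase();
  if (target === "_self") return out; // same-context link: nothing to add
  const tokens = (out.rel || "").split(/\s+/).filter(Boolean);
  for (const token of REQUIRED_REL) {
    if (!tokens.includes(token)) tokens.push(token);
  }
  out.rel = tokens.join(" ");
  return out;
}

// Constructed, minimal attribute parser for one tag's attribute string.
// Handles double-quoted, single-quoted and unquoted values; it is not a
// general HTML parser and only serves this example.
function parseAttributes(attrString) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function serializeAttributes(attrs) {
  return Object.entries(attrs)
    .map(([k, v]) => `${k}="${v.replace(/"/g, "&quot;")}"`)
    .join(" ");
}

// Rewrite every <a ...> opening tag in sanitized HTML.
function hardenLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (_, attrString) => {
    const attrs = hardenLinkAttributes(parseAttributes(attrString));
    return `<a ${serializeAttributes(attrs)}>`;
  });
}

// Audit helper for tests or CI: return the opening tags of links that open
// a new context but still lack one of the required rel tokens.
function findUnsafeLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = parseAttributes(m[1]);
    const target = (attrs.target || "_self").trim().toLowerCase();
    if (target === "_self") continue;
    const rel = (attrs.rel || "").split(/\s+/);
    if (!REQUIRED_REL.every((t) => rel.includes(t))) unsafe.push(m[0]);
  }
  return unsafe;
}

// Constructed sample in the shape the report describes: target passed
// through unchanged, rel limited to "nofollow".
const sample =
  '<p>see <a href="https://example.com/" target="_blank" rel="nofollow">here</a> ' +
  'and <a href="/local">local</a></p>';

console.log(findUnsafeLinks(sample).length); // 1 before hardening
console.log(hardenLinks(sample));
console.log(findUnsafeLinks(hardenLinks(sample)).length); // 0 after hardening
```

Running `hardenLinks` over the sanitizer's output (or wiring the same logic into the parser's attribute rules) closes the gap regardless of which `target` value a user supplies, and `findUnsafeLinks` gives a regression check that the rel tokens are present.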