Opened 3 days ago
Closed 3 days ago
#64400 closed enhancement (invalid)
Automatically add rel="noopener" to all target="_blank" links in content
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | trunk |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
Opening links in a new tab using target="_blank" without rel="noopener" exposes websites to reverse tabnabbing. This vulnerability allows a newly opened tab to redirect or manipulate the parent window via window.opener.
While some editors add noopener, many content sources do not:
- Block Editor raw HTML
- Widgets
- Shortcodes
- Comments
- Meta fields
- Plugin output
- Menu items
This proposal automatically injects rel="noopener" into all links containing target="_blank".
The patch:
- Finds <a> tags with target="_blank"
- Adds rel="noopener" if missing
- Appends noopener to existing rel values
- Runs across multiple filters (the_content, widgets, comments)
- Ensures consistent sanitization and security
This is a small, backward-compatible change that aligns WordPress Core with modern security standards.
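The rewrite the description lists (find target="_blank" links, add rel="noopener" if missing, append it to an existing rel value), shown as an added example. It is not part of the ticket or its patch and is not WordPress Core code. The function names `example_add_noopener` and `example_fix_anchor` are hypothetical, and the sample HTML is constructed.

```php
<?php
// Added illustration: function names are hypothetical, not WordPress Core APIs.

function example_add_noopener( string $html ): string {
    // Opening <a ...> tags only; assumes no literal ">" inside attribute values.
    return preg_replace_callback( '/<a\s[^>]*>/i', 'example_fix_anchor', $html ) ?? $html;
}

function example_fix_anchor( array $m ): string {
    $tag = $m[0];

    // Leave links alone unless they carry target="_blank" (quoted or not).
    if ( ! preg_match( '/\starget\s*=\s*(["\']?)_blank\1(?=[\s\/>])/i', $tag ) ) {
        return $tag;
    }

    // Existing rel attribute: double-quoted, single-quoted or unquoted value.
    $rel_re = '/(\srel\s*=\s*)(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))/i';
    if ( preg_match( $rel_re, $tag, $rel ) ) {
        // At most one of groups 2-4 is non-empty, so joining them yields the value.
        $tokens = preg_split( '/\s+/', implode( '', array_slice( $rel, 2 ) ), -1, PREG_SPLIT_NO_EMPTY );
        if ( in_array( 'noopener', array_map( 'strtolower', $tokens ), true ) ) {
            return $tag; // Already present: nothing to do.
        }
        $tokens[] = 'noopener'; // Append, keeping nofollow, ugc, etc.
        $new_rel  = $rel[1] . '"' . implode( ' ', $tokens ) . '"';
        return preg_replace_callback( $rel_re, fn() => $new_rel, $tag, 1 );
    }

    // No rel attribute: insert one before the closing ">" or "/>".
    return preg_replace( '/\s*\/?>$/', ' rel="noopener"$0', $tag, 1 );
}

// Constructed sample input covering the cases listed in the description.
$sample = <<<'HTML'
<a href="https://example.com/a" target="_blank">no rel</a>
<a href="https://example.com/b" target="_blank" rel="nofollow">existing rel</a>
<a href="https://example.com/c" target='_blank' rel="noopener noreferrer">already set</a>
<a href="https://example.com/d">same tab</a>
HTML;

echo example_add_noopener( $sample ), "\n";
```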
Change History (1)
Hello @iflairwebtechnologies, welcome to WordPress Trac!
Thanks for the suggestion but adding the noopener relationship is no longer required since it's the default behaviour in all recent browsers. See #53843 for more details.