Commit

Changed text of #143 slightly
cure53 committed Mar 2, 2015
1 parent bc33660 commit 7e48fac
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion items.js
Expand Up @@ -5080,7 +5080,7 @@ return [
'de' : '',
'zh' : ''
},
'data' : '<a href="//evil.com" target="_blank" rel="noreferrer">CLICK</a> // window.opener will be null\r\n<map><area href="//evil.com" target="_blank" rel="noreferrer">CLICK</area></map> // window.opener will be null\r\n\r\n<svg><a xlink:href="//evil.com" rel="noreferrer">CLICK</a></svg> // window.opener still works\r\n<form action="//evil.com" rel="noreferrer"><input type="submit"></form>// window.opener still works\r\n<form id="test" rel="noreferrer"></form><button formtarget="_blank" formaction="//evil.com">CLICKME</button>// window.opener still works\r\n<math href="//evil.com" rel="noreferrer">CLICKME</math>// window.opener still works',
'data' : '<a href="//evil.com" target="_blank" rel="noreferrer">CLICK</a> // window.opener will be null\r\n\r\n<map><area href="//evil.com" target="_blank" rel="noreferrer">CLICK</area></map> // window.opener will be null\r\n\r\n<svg><a xlink:href="//evil.com" rel="noreferrer">CLICK</a></svg> // window.opener still works\r\n\r\n<form action="//evil.com" target="_blank" rel="noreferrer"><input type="submit"></form>// window.opener still works\r\n\r\n<form id="test" rel="noreferrer"></form><button formtarget="_blank" formaction="//evil.com">CLICKME</button>// window.opener still works\r\n\r\n<math href="//evil.com" xlink:show="new" rel="noreferrer">CLICKME</math>// window.opener still works',
'description' : {
'en' : 'In many situations, a developer might want to mitigate tab-nabbing attacks that are using window.opener and its writable location object. To do so, it is recommended to apply external links with a rel="noreferrer" attribute. Depending on how the external links are embedded, the protection might however fail - and window.opener might not be null but still be exposed. The problem here is, that rel attributes only work for <a> and <area>. Links and link-like navigation features can however be embedded in multiple other ways. Further note, that MSIE pretty much ignores the standard and doesn\'t destroy window.opener without further effort.',
'ja' : '',
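Review bot: The <svg><a xlink:href="//evil.com" rel="noreferrer"> entry in the new 'data' string still has no new-window attribute, while this change adds target="_blank" to the <form action> entry and xlink:show="new" to the <math> entry. With no target, that SVG link opens in the same browsing context, so its "window.opener still works" comment is not demonstrated the way the other entries now are; give it the same new-window attribute or reword its comment. The 'description' text also says rel only works for <a> and <area>, so it would help to state there that every entry is meant to be read as a new-window navigation. Style: the first three entries put a space before "// window.opener", the last three run "</form>//", "</button>//" and "</math>//" together. The commit message mentions only a text change, although two entries gain attributes that alter how they behave; say so in the message.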