[wp-trac] [WordPress Trac] #64400: Automatically add rel="noopener" to all target="_blank" links in content
WordPress Trac
noreply at wordpress.org
Thu Dec 11 08:23:04 UTC 2025
#64400: Automatically add rel="noopener" to all target="_blank" links in content
-------------------------------------------+-----------------------------
Reporter: iflairwebtechnologies | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Keywords: needs-patch
Focuses: performance, coding-standards |
-------------------------------------------+-----------------------------
Opening links in a new tab using **target="_blank"** without
**rel="noopener"** exposes websites to reverse tabnabbing. This
vulnerability allows a newly opened tab to redirect or manipulate the
parent window via **window.opener**.
While some editors add **noopener**, many content sources do not:
- Block Editor raw HTML
- Widgets
- Shortcodes
- Comments
- Meta fields
- Plugin output
- Menu items
This proposal automatically injects **rel="noopener"** into all links
containing **target="_blank"**.
The patch:
- Finds **<a>** tags with **target="_blank"**
- Adds **rel="noopener"** if missing
- Appends noopener to existing rel values
- Runs across multiple filters (**the_content**, widgets, comments)
- Ensures consistent sanitization and security
This is a small, backward-compatible change that aligns WordPress Core
with modern security standards.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64400>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
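
The rewrite the ticket describes, as an added example in plain PHP. It is not the ticket's patch or WordPress Core code; the function names, the constant and the sample markup are constructed for illustration.

```php
<?php
// Added example: example_add_noopener() is a hypothetical name, not WordPress Core code.

const EXAMPLE_REL_RE = '/\srel\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))/i';

/** Add "noopener" to rel on every <a> tag whose target is "_blank". */
function example_add_noopener( string $html ): string {
	// Limitation: [^>]* stops early if an attribute value contains ">".
	return preg_replace_callback( '/<a\s[^>]*>/i', 'example_fix_anchor', $html );
}

function example_fix_anchor( array $m ): string {
	$tag = $m[0];
	// Leave links alone unless they open a new browsing context.
	if ( ! preg_match( '/\starget\s*=\s*(["\']?)_blank\1(?=[\s>\/])/i', $tag ) ) {
		return $tag;
	}
	// Rewrite an existing rel attribute (double-quoted, single-quoted or unquoted).
	$tag = preg_replace_callback(
		EXAMPLE_REL_RE,
		function ( array $r ): string {
			$value  = ( $r[1] ?? '' ) . ( $r[2] ?? '' ) . ( $r[3] ?? '' );
			$tokens = preg_split( '/\s+/', $value, -1, PREG_SPLIT_NO_EMPTY );
			if ( in_array( 'noopener', array_map( 'strtolower', $tokens ), true ) ) {
				return $r[0]; // Already protected: keep the attribute byte for byte.
			}
			$tokens[] = 'noopener'; // Append, preserving nofollow, ugc, etc.
			return ' rel="' . str_replace( '"', '&quot;', implode( ' ', $tokens ) ) . '"';
		},
		$tag,
		1,
		$count
	);
	// No rel attribute at all: add one just before the closing ">".
	return $count ? $tag : substr( $tag, 0, -1 ) . ' rel="noopener">';
}

// Constructed sample input covering the cases listed in the ticket.
$sample = <<<'HTML'
<a href="https://example.com/a" target="_blank">no rel</a>
<a href="https://example.com/b" target='_blank' rel='nofollow'>existing rel</a>
<a href="https://example.com/c" target="_blank" rel="noopener noreferrer">already set</a>
<a href="https://example.com/d" data-target="_blank">same tab</a>
HTML;

echo example_add_noopener( $sample ), "\n";
```

Inside WordPress the same function could be attached with `add_filter( 'the_content', 'example_add_noopener' )`; the other sources the ticket lists (widgets, comments) pass through their own filters.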