Forums | Mahara Community
Security release relating to opening links in new tab/window
24 March 2016, 13:31
Today we released a security update that may have a big impact on your users, so we want to provide you with a bit more information about why we've made this change. The security issue we're addressing is not unique to Mahara, but can affect any website.
You can open any web link in a new window by making a right-mouse click and specifying that you want to open it in a new window. This method is safe and not affected by the security update.
However, website standards also make it easy for authors to define that a link should be opened in a new window no matter whether a person clicked on it normally or with a right-mouse click. It turns out this feature is unsafe, and can allow malicious sites to hack your own site.
If you want to delve deeper into the technical details, you can read the blog post "On the security implications of window.opener.location.replace()".
That's why we have decided to remove from Mahara the feature of links that open automatically in a new window / tab. With this latest security release, you will no longer be able to use the "Open in a new window" link option in the visual editor or the HTML notation target="_blank", and it will also be scrubbed out of existing user content and the Mahara code base. Affected links will still work as links, but will no longer automatically open in a new window.
If you wish to open certain links in a new window, you can still do that with a right-mouse click / middle click or on a mobile device with a long-press and then choosing the option.
We recommend you update your Mahara site to the latest security release for the version of Mahara you are using. Updates are available for:
- Mahara 1.10 - Minor point update 1.10.9
- Mahara 15.04 - Minor point update 15.04.6
- Mahara 15.10 - Minor point update 15.10.2
If you are on an older version of Mahara, we recommend you upgrade to one of the supported versions as soon as possible.
The Mahara Release Maintainers
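
The scrubbing of stored content described above, as an added example that is not part of the original post and is not Mahara's own code: a Python function that removes target="_blank" from `a` and `area` elements with the standard-library HTML parser, so uppercase, unquoted and single-quoted spellings are caught while the same characters in ordinary text are left alone. The class and function names, the choice of elements and the sample markup are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

LINK_TAGS = {"a", "area"}  # assumption: only link elements are scrubbed


class TargetBlankScrubber(HTMLParser):
    """Re-emit HTML as parsed, minus target="_blank" on link elements."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out, self.removed = [], 0

    def _start(self, tag, attrs, closer):
        hit = any(k == "target" and (v or "").strip().lower() == "_blank"
                  for k, v in attrs)
        if tag not in LINK_TAGS or not hit:
            self.out.append(self.get_starttag_text())  # original source text
            return
        self.removed += 1
        # The parser has unescaped attribute values, so escape them again.
        parts = [k if v is None else f'{k}="{escape(v, quote=True)}"'
                 for k, v in attrs if k != "target"]
        self.out.append("<" + " ".join([tag] + parts) + closer)

    def handle_starttag(self, tag, attrs): self._start(tag, attrs, ">")
    def handle_startendtag(self, tag, attrs): self._start(tag, attrs, " />")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")
    def handle_pi(self, data): self.out.append(f"<?{data}>")


def scrub_target_blank(html):
    """Return (scrubbed_html, number_of_links_changed)."""
    parser = TargetBlankScrubber()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample of stored user content, not taken from a real site.
SAMPLE = ('<p>Text target="_blank" <a href="/1?a=1&amp;b=2" target="_blank">one</a> '
          "<A HREF='/2' TARGET=_BLANK>two</A> "
          '<a href="/3" target="_self">three</a></p>')

if __name__ == "__main__":
    print(scrub_target_blank(SAMPLE))
```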