I've discovered a new kind of attack: target="_blank".
It means that the new website can redirect the initial window to a phishing page that looks like the real XWiki but actually asks for the credentials...
Apparently, this vulnerability is very common and poorly known...
Some explanation: https://dev.to/phishing
XWiki is vulnerable to this. I have created a new page with this link:
which is the syntax we suggest in our Help Guide.
When you click on it, the website dev.to is opened in a new window, but at the same time, the first window is going to https://dev.to/phishing.
Fortunately, preventing this is easy. All we need to do is to add rel="noopener noreferrer" as an attribute of every link that already has target="_blank".
This could be done in our rendering system and also in the HTMLCleaner.
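As an added illustration of the fix described above (this is not XWiki code and not its Java HTMLCleaner; it is a stand-alone Python stand-in written for this post), the following pass walks an HTML fragment, leaves everything untouched except `<a>` tags that carry `target="_blank"` without a complete `rel`, and rewrites those so that `rel` contains `noopener noreferrer` while keeping any `rel` tokens that were already there. It also reports which hrefs were unprotected, which is the check you would run over existing rendered output to see how many pages are affected. The sample fragment, the `OpenerGuard` class name and the `harden_blank_links` function are constructed for the example.

```python
"""Add rel="noopener noreferrer" to every <a target="_blank"> in an HTML fragment.

Illustrative code written for this discussion; it is not XWiki's HTMLCleaner.
"""
from html import escape
from html.parser import HTMLParser

# rel tokens a new-window link needs so the opened page cannot touch window.opener
REQUIRED_REL = ("noopener", "noreferrer")


def opens_new_window(attrs):
    """True when the tag's attribute list contains target="_blank" (case-insensitive)."""
    return any(k.lower() == "target" and (v or "").lower() == "_blank" for k, v in attrs)


def rel_tokens(attrs):
    """Return the existing rel tokens of a tag, or [] when there is no rel attribute."""
    for k, v in attrs:
        if k.lower() == "rel":
            return (v or "").split()
    return []


def is_protected(attrs):
    """True when every required rel token is already present."""
    present = {t.lower() for t in rel_tokens(attrs)}
    return all(t in present for t in REQUIRED_REL)


class OpenerGuard(HTMLParser):
    """Re-emits the input HTML verbatim, rewriting only unprotected new-window anchors."""

    def __init__(self):
        # convert_charrefs=False so entities are passed through unchanged, not decoded
        super().__init__(convert_charrefs=False)
        self.out = []
        self.unprotected_hrefs = []  # audit trail: hrefs that had to be fixed

    def handle_starttag(self, tag, attrs):
        if tag == "a" and opens_new_window(attrs) and not is_protected(attrs):
            self.unprotected_hrefs.append(dict(attrs).get("href", ""))
            self.out.append(self._rewrite_anchor(attrs))
        else:
            self.out.append(self.get_starttag_text())  # original bytes, untouched

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def _rewrite_anchor(self, attrs):
        """Rebuild the <a ...> tag with a rel that includes the required tokens."""
        tokens = rel_tokens(attrs)
        lowered = {t.lower() for t in tokens}
        tokens += [t for t in REQUIRED_REL if t not in lowered]
        parts = [(k, v) for k, v in attrs if k.lower() != "rel"] + [("rel", " ".join(tokens))]
        rendered = " ".join(
            k if v is None else f'{k}="{escape(v, quote=True)}"' for k, v in parts
        )
        return f"<a {rendered}>"


def harden_blank_links(html):
    """Return (rewritten_html, list_of_hrefs_that_were_unprotected)."""
    guard = OpenerGuard()
    guard.feed(html)
    guard.close()
    return "".join(guard.out), guard.unprotected_hrefs


# Constructed sample: two unprotected new-window links (one with a partial rel) and one safe link.
SAMPLE = (
    '<p>See <a href="https://dev.to" target="_blank">dev.to</a> and '
    '<a target="_blank" rel="nofollow" href="https://example.org/?a=1&amp;b=2">example</a>; '
    '<a href="https://xwiki.org">same window</a>.</p>'
)

if __name__ == "__main__":
    fixed_html, hrefs = harden_blank_links(SAMPLE)
    print(f"{len(hrefs)} unprotected link(s): {hrefs}")
    print(fixed_html)
```

Running the pass twice on the same fragment yields identical output, because a link whose `rel` already contains both tokens is emitted from the original tag text rather than rebuilt; that idempotency is what makes it safe to apply in both the renderer and a later cleaning step.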