One-click reflected XSS on Instagram

We discussed this vulnerability during Episode 77 on 18 May 2021

This is a surprisingly simple reflected XSS on instagram.com. A next= URL parameter is reflected into an href, so the link target can be a javascript: URL. On-page JavaScript does rewrite the onclick handler, which in turn rewrites the link, but middle-clicking the link will still trigger the javascript: URL.
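Since the click-time rewrite is bypassed by a middle click, the check belongs where the href is generated. The following is an added example, not Instagram's code: a server-side validator for a `next` value that accepts only same-origin targets and re-serializes them as a path. `SITE_ORIGIN`, `FALLBACK`, `safeNextHref` and `renderLink` are hypothetical names chosen for illustration.

```javascript
// Added example (not from the original page). All names are assumptions.
const SITE_ORIGIN = "https://www.example.com"; // hypothetical site origin
const FALLBACK = "/";                          // hypothetical safe default

// Return a same-origin path for `next`, or FALLBACK if it is not safe.
function safeNextHref(next) {
  if (typeof next !== "string" || next.length === 0) return FALLBACK;
  // Control characters and backslashes are normalized inconsistently by
  // parsers ("java\tscript:" parses as "javascript:"), so reject them.
  if (/[\u0000-\u001f\u007f\\]/.test(next)) return FALLBACK;
  let url;
  try {
    // Resolve the way a browser would resolve the href on our own page.
    url = new URL(next, SITE_ORIGIN);
  } catch {
    return FALLBACK;
  }
  // javascript:, data:, vbscript: and friends fail the scheme check.
  if (url.protocol !== "https:") return FALLBACK;
  // "//evil.example/x" resolves to a foreign origin and fails here.
  if (url.origin !== SITE_ORIGIN) return FALLBACK;
  // "/.//evil.example" normalizes to the path "//evil.example", which
  // would be protocol-relative again once emitted as an href.
  if (url.pathname.startsWith("//")) return FALLBACK;
  // Emit only the path portion so the result can never change origin.
  return url.pathname + url.search + url.hash;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the link from the validated value, never from the raw parameter.
function renderLink(next) {
  return '<a href="' + escapeAttr(safeNextHref(next)) + '">Continue</a>';
}
```
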