Markdown.pl: allow target="_blank" rel="nofollow"

While other targets could, potentially, represent legitimate
issues for concern, opening a new window generally does not
since that's typically a readily available option in the user
agent anyway when choosing to follow any individual link.

While using target="_blank" does not really represent any
security issue, it may be an annoyance issue, but that's something
for the author to address, not the sanitizer.

Although rel="nofollow" is _not_ part of the HTML 4 standard,
it may be very useful to avoid "endorsing" sites that are being
linked to.  Since it does not introduce any risk of scripting
issues or other hidden issues, go ahead and allow it too.

Signed-off-by: Kyle J. McKay <mackyle@gmail.com>

Markdown.pl

@@ -3451,7 +3451,7 @@ my %impatt;	# names of "implied" attributes
 BEGIN {
     %univatt = map({$_ => 1} qw(class dir id lang style title xml:lang));
     %tagatt = (
-	'a' => { map({$_ => 1} qw(href name)) },
+	'a' => { map({$_ => 1} qw(href name rel target)) },
 	'area' => { map({$_ => 1} qw(alt coords href nohref shape)) },
 	'basefont' => { map({$_ => 1} qw(color face size)) },
 	'br' => { map({$_ => 1} qw(clear)) },
@@ -3805,6 +3805,12 @@ sub _SanitizeAtt {
 	ref($opt{base_prefix}) eq 'CODE' and
 	    $_[1] = '"' . escapeXML(&{$opt{base_prefix}}("#")) . '"';
     };
+    if ($_[4] eq "a") {
+	$att eq "target" and
+	    return $_[1] =~ /^([\042\047])\s*_blank\s*\1$/io ? 'target="_blank" ' : "";
+	$att eq "rel" and
+	    return $_[1] =~ /^([\042\047])\s*nofollow\s*\1$/io ? 'rel="nofollow" ' : "";
+    }
     if ($lcattval{$att}) {
 	return $att."="._SanitizeAttValue(lc($_[1]))." ";
     } else {