From 39e875e4f5acf00a92b3ac97561d222402afe2fc Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay"
Date: Tue, 16 Mar 2021 14:40:44 -0700
Subject: [PATCH] Markdown.pl: allow target="_blank" rel="nofollow"

While other targets could, potentially, represent legitimate issues for concern, opening a new window generally does not since that's typically a readily available option in the user agent anyway when choosing to follow any individual link. While using target="_blank" does not really represent any security issue, it may be an annoyance issue, but that's something for the author to address, not the sanitizer.
Although rel="nofollow" is _not_ part of the HTML 4 standard, it may be very useful to avoid "endorsing" sites that are being linked to. Since it does not introduce any risk of scripting issues or other hidden issues, go ahead and allow it too.

Signed-off-by: Kyle J. McKay
---
 Markdown.pl | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Markdown.pl b/Markdown.pl
index e953f23..274836b 100755
--- a/Markdown.pl
+++ b/Markdown.pl
@@ -3451,7 +3451,7 @@ my %impatt; # names of "implied" attributes
 BEGIN {
 %univatt = map({$_ => 1} qw(class dir id lang style title xml:lang));
 %tagatt = (
- 'a' => { map({$_ => 1} qw(href name)) },
+ 'a' => { map({$_ => 1} qw(href name rel target)) },
 'area' => { map({$_ => 1} qw(alt coords href nohref shape)) },
 'basefont' => { map({$_ => 1} qw(color face size)) },
 'br' => { map({$_ => 1} qw(clear)) },
@@ -3805,6 +3805,12 @@ sub _SanitizeAtt {
 ref($opt{base_prefix}) eq 'CODE' and
 $_[1] = '"' . escapeXML(&{$opt{base_prefix}}("#")) . '"';
 };
+ if ($_[4] eq "a") {
+ $att eq "target" and
+ return $_[1] =~ /^([\042\047])\s*_blank\s*\1$/io ? 'target="_blank" ' : "";
+ $att eq "rel" and
+ return $_[1] =~ /^([\042\047])\s*nofollow\s*\1$/io ? 'rel="nofollow" ' : "";
+ }
 if ($lcattval{$att}) {
 return $att."="._SanitizeAttValue(lc($_[1]))." ";
 } else {
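Review bot: The new `rel` branch in the second hunk only accepts the exact single token `nofollow`, so an author who writes `rel="noopener"` or `rel="nofollow noopener"` has the whole attribute silently dropped, while the `target` branch in the same block now lets `target="_blank"` through; in user agents that do not implicitly apply noopener to `_blank` links that leaves the opened document with a `window.opener` handle (reverse tabnabbing), and the sanitizer as written gives the author no way to opt out of it. I would accept a space-separated subset of a small allow-list (`nofollow noopener noreferrer`) instead of an exact-match regex, as below, and still emit a fixed, re-quoted value so no attribute text from the input reaches the output. The `/o` modifier on both patterns is also a no-op since nothing is interpolated. `_SanitizeAtt` starts and ends outside the hunk, and I am assuming `$_[4]` is the (lower-cased) tag name — that is not visible here.
```perl
        if ($_[4] eq "a") {
            $att eq "target" and
                return $_[1] =~ /^([\042\047])\s*_blank\s*\1$/i ? 'target="_blank" ' : "";
            if ($att eq "rel") {
                # Keep only known-safe link types so rel="nofollow noopener" survives
                # alongside target="_blank"; anything else is dropped entirely.
                my %safe = map({$_ => 1} qw(nofollow noopener noreferrer));
                my @tokens = $_[1] =~ /^([\042\047])\s*(.*?)\s*\1$/s
                    ? grep({$safe{$_}} split(/\s+/, lc($2)))
                    : ();
                return @tokens ? 'rel="' . join(" ", @tokens) . '" ' : "";
            }
        }
```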