fix: Allow target=_blank in anchors (#2536)

theopensystemslab · Dec 6, 2023 · 8ef4c63 · 8ef4c63
1 parent bf8d67f
commit 8ef4c63
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 3 deletions.
diff --git a/api.planx.uk/modules/flows/findReplace/controller.ts b/api.planx.uk/modules/flows/findReplace/controller.ts
@@ -26,7 +26,9 @@ export const findAndReplaceSchema = z.object({
     replace: z
       .string()
       .optional()
-      .transform((val) => val && DOMPurify.sanitize(val)),
+      .transform(
+        (val) => val && DOMPurify.sanitize(val, { ADD_ATTR: ["target"] }),
+      ),
   }),
 });
 

diff --git a/editor.planx.uk/src/ui/ReactMarkdownOrHtml.tsx b/editor.planx.uk/src/ui/ReactMarkdownOrHtml.tsx
@@ -69,7 +69,7 @@ export default function ReactMarkdownOrHtml(props: {
       <HTMLRoot
         color={props.textColor}
         dangerouslySetInnerHTML={{
-          __html: DOMPurify.sanitize(incrementHeaders),
+          __html: DOMPurify.sanitize(incrementHeaders, { ADD_ATTR: ["target"] }),
         }}
         id={props.id}
       />

diff --git a/sharedb.planx.uk/server.js b/sharedb.planx.uk/server.js
@@ -63,7 +63,7 @@ function sanitiseOperation(op) {
  */
 function sanitise(input) {
   if ((input && typeof input === "string") || input instanceof String) {
-    return DOMPurify.sanitize(input);
+    return DOMPurify.sanitize(input, { ADD_ATTR: ["target"] });
   } else if ((input && typeof input === "object") || input instanceof Object) {
     return Object.entries(input).reduce((acc, [k, v]) => {
       v = sanitise(v);