Closed jonasgrilleres closed 1 year ago
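I ended up extending the default list, but it would be good to have `rel` included by default - or at least know why it's not included.

```js
const sanitize = require('sanitize-html');

// Keep the default attribute allowlist, but also permit rel on <a>
const options = {
  allowedAttributes: {
    ...sanitize.defaults.allowedAttributes,
    a: ['href', 'name', 'target', 'rel'],
  },
};
// dirty: the untrusted HTML string to clean
const sanitizedHtml = sanitize(dirty, options);
```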
I think a PR to add it would be reasonable. I don’t see a situation where it would be considered harmful but target would not.
On Thu, Oct 5, 2023 at 4:29 AM Daniel Nitu @.***> wrote:
> I ended up extending the default list, but it would be good to have `rel` included by default - or at least know why it's not included.
>
> ```js
> const options = {
>   allowedAttributes: {
>     ...sanitize.defaults.allowedAttributes,
>     a: ['href', 'name', 'target', 'rel'],
>   },
> };
> const sanitizedHtml = sanitize(dirty, options)
> ```
It is recommended to add attribute: `rel="noopener, noreferrer"` to links opening in a new tab with attribute `target="_blank"`. See tabnabbing.

In the current situation, it is not possible to use `target` and `ref` attributes together without overriding `allowedAttributes` list.

Does it make sense to add `rel` attribute in the list of the defaults attributes? https://github.com/apostrophecms/sanitize-html/blob/795d079282bc4660e2d0740cf112ac6973aa77b1/index.js#L806
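
An added example, not part of this thread or of sanitize-html's own code: allowing `rel` only lets an author-supplied value through, so this sketch uses the library's `transformTags` option to force the tabnabbing mitigation onto every link that keeps `target="_blank"`. The names `enforceSafeRel`, `REQUIRED_REL` and `safeLinkOptions` are hypothetical.

```javascript
// Added example; enforceSafeRel, REQUIRED_REL and safeLinkOptions are hypothetical names.
const REQUIRED_REL = ['noopener', 'noreferrer'];

// Shaped like a sanitize-html transformTags callback:
// (tagName, attribs) -> { tagName, attribs }
function enforceSafeRel(tagName, attribs) {
  // The _blank keyword is matched case-insensitively by browsers.
  const target = (attribs.target || '').trim().toLowerCase();
  if (target !== '_blank') {
    return { tagName, attribs }; // no new browsing context, leave untouched
  }
  // rel is a space-separated token list. Commas are also accepted as
  // separators here so "noopener, noreferrer" does not leave a
  // "noopener," token that browsers would not recognise.
  const tokens = (attribs.rel || '')
    .split(/[\s,]+/)
    .map((t) => t.toLowerCase())
    .filter(Boolean);
  // Keep the author's tokens (e.g. nofollow) and append the required ones once.
  const merged = [...new Set([...tokens, ...REQUIRED_REL])];
  return { tagName, attribs: { ...attribs, rel: merged.join(' ') } };
}

const safeLinkOptions = {
  // rel must be allowed for <a>, otherwise the sanitizer strips it again.
  // This map replaces the defaults; in real use spread
  // sanitize.defaults.allowedAttributes first, as in the comment above.
  allowedAttributes: { a: ['href', 'name', 'target', 'rel'] },
  transformTags: { a: enforceSafeRel },
};
```

Pass `safeLinkOptions` as the second argument to `sanitize(dirty, options)` in place of the `options` object shown in the thread.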