mozilla / bleach

Bleach is an allowed-list-based HTML sanitizing library that escapes or strips markup and attributes
https://bleach.readthedocs.io/en/latest/

Possible to only allow target="_blank" but no other values? #684

Closed ThiefMaster closed 11 months ago

ThiefMaster commented 1 year ago

Is there a way to allow `<a target="_blank" ....>` but no other targets? My use case is that people sometimes don't know what to use, and if you put `target="blank"` or similar, then it'll set the window name and two links with the same wrong target would open in the same new tab/window instead of separate ones.

willkg commented 1 year ago

Can you provide a test case so I know specifically what you're asking about?

ThiefMaster commented 1 year ago

```html
<a href="https://google.com" target="_blank">test</a>
<a href="https://google.com" target="foo">test 2</a>
<a href="https://google.com">test 3</a>
```

->

```html
<a href="https://google.com" target="_blank">test</a>
<a href="https://google.com">test 2</a>
<a href="https://google.com">test 3</a>
```

willkg commented 11 months ago

There's a target_blank callback that you can use which will enforce a target="_blank". Pretty sure that's not what you want, but you can write your own callback and base it on the target_blank code.

https://github.com/mozilla/bleach/blob/6f0aaaaa98ff355a1207e7c1c77d3eb0c063a9b1/bleach/callbacks.py#L22-L32

Hope that helps!
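
A sketch of the custom callback suggested in the thread, written as an added example (it is not code from the thread or from bleach itself). The names `only_target_blank` and `sanitize_links` are hypothetical; the callback signature and the `(namespace, name)` attribute keys follow bleach's linkify callback convention, as used by `target_blank`.

```python
# Added example: a linkify callback that keeps target="_blank" and drops any other target.
TARGET = (None, "target")  # bleach keys link attributes by (namespace, name)


def only_target_blank(attrs, new=False):
    """Hypothetical callback: allow target="_blank", remove every other target value."""
    value = attrs.get(TARGET)
    if value is None:
        # No target attribute: nothing to do ("test 3" in the thread).
        return attrs
    # Choice made for this example: HTML treats the _blank keyword as
    # ASCII case-insensitive, so "_BLANK" is normalised rather than dropped.
    if value.lower() == "_blank":
        attrs[TARGET] = "_blank"
    else:
        # "blank", "foo", ... would name a window that later links reuse,
        # so the attribute is removed and the link opens normally.
        del attrs[TARGET]
    return attrs


def sanitize_links(html):
    """Run the callback over the <a> tags in html (existing links get new=False)."""
    import bleach  # third-party; imported lazily so the callback works on its own
    # Passing callbacks= replaces bleach's default list (which adds rel="nofollow").
    return bleach.linkify(html, callbacks=[only_target_blank])
```

Because `linkify` also turns bare URLs in text into links, this fits best as a step after `bleach.clean()` with `target` in the allowed attributes for `a`; `clean()` on its own does not run these callbacks.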