Allow target attributes in v-safe-html
DOMPurify strips the `target` attribute due to the `window.opener` vulnerability, and recommends implementing it on the consumer end if necessary.
Related issue - https://github.com/cure53/DOMPurify/issues/317
Proposal
- Allow `target` attribute by default
- Add `afterSanitizeAttributes` hook
- Check if it uses `_blank` as value and if the anchor node has a `rel` attribute with proper values: `noopener` & `noreferrer`
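
One way to write the hook proposed above, as an added example that is not the project's own code. The names `enforceSafeTarget` and `fakeAnchor` are hypothetical, and adding the missing `rel` tokens (instead of dropping `target`) is an assumption, since the proposal only says to check them.

```javascript
// Added example: logic for a DOMPurify afterSanitizeAttributes hook.
// `target` itself has to be allowed first, e.g.
//   DOMPurify.sanitize(html, { ADD_ATTR: ['target'] })
const REQUIRED_REL = ['noopener', 'noreferrer'];

// Assumption: a link that opens a new window gets the missing rel tokens
// added, rather than having its target attribute removed.
function enforceSafeTarget(node) {
  // The hook fires for every sanitized element; only anchors with a
  // target attribute are relevant to this check.
  if (!node || String(node.nodeName).toLowerCase() !== 'a') return node;
  if (!node.hasAttribute('target')) return node;

  // Browsers match the _blank keyword case-insensitively.
  if (node.getAttribute('target').toLowerCase() !== '_blank') return node;

  // rel is a space-separated token list: keep what is there, add what is missing.
  const tokens = (node.getAttribute('rel') || '')
    .toLowerCase()
    .split(/\s+/)
    .filter(Boolean);
  for (const required of REQUIRED_REL) {
    if (!tokens.includes(required)) tokens.push(required);
  }
  node.setAttribute('rel', tokens.join(' '));
  return node;
}

// Register only when DOMPurify is loaded (browser, or Node with a DOM).
if (typeof DOMPurify !== 'undefined') {
  DOMPurify.addHook('afterSanitizeAttributes', enforceSafeTarget);
}

// Constructed stand-in for a DOM element so the logic can run without a DOM.
function fakeAnchor(attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    nodeName: 'A',
    hasAttribute: (name) => map.has(name),
    getAttribute: (name) => (map.has(name) ? map.get(name) : null),
    setAttribute: (name, value) => { map.set(name, String(value)); },
  };
}
```

`area` and `form` elements also accept `target` and `rel`, so the tag check needs widening if the sanitizer configuration lets those elements through.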