Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Problem/Motivation
The link dialog in the text editor exposes the ability to open a link in a new window.
Since #2549077: Allow the "Limit allowed HTML tags" filter to also restrict HTML attributes, and only allow a small whitelist of attributes by default that option does not work anymore as the "target" attribute is not whitelisted.
Proposed resolution
Whitelist the target attribute.
Remaining tasks
Patch, Review, Commit
User interface changes
None.
API changes
None.
Data model changes
None.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | regression_open_in_new_window-2578957-2.patch | 2.7 KB | duaelfr |
Comments
Comment #2
duaelfrAs we now only allow whitelisted tags and attributes, we have to use the plugins' allowedContent to be sure that the functionnalities they expose are not filtered on save.
Comment #3
duaelfrComment #4
fabianx commentedAssigning to Wim for review
Comment #5
wim leersI will definitely review this, but not right now, on the eve of RC1. This is a bugfix, and should therefore be possible to do during the RC phase.
Comment #6
duaelfrThat has been magically fixed by #2579979: Allow contrib to alter EditorImageDialog/EditorImageDialog and have custom attributes be stored
I'm not even sure they know that ;)
Commit hash if you want to try yourself: d8a5cf811e2846a4c2ade067bd3c5daa60f91bc5
Comment #7
wim leersThis actually is not yet fixed; it's only being masked by a bug.
See #2585173: [regression] "Allowed HTML tags" setting corrupted upon accessing Text Format configuration UI, comments 12 through 17.
Comment #8
wim leersAnd now it's fixed because it's gone: #2590403: Remove "Open in new window" checkbox from EditorLinkDialog — Was: "Consider whitelisting <a>'s target attribute in the Standard install profile".