With GitHub - rails/rails-html-sanitizer, there is a default list of acceptable HTML attributes, e.g. href. target is not in the default set, likely because it can be used to exploit the Window API. However, that exploit is preventable if the rel attribute is present with the value “noreferrer noopener”.
Adding rel and target as acceptable attributes (overriding the defaults) doesn’t ensure this, so I am wondering if the scrubber could become more nuanced. Right now it iterates through each HTML node and examines the attributes one by one, so it doesn’t seem like the simplest of changes, but it does seem beneficial: the target attribute is used to tell browsers to open links in a new tab rather than navigating away from the user’s current location.
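The rule described above (target is only acceptable on a link when rel also carries both noopener and noreferrer), written out as an added, standalone Ruby example. This is not rails-html-sanitizer's code and does not use its API: it parses markup with Ruby's standard REXML library so it runs without the gem, and the names REQUIRED_REL, target_allowed?, scrub_anchor!, scrub_fragment and the sample markup are all constructed here. It goes slightly beyond the post by showing two policies: a strict mode that drops a non-compliant target, and a repair mode that keeps target and adds the missing rel tokens. In the real gem the same decision would be made inside a custom Loofah scrubber handed to the sanitizer, where each node's attributes are inspected one at a time.

```ruby
require 'rexml/document'

# The rel tokens that must accompany a target attribute (assumption taken
# from the post: both are required, not just one of them).
REQUIRED_REL = %w[noopener noreferrer].freeze

# rel is a whitespace-separated, case-insensitive token list.
def rel_tokens(rel)
  rel.to_s.downcase.split(/\s+/)
end

# Which required tokens are absent from a given rel value.
def missing_rel(rel)
  REQUIRED_REL - rel_tokens(rel)
end

# Policy check over a plain attribute hash (the shape a per-attribute
# scrubber sees): a target attribute is acceptable only when rel covers it.
def target_allowed?(attrs)
  attrs['target'].nil? || missing_rel(attrs['rel']).empty?
end

# Apply the policy to one <a> element in place.
#   :strict -> remove target when rel is not sufficient
#   :repair -> keep target and append the missing rel tokens
def scrub_anchor!(el, mode: :strict)
  return el if el.attributes['target'].nil?
  missing = missing_rel(el.attributes['rel'])
  return el if missing.empty?
  if mode == :repair
    tokens = (rel_tokens(el.attributes['rel']) + missing).uniq
    el.add_attribute('rel', tokens.join(' '))
  else
    el.delete_attribute('target')
  end
  el
end

# Scrub every <a> in a fragment and return the serialized result.
# The fragment is wrapped in a root element because REXML parses documents.
def scrub_fragment(html, mode: :strict)
  doc = REXML::Document.new("<root>#{html}</root>")
  REXML::XPath.each(doc, '//a') { |a| scrub_anchor!(a, mode: mode) }
  doc.root.children.map(&:to_s).join
end

# Constructed sample input covering the four interesting cases.
SAMPLE_HTML = <<~HTML
  <p>Safe: <a href="https://example.com/a" target="_blank" rel="noopener noreferrer">ok</a></p>
  <p>Unsafe: <a href="https://example.com/b" target="_blank">missing rel</a></p>
  <p>Partial: <a href="https://example.com/c" target="_blank" rel="noopener">half</a></p>
  <p>Plain: <a href="https://example.com/d">no target</a></p>
HTML

if $PROGRAM_NAME == __FILE__
  puts "strict:\n#{scrub_fragment(SAMPLE_HTML, mode: :strict)}"
  puts "repair:\n#{scrub_fragment(SAMPLE_HTML, mode: :repair)}"
end
```

Strict mode is the conservative choice for a sanitizer that must not guess at intent; repair mode is friendlier to user content but means the sanitizer now rewrites rather than only filters, which is the kind of change the post notes would not fit the current attribute-by-attribute loop.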