More nuanced rules for Rails Sanitizer / Scrubber?

With https://github.com/rails/rails-html-sanitizer/, there is a default list of acceptable attributes in HTML, e.g. href. Target is not one in the default set, likely because it can be used to exploit the Window API. However, that exploit is preventable if the rel attribute is present with the value “noreferrer noopener”.

Adding rel & target as acceptable attributes (overriding the defaults) doesn’t ensure this, so I am wondering if the scrubber could become more nuanced? Right now it iterates through each HTML node and examines the attributes one by one, so it doesn’t seem like the simplest of changes, but it does seem beneficial: the target attribute is used to indicate to browsers to open links in a new tab, rather than switching away from the user’s current location.

Thoughts?

This sounds like a really interesting idea! Do you have time to work on it? If so, I’d suggest opening an issue on the Rails GitHub to discuss this with the maintainers. Be sure to mention that you have time to work on it – because Rails is a volunteer-driven project, features are more likely to make it in if they have someone step up to champion them.
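
The node-level rule asked about in the question, as an added example that is not part of the thread and is not rails-html-sanitizer's own code: `target` is judged together with `rel` on the same element, either adding the missing `noopener noreferrer` tokens or, in strict mode, dropping `target`. The names `harden_link_attrs`, `link_target_scrubber` and `scrub_links` are hypothetical, the choice of `a` and `area` as the link elements is an assumption, and the scrubber part uses Loofah, the library rails-html-sanitizer builds on.

```ruby
# Added example; harden_link_attrs, link_target_scrubber and scrub_links are
# hypothetical names, not part of rails-html-sanitizer.
REQUIRED_REL = %w[noopener noreferrer].freeze
LINK_TAGS = %w[a area].freeze # assumption: only these count as links here

# Pure policy over one element's attributes (Hash of name => value).
# strict: false keeps target and adds the missing rel tokens;
# strict: true drops target unless rel already carries both tokens.
def harden_link_attrs(attrs, strict: false)
  out = attrs.dup
  return out unless out.key?("target")
  tokens = out["rel"].to_s.downcase.split
  missing = REQUIRED_REL - tokens
  return out if missing.empty?
  if strict
    out.delete("target")
  else
    out["rel"] = (tokens + missing).join(" ")
  end
  out
end

begin
  require "loofah" # the HTML library rails-html-sanitizer builds on
rescue LoadError
  # Without the gem only the pure policy above is available.
end

if defined?(Loofah)
  # The scrubber receives a whole node, so target and rel are judged together
  # instead of attribute by attribute.
  def link_target_scrubber(strict: false)
    Loofah::Scrubber.new do |node|
      next unless node.element? && LINK_TAGS.include?(node.name)
      before = node.attribute_nodes.to_h { |a| [a.name, a.value] }
      after = harden_link_attrs(before, strict: strict)
      (before.keys - after.keys).each { |name| node.remove_attribute(name) }
      after.each { |name, value| node[name] = value unless before[name] == value }
    end
  end

  def scrub_links(html, strict: false)
    Loofah.fragment(html).scrub!(link_target_scrubber(strict: strict)).to_s
  end

  # Constructed sample input.
  puts scrub_links('<a href="https://example.test/" target="_blank">docs</a>')
end
```

A scrubber passed to Rails' `sanitize(html, scrubber: ...)` replaces the default allowlist pass rather than adding to it, so apply this as an extra pass over output that has already been sanitized with `rel` and `target` permitted.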