From 9095a99125c3fe60b17ed5f7b027004b7f869c29 Mon Sep 17 00:00:00 2001
From: Fabien Quatravaux <fabien.quatravaux@riseup.net>
Date: Sat, 2 Jan 2021 04:35:05 +0100
Subject: [PATCH] [fix #1467] Make sure target attribute is kept after
 DOMPurify sanitization

---
 src/core/render/index.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/core/render/index.js b/src/core/render/index.js
index 468e281a9..f9a75a09d 100644
--- a/src/core/render/index.js
+++ b/src/core/render/index.js
@@ -330,7 +330,10 @@ export function renderMixin(proto) {
           },
           tokens => {
             html = this.compiler.compile(tokens);
-            html = this.isRemoteUrl ? DOMPurify.sanitize(html) : html;
+            // add "target" attribute to DOMPurify white list to handle external links
+            html = this.isRemoteUrl
+              ? DOMPurify.sanitize(html, { ADD_ATTR: ['target'] })
+              : html;
             callback();
             next();
           }