[Question]: Target "_blank" disapeared on hyperlinks in popups

[xavyeah39]

What is the question? (in English)

Hi,
After upgrading from 3.7.10 to 3.8.0, , I am surprised to notice that with hyperlinks added in several popup fields, the target="_blank" attribute is no longer interpreted in LWC.
Linked pages now opens in the same tab as LWC even if the target="_blank" attribute is clearly specified in the tags (either in the popup tooltips or directly in the value of the field used to display hyperlinks). Anyway, target="_blank" attribute is not present in tags when I analyse source code in the browser console...

Exemple of a field content used to display hyperlinks in Popup :

<a target="_blank" href="https://mydomain.fr/media/photo1.jpg"> Photo 1 </a>
<br> 
<a target="_blank" href="https://mydomain.fr/media/photo2.jpg"> Photo 2 </a> 
<br> 
<a target="_blank" href="https://mydomain.fr/media/photo3.jpg"> Photo 3 </a>

After downgrading to 3.7.10, target="_blank" attribute is back and functional.
Any other similar feddbacks about this ?
Thanks !

Versions, safeguards, check summary etc

Versions :

• Lizmap Web Client : 3.8.0
• Lizmap plugin : 4.3.21
• QGIS Desktop : 3.34.10
• QGIS Server : 3.34.10
• Py-QGIS-Server : 1.8.8
• QGIS Server plugin atlasprint : 3.4.1
• QGIS Server plugin cadastre : 1.20.0
• QGIS Server plugin lizmap_server : 2.10.0
• QGIS Server plugin wfsOutputExtension : 1.8.2

List of safeguards :

• Mode : normal
• Allow parent folder : no
• Prevent other drive : yes
• Prevent PG service : no
• Prevent PG Auth DB : yes
• Force PG user&pass : yes
• Prevent ECW : yes

Check Lizmap plugin

• I have done the step just before in the Lizmap QGIS desktop plugin before opening this ticket. Otherwise, my ticket is not considered valid and might get closed.

Operating system

Debian, Ubuntu

Browsers

Firefox, Chrome

Browsers version

Chromium 121, Firefox 128

Relevant log output

No response

[nworr]

Quick guess, the popup content is "sanitized" to increase security
the DOMpurify library drop the target attribute since [https://developer.chrome.com/docs/lighthouse/best-practices/external-anchors-use-rel-noopener]( it's considered unsafe).

target may be kept by allowing it ? cure53/DOMPurify#317 (comment)

[mdouchin]

I would propose indeed to add target in the allowed attributes. We could implement a specific web component to replace these anchor with target blank in the future.

[Gustry]

We could implement a specific web component to replace these anchor with target blank in the future.

Nice idea as well, a good proposal, with a Javascript magnifier, like on X when clicking on a picture to check if Lizmap is used on these big screens :)

https://twitter.com/PompiersHerault/status/1826339477163503735 :)

[xavyeah39]

Thanks for your feedback !

Yes it would be nice to be able to keep the use of target which is rather appreciated by users to link external content to popups.

[nboisteault]

Thanks for reporting. Fix in progress.
Note that rel="noopener" should be used along with target="_blank".
Ref: https://developer.chrome.com/docs/lighthouse/best-practices/external-anchors-use-rel-noopener

[nboisteault]

Followup: rel="noopener" should only be used for legacy browsers.
Search for target="_blank" implies rel="noopener" behavior in https://developer.mozilla.org/fr/docs/Web/HTML/Element/a#browser_compatibility to know browser compatibility.