Remove rel and target from outgoing links (#891)

<!-- Please read
https://github.com/SableClient/Sable/blob/dev/CONTRIBUTING.md before
submitting your pull request -->

### Description

<!-- Please include a summary of the change. Please also include
relevant motivation and context. List any dependencies that are required
for this change. -->

Removes rel and target attributes from outgoing links

#### Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] This change requires a documentation update

### Checklist:

- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings

### AI disclosure:

- [ ] Partially AI assisted (clarify which code was AI assisted and
briefly explain what it does).
- [ ] Fully AI generated (explain what all the generated code does in
moderate detail).
<!-- Write any explanation required here, but do not generate the
explanation using AI!! You must prove you understand what the code in
this PR does. -->

Author: 7w1

.changeset/fix-remove-rel-target-outgoing-links.md

@@ -0,0 +1,5 @@
+---
+default: patch
+---
+
+Remove target and rel attributes from outgoing html links.

src/app/components/editor/output.ts

@@ -82,7 +82,7 @@ const elementToCustomHtml = (
     case BlockType.Link:
       return testMatrixTo(node.href)
         ? sanitizeText(node.href)
-        : `<a href="${encodeURI(node.href)}" target="_blank" rel="noreferrer noopener">${children}</a>`;
+        : `<a href="${encodeURI(node.href)}">${children}</a>`;
     case BlockType.Command:
       return `/${sanitizeText(node.command)}`;
     default:

src/app/plugins/markdown/markdownToHtml.test.ts

@@ -35,6 +35,8 @@ describe('markdownToHtml', () => {
   it('converts links', () => {
     const result = markdownToHtml('[link](https://example.com)');
     expect(result).toContain('<a href="https://example.com"');
+    expect(result).not.toContain('target=');
+    expect(result).not.toContain('rel=');
   });
 
   it('converts spoiler syntax', () => {

src/app/plugins/markdown/markdownToHtml.ts

@@ -154,12 +154,8 @@ export function markdownToHtml(markdown: string, options?: MarkdownToHtmlOptions
 
   const allowlistedHtml = escapeNonAllowlistedHtmlTags(unescapedInline);
 
-  // Force all links to open in a new tab, validate <ol start>.
+  // Validate <ol start> after sanitization.
   DOMPurify.addHook('afterSanitizeAttributes', (node) => {
-    if (node.tagName === 'A' && node.getAttribute('href')) {
-      node.setAttribute('target', '_blank');
-      node.setAttribute('rel', 'noreferrer noopener');
-    }
     if (node.tagName === 'OL') {
       const start = node.getAttribute('start');
       if (start !== null && !ORDERED_LIST_START_REGEX.test(start)) {
@@ -177,8 +173,6 @@ export function markdownToHtml(markdown: string, options?: MarkdownToHtmlOptions
       'title',
       'height',
       'width',
-      'target',
-      'rel',
       'data-mx-emoticon',
       'data-mx-spoiler',
       'data-mx-maths',
@@ -194,9 +188,8 @@ export function markdownToHtml(markdown: string, options?: MarkdownToHtmlOptions
     // Ensure these safe attrs survive sanitization even when the input HTML
     // originates from markdown-embedded tags (e.g. custom emoji <img>).
     // `start` must be URI-safe or DOMPurify drops it when ALLOWED_URI_REGEXP is set.
-    ADD_ATTR: ['target', 'rel', 'height', 'width'],
+    ADD_ATTR: ['height', 'width'],
     ADD_URI_SAFE_ATTR: ['start'],
-    // Force all links to have safe rel attribute
     FORCE_BODY: false,
     ALLOWED_URI_REGEXP: /^(?:https?|ftp|mailto|magnet|mxc):/i,
   });

src/app/utils/sanitize.test.ts

@@ -53,8 +53,8 @@ describe('sanitizeCustomHtml', () => {
     expect(result).toContain('data-mx-maths="x"');
     expect(result).toContain('data-md="**"');
     expect(result).toContain('href="https://example.com"');
-    expect(result).toContain('target="_blank"');
     expect(result).toContain('data-md="[]()"');
+    expect(result).not.toContain('target=');
     expect(result).not.toContain('rel=');
     expect(result).toContain('<ol start="2" data-md="1.">');
     expect(result).not.toContain('type=');

src/app/utils/sanitize.ts

@@ -46,7 +46,7 @@ const permittedHtmlTags = [
 
 const permittedTagToAttributes = {
   span: ['data-mx-bg-color', 'data-mx-color', 'data-mx-spoiler', 'data-mx-maths', 'data-md'],
-  a: ['target', 'href', 'data-md'],
+  a: ['href', 'data-md'],
   img: ['width', 'height', 'alt', 'title', 'src', 'data-mx-emoticon'], // data-mx-emoticon is for MSC2545
   ol: ['start', 'data-md'],
   ul: ['data-md'],