From 6babf1681e6e801671480689da2e1fe51fd4567d Mon Sep 17 00:00:00 2001
From: antoine
Date: Fri, 12 Dec 2025 14:18:57 +0100
Subject: [PATCH] allow `a` target + ensure noopener

---
 resources/js/utils/sanitize.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/resources/js/utils/sanitize.ts b/resources/js/utils/sanitize.ts
index 2dc160d3f..18a6b2ddf 100644
--- a/resources/js/utils/sanitize.ts
+++ b/resources/js/utils/sanitize.ts
@@ -1,9 +1,16 @@
 import DOMPurify from 'dompurify';
 
+DOMPurify.addHook('afterSanitizeAttributes', function (node) {
+ if (node.tagName === 'A' && !node.getAttribute('rel')?.includes('noopener')) {
+ node.setAttribute('rel', `${node.getAttribute('rel') ?? ''} noopener`.trim());
+ }
+});
+
 export function sanitize(html: string | null) {
 return html
 ? DOMPurify.sanitize(html, {
 ADD_TAGS: ['iframe'],
+ ADD_ATTR: ['target'],
 CUSTOM_ELEMENT_HANDLING: {
 tagNameCheck: () => true,
 attributeNameCheck: (name) => {
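Review bot: The `includes('noopener')` test in the new hook is a substring match on the raw `rel` value, so sanitized markup that carries a look-alike token such as `rel="x-noopener"` passes the check and never receives a real `noopener` token. The hook is also limited to `node.tagName === 'A'`, while `ADD_ATTR: ['target']` permits `target` on every element the sanitizer keeps; `area` and `form` would be skipped if the configuration lets them through, and an SVG `a` reports a lowercase `tagName`, so it appears to be skipped as well. Comparing whitespace-separated tokens case-insensitively and keying on the presence of `target` as well as the tag closes both gaps. Current browsers generally imply `noopener` for `target="_blank"`, so the explicit token matters mostly for older engines and embedded webviews. The `sanitize` body continues past the end of the hunk.

```typescript
DOMPurify.addHook('afterSanitizeAttributes', function (node) {
    // Cover any element that kept `target`, plus HTML and SVG anchors.
    if (!node.hasAttribute('target') && node.tagName.toLowerCase() !== 'a') {
        return;
    }
    const relTokens = (node.getAttribute('rel') ?? '').split(/\s+/).filter(Boolean);
    if (!relTokens.some((token) => token.toLowerCase() === 'noopener')) {
        node.setAttribute('rel', [...relTokens, 'noopener'].join(' '));
    }
});
```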