diff --git a/parser_rules/advanced.js b/parser_rules/advanced.js
index bcbea6bc..ef12a5a7 100644
--- a/parser_rules/advanced.js
+++ b/parser_rules/advanced.js
@@ -99,7 +99,8 @@ var wysihtml5ParserRules = {
 * - src: allows something like "/foobar.jpg", "http://google.com", ...
 * - href: allows something like "mailto:bert@foo.com", "http://google.com", "/foobar.jpg"
 * - alt: strips unwanted characters. if the attribute is not set, then it gets set (to ensure valid and compatible HTML)
- * - numbers: ensures that the attribute only contains numeric characters
+ * - numbers: ensures that the attribute only contains numeric characters
+ * - preserve: keep the current value in the property.
 */
 "tags": {
 "tr": {
@@ -180,11 +181,11 @@ var wysihtml5ParserRules = {
 },
 "a": {
 "check_attributes": {
+ "target": "preserve", // If a user specifies a target, we should keep it that way.
 "href": "url" // if you compiled master manually then change this from 'url' to 'href'
 },
 "set_attributes": {
 "rel": "nofollow",
- "target": "_blank"
 }
 },
 "img": {
diff --git a/parser_rules/simple.js b/parser_rules/simple.js
index 63a2e8b4..68be60ab 100644
--- a/parser_rules/simple.js
+++ b/parser_rules/simple.js
@@ -21,10 +21,10 @@ var wysihtml5ParserRules = {
 li: {},
 a: {
 set_attributes: {
- target: "_blank",
 rel: "nofollow"
 },
 check_attributes: {
+ target: "preserve", // If a user specifies a target, we should keep it that way.
 href: "url" // important to avoid XSS
 }
 }
diff --git a/src/dom/parse.js b/src/dom/parse.js
index f7868f94..48edf064 100644
--- a/src/dom/parse.js
+++ b/src/dom/parse.js
@@ -423,6 +423,12 @@ wysihtml5.dom.parse = (function() {
 attributeValue = (attributeValue || "").replace(REG_EXP, "");
 return attributeValue || null;
 };
+ })(),
+
+ preserve: (function() {
+ return function(attributeValue) {
+ return attributeValue;
+ };
 })()
 };
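Review bot: In the `"a"` rule of parser_rules/advanced.js (hunk at -180), `"target": "preserve"` keeps whatever target the markup's author supplied, including `_top`, `_parent` or a named frame, while `set_attributes` still forces only `"rel": "nofollow"`. A preserved `target="_blank"` link can therefore leave `window.opener` reachable from the opened page in browsers that do not imply noopener, so I would set `"rel": "nofollow noopener noreferrer"` here and in the matching hunk of parser_rules/simple.js. Separately, removing `"target": "_blank"` leaves a trailing comma after `"rel": "nofollow",` in advanced.js, which older Internet Explorer versions reject in object literals. simple.js drops the comma, and this hunk should too.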
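Review bot: The new `preserve` checker in src/dom/parse.js returns the attribute value untouched, and nothing in the hunk limits which attributes a rule set may map to it, so a later `"style": "preserve"` or `"onclick": "preserve"` would silently switch off sanitisation for that attribute. Since the only use in this commit is `target`, I would narrow it to accept only `_blank`, `_self`, `_parent` and `_top`, returning `null` otherwise. Failing that, add a comment above it such as `// preserve: value is NOT filtered; never map URL, style or event-handler attributes to it`. The checker table that contains `preserve` begins outside the hunk, so how the returned value is written back to the element is not visible here.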