Allow target Attribute in Markdown Links for Opening Links in a New Tab

[Nuno23C]

Issue

When creating a dashboard and using Markdown to create a hyperlink (<a>), the target attribute is stripped, even if explicitly included in the raw Markdown input. This prevents the ability to use target="_blank" to open links in a new tab, which is a common use case in dashboards.

Upon reviewing the source code, the issue seems to originate from the following function. The target attribute for <a> tags is not currently included in the safe_markdown_attrs, causing it to be stripped during the sanitization process.

Proposed Solution

Add the target attribute to the allowed attributes for <a> tags in the safe_markdown_attrs:

    safe_markdown_attrs = {
        "img": {"src", "alt", "title"},
        "a": {"href", "alt", "title", "target"},
    }

Additionally, consider enforcing the use of rel="noopener noreferrer" for security purposes when target="_blank" is used.

[Doctor-Who]

Any news of that ? Will it be available in v5.0 ?

[sfirke]

Just so people know, you have long been able to enable this in your Superset config. It goes in HTML_SANITIZATION_SCHEMA_EXTENSIONS, under attributes. I use this in production. And rel="noopener noreferrer" is enforced universally across the application, at least in the latest version of Superset. That said, I am adding "target" to the baked-in list so that this will work out of the box in a future version of Superset: #39868