From 00c7bf69d92adb0a503a8168930ef2ebbf1f9d71 Mon Sep 17 00:00:00 2001 From: 4oo4 <4oo4@users.noreply.github.com> Date: Fri, 3 Jul 2026 17:41:40 +0000 Subject: [PATCH] Task notes - fix opening URLs in new window Add the target="_blank" back to the that is stripped out by DOMPurify. Set rel="nofollow noopener noreferrer" to harden against reverse tabnabbing Signed-off-by: 4oo4 <4oo4@users.noreply.github.com> Assisted-by: Claude:claude-opus-4-8 --- src/components/AppSidebar/NotesItem.vue | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/components/AppSidebar/NotesItem.vue b/src/components/AppSidebar/NotesItem.vue index 97aebf77a..6dced9b94 100644 --- a/src/components/AppSidebar/NotesItem.vue +++ b/src/components/AppSidebar/NotesItem.vue @@ -82,7 +82,7 @@ export default { .use(Mila, { attrs: { target: '_blank', - rel: 'nofollow', + rel: 'nofollow noopener noreferrer', }, }) .use(Mitl) @@ -104,7 +104,7 @@ export default { this.$refs.note__viewer.textContent = val.slice(0, MAX_NOTE_RENDER_SIZE) return } - this.$refs.note__viewer.innerHTML = DOMPurify.sanitize(this.md.render(val)) + this.$refs.note__viewer.innerHTML = DOMPurify.sanitize(this.md.render(val), { ADD_ATTR: ['target'] }) }) }, },