in OJS 3.1.2, links with target="_blank" in e.g. the footer are opening in a new window, but are opening in the current window in the announcements. allowed_html in config.inc.php includes a[href|target|title]
In OJS 3.3.0, HTML cannot be edited in the announcements, but when inserting a link, there is the option “new window” for the target. If I select this option, the link is still not opening in a new window.
Thanks for catching this - I think this is a bug. I tested this out with 3.3.0-8 and it does appear to be the case that it doesn’t open in a new window. I’ll run it by our developers to be sure, and then we’ll file a bug report for it.
Actually, it turns out I was wrong - it’s not a bug, but rather an issue with TinyMCE. I spoke with one of our team members who had this to say:
It’s actually not a bug, it’s default behaviour in TinyMCE now, because target=“_blank” is considered bad practice. To make this work you’ll need to edit your TinyMCE configuration and and add an extended_valid_elements parameter for the target attribute on anchor tags. bet that if you look at the HTML generated in your announcement, you can use other target attributes like _top just fine, but not _blank
I understand that it is an security issue, but the OJS behaviour is inconsistent. The new window links work in e.g. the footer, but not in the announcements (in OJS 3.1.2, OJS 3.3.0). In both cases, the TinyMCE is used.
In that case, it is probably related to whether or not the theme’s template escapes the value. In the footer.tpl, we do not escape the input because we trust the user and because the footer is often used to embed more JS components (eg - a Twitter feed). In the announcement_full.tpl it looks like we escape (strip_unsafe_html) the value.
As far as I can tell from a quick look at the code, the allowed_html config setting should let you define HTML tags/attributes that bypass this escaping if you wanted to allow target attributes in links. I haven’t tested though.