Hi,
in OJS 3.1.2, links with target="_blank" in e.g. the footer are opening in a new window, but are opening in the current window in the announcements. allowed_html in config.inc.php includes a[href|target|title]
In OJS 3.3.0, HTML cannot be edited in the announcements, but when inserting a link, there is the option “new window” for the target. If I select this option, the link is still not opening in a new window.
Regards,
Carola
Hi Carola,
Thanks for catching this - I think this is a bug. I tested this out with 3.3.0-8 and it does appear to be the case that it doesn’t open in a new window. I’ll run it by our developers to be sure, and then we’ll file a bug report for it.
-Roger
PKP Team
HI @carola,
Actually, it turns out I was wrong - it’s not a bug, but rather an issue with TinyMCE. I spoke with one of our team members who had this to say:
It’s actually not a bug, it’s default behaviour in TinyMCE now, because target=“_blank” is considered bad practice. To make this work you’ll need to edit your TinyMCE configuration and and add an extended_valid_elements parameter for the target attribute on anchor tags. bet that if you look at the HTML generated in your announcement, you can use other target attributes like _top just fine, but not _blank
-Roger
PKP Team
Hi everyone,
That was me that passed that on to Roger above, and Alec had the solution for this a few years ago.
Best
Jason
The reason this is disabled is because it can be a security and privacy risk when the URL that is opened is on a different site. If you trust the site you are linking to the risk is small. You can read more here: How to fix target=”_blank” links: a security and performance issue in web pages | by Ali Kamalizade | Sedeo | Medium
Thanks to everyone!
The solution in HTML purifier filters "target" atribute works for me.
I understand that it is an security issue, but the OJS behaviour is inconsistent. The new window links work in e.g. the footer, but not in the announcements (in OJS 3.1.2, OJS 3.3.0). In both cases, the TinyMCE is used.
Regards,
Carola
In that case, it is probably related to whether or not the theme’s template escapes the value. In the footer.tpl, we do not escape the input because we trust the user and because the footer is often used to embed more JS components (eg - a Twitter feed). In the announcement_full.tpl it looks like we escape (strip_unsafe_html) the value.
As far as I can tell from a quick look at the code, the allowed_html config setting should let you define HTML tags/attributes that bypass this escaping if you wanted to allow target attributes in links. I haven’t tested though.