[6.x] Avoid sanitizing target attribute in markdown() helper (#14221)

duncanmcclean · web-flow · commit 5dd6314b9284 · 2026-03-11T12:04:56.000-04:00
diff --git a/resources/js/util/markdown.js b/resources/js/util/markdown.js
@@ -15,6 +15,7 @@ export default function (markdown, options = {}) {
     }
 
     return DOMPurify.sanitize(
-        marked.parse(markdown, { renderer })
+        marked.parse(markdown, { renderer }),
+        { ADD_ATTR: ['target'] }
     );
 }

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ export default function (markdown, options = {}) {`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`return DOMPurify.sanitize(`
`18`		`- marked.parse(markdown, { renderer })`
	`18`	`+ marked.parse(markdown, { renderer }),`
	`19`	`+ { ADD_ATTR: ['target'] }`
`19`	`20`	`);`
`20`	`21`	`}`