
[4.x]: Bug: Craft w. Redactor is adding |target="_blank" rel="noreferrer noopener"| to links unwantedly

Open hiasl opened this issue 8 months ago • 0 comments

What happened?

Description

We discovered that Craft 4 with Redactor fields (RF) is adding target="_blank" rel="noreferrer noopener" unwantedly and reproducibly to links (<a> tags) in 3 cases. Especially the target="_blank" is problematic, because it causes unwanted behavior.

In all cases we have the same "caption" field (=RF), we add text to the RF, select parts or all of the text and then add a link. We never tick the "open link in new tab" checkbox. The caption field is used in 4 variants for testing purposes: a.) as part of the entry type, b.) as a field on the asset/image, c.) as a matrix block and d.) as a neo block.

3 Cases where the bug happens:

  1. when the link is added in a slideout, e.g. the RF is on an image and it is modified from within an entry by doubleclicking a reference to the asset. After saving (closing the slideout) and reopening the slideout by doubleclicking, the link now contains the unwanted code.
  2. when Craft is automatically saving the RFs content in the background while editing other fields
  3. when adding a link in the RF and completing the process by hitting ENTER instead of clicking the "save" button in the link modal of the RF

My assumptions:

  • Case 1 and 2 are maybe happening due to some purifying in the process of AJAX saving
  • Case 3 might be in the Redactor plugin, but could maybe also be caused by the AJAX saving

Steps to reproduce

To make it easier to reproduce, I prepared a DDEV package for download, which has everything ready to be tested.

Download: https://drive.google.com/file/d/1_TkBVZ8yrjHsTgdL5MuhOz9C1j9774cH/view?usp=drive_link

It extracts with a folder "craft4/" and Craft inside. There is 1 SQL dump in /storage/backups/ which needs to be restored, afterwards it should work. Login is admin / 123456

Case 1:

  1. Open the only entry in my test DDEV project in edit mode.
  2. Doubleclick the asset reference, the slideout will appear
  3. Add text to the caption RF, select the text, add a link to it with the link function of RF
  4. Check the HTML of the caption field - the unwanted code is not there
  5. Save the slideout - it closes
  6. Reopen the slideout by doubleclicking the asset reference again
  7. Check the HTML, now the unwanted code is there

Interestingly, the code IS NOT added if the asset is edited and saved directly from within the Assets section of the CP. It only happens in the slideout.

Case 2:

  1. Open the only entry in my test DDEV project in edit mode.
  2. Add text with link to the first caption field. Do close the modal by clicking the "save" button, DO NOT HIT ENTER
  3. Show HTML of the RF and see the link code without the _blank/noreferrer/noopener.
  4. Keep the HTML view of the first RF open
  5. Now click into the RF within the matrix field and start typing there.
  6. Watch the HTML of the first RF change as it receives the unwanted code

Case 3:

  1. Open the only entry in my test DDEV project in edit mode.
  2. Insert text into the first RF, make it a link and DO CLOSE the link modal by hitting enter
  3. Show HTML of the RF and already see the unwanted code there

Expected behavior

The code / the attributes target="_blank" rel="noreferrer noopener" should only be added if the checkbox "open link in new window" is actually checked.

Actual behavior

The code / the attributes target="_blank" rel="noreferrer noopener" gets added unwantedly and reproducibly

Craft CMS version

4.15.6.1 (also tested with newest version)

PHP version

8.3

Operating system and version

DDEV

Database type and version

MySQL 8

Image driver and version

No response

Installed plugins and versions

  • Redactor
  • Neo

hiasl, Jun 06 '25 06:06
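
The "check the HTML before and after saving" step used in the three cases can be scripted to show exactly which link attributes a save introduced. This is an added example, not part of the original issue and not Craft or Redactor code: the function names and the two sample snapshots are constructed, and links are paired by position.

```python
from html.parser import HTMLParser


class AnchorCollector(HTMLParser):
    """Collect the attributes of every <a> tag, in document order."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # Valueless attributes arrive as None; normalise to "".
            self.anchors.append({k: (v or "") for k, v in attrs})


def anchors(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def added_link_attrs(before, after):
    """Return [(href, {attr: value})] for attributes that appear or change
    on a link between two snapshots of the same field.

    Assumption: the save did not add, remove or reorder links, so links
    can be paired by position (true for the reproduction steps above).
    """
    old, new = anchors(before), anchors(after)
    if len(old) != len(new):
        raise ValueError("link count changed; snapshots are not comparable")
    findings = []
    for a, b in zip(old, new):
        changed = {k: v for k, v in b.items() if a.get(k) != v}
        if changed:
            findings.append((b.get("href", ""), changed))
    return findings


# Constructed sample snapshots of a caption field (not from the issue's package).
BEFORE = '<p>See <a href="https://example.com/a">the docs</a> and <a href="/local">this page</a>.</p>'
AFTER = ('<p>See <a href="https://example.com/a" target="_blank" rel="noreferrer noopener">the docs</a>'
         ' and <a href="/local">this page</a>.</p>')

if __name__ == "__main__":
    for href, attrs in added_link_attrs(BEFORE, AFTER):
        print(href, attrs)
```

Paste the field's HTML view from before the save into `BEFORE` and from after the save (or after the background autosave) into `AFTER` to apply it to a real field.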