From aa4ff472088e5d347efd061380766bb70c6c4b8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matt=20Marjanovi=C4=87?=
Date: Fri, 6 Jan 2023 05:18:35 -0800
Subject: [PATCH] FEATURE: Allow `target` attribute in links in user_field descriptions (#19102)

This change adds `target` to the set of attributes allowed by the HTML sanitizer which is applied to the description of a user_field.

The rationale for this change:

* If one puts a link (...) in the description of a user_field that is present and/or required at sign-up, the expectation is that a prospective new user will click on that link during sign-up.
* Without an appropriate `target` attribute on the link, the new page will be loaded in the same window/tab as the sign-up form, but this will obliterate any fields that the user had already filled-out on the form. (E.g., hitting the back-button will return to an empty form.)
* Such UX behavior is incredibly aggravating to new users.

This change allows an admin to add a `target` attribute to links, to instruct the browser to open them in a different window/tab, leaving a sign-up form intact.
---
 app/models/user_field.rb | 2 +-
 spec/models/user_field_spec.rb | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/app/models/user_field.rb b/app/models/user_field.rb
index ea8330cc69b..a872af740f5 100644
--- a/app/models/user_field.rb
+++ b/app/models/user_field.rb
@@ -28,7 +28,7 @@ class UserField < ActiveRecord::Base
 def sanitize_description
 if description_changed?
- self.description = sanitize_field(self.description)
+ self.description = sanitize_field(self.description, additional_attributes: ['target'])
 end
 end
 end
diff --git a/spec/models/user_field_spec.rb b/spec/models/user_field_spec.rb
index e93c956bed1..ad81162d792 100644
--- a/spec/models/user_field_spec.rb
+++ b/spec/models/user_field_spec.rb
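Review bot: The `+` line in `sanitize_description` admits every value of `target`, not just `_blank`, and it admits it without a paired `rel="noopener"`, so in browsers that do not imply `noopener` for `target="_blank"` the linked page receives a `window.opener` handle to the sign-up form (reverse tabnabbing). Current browsers do imply it, but this sanitizer is the only control on the stored markup, so the allow-list should be the place that pins the safe shape rather than relying on the client. If `sanitize_field` cannot restrict attribute values (not visible in this hunk), a post-sanitize pass that sets `rel="noopener"` on any `<a>` carrying `target` would give the same guarantee; `additional_attributes: ['target', 'rel']` would then be the matching allow-list. A one-line comment above the call, `# `target` is allowed so admins can open sign-up links in a new tab; keep `rel=noopener` in step`, would record why the attribute is on the list.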
@@ -19,4 +19,13 @@ RSpec.describe UserField do
 expect(user_field.description).to eq("click me!alert('TEST');")
 end
+
+ it 'allows target attribute in the description' do
+ link = "elsewhere"
+ user_field = Fabricate(:user_field)
+
+ user_field.update!(description: link)
+
+ expect(user_field.description).to eq(link)
+ end
 end
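Review bot: As rendered, `link = "elsewhere"` holds no markup, so the new example only asserts that a plain string survives sanitization and never exercises `target`; the anchor tags were presumably stripped when this patch was extracted, since the neighbouring expectation likewise shows `alert('TEST');` with its script wrapper missing, so treat the literal as needing confirmation against the real file. Even with the intended `<a ... target="_blank">` literal, the example proves only the positive case; a companion assertion that an attribute outside the allow-list is still removed from the same link would pin that `target` is the sole addition, and an assertion on the `rel` attribute would document whatever opener policy the model is meant to enforce. The enclosing `RSpec.describe UserField do` block begins outside this hunk.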