While reviewing the source code, I found that the href target="_blank" attribute is used 102 times.

Unsure www.limesurvey.org is an untrusted target?

I didn't set as private since it's included in core and not a way to add such link by simple user of limesurvey instance.

Correct, I should have used a different example URL.

Understood, so an attacker's URL would need to be approved and merged.

Understood, so an attacker's URL would need to be approved and merged.

I think XSS settings are not OK currently ?
A simple admin user can add a link without rel=noopener

It can be set in htmlsantizer

My opinion about such attacks (XSS and related)

• Super admin: don't care. They already have all permissions on the all admin user
• User allowed to update theme: they can do anything in JS : don't care
• User allowed to upload plugins: don't care
• Simple admin user with XSS enabled: there is an issue
• External user : big big issue !

We should probably restrict target for simple admin.
I tested on my local with simple admin, XSS enabled and created a link to google in question text.

Screenshot 2026-01-05 at 15.12.32.png (87,232 bytes)   

Screenshot 2026-01-05 at 15.12.32.png (87,232 bytes)   

OK

I tested on my local with simple admin, XSS enabled and created a link to google in question text.

No !!!

Add rel="noreferrer noopener" is the way to do.

PS :

then they could read or modify certain properties of the window.opener object, including the location property

I think it's false with major browsers now, see https://developer.mozilla.org/en-US/docs/Web/API/Window/opener

Windows opened because of links with a target of _blank don't get an opener, unless explicitly requested with rel=opener.

then: really low issue

https://github.com/LimeSurvey/LimeSurvey/pull/4652

@tibor.pacalat : there are no issue currently : already added by default by htmlpurifier (default is true) we just unsure it stay true;