diff --git a/packages/app-cli/tests/md_to_html/sanitize_22.html b/packages/app-cli/tests/md_to_html/sanitize_22.html
index d48d126a75..70905d2f19 100644
--- a/packages/app-cli/tests/md_to_html/sanitize_22.html
+++ b/packages/app-cli/tests/md_to_html/sanitize_22.html
@@ -1,2 +1,3 @@
-
-
\ No newline at end of file
+
+
+
diff --git a/packages/app-cli/tests/md_to_html/sanitize_22.md b/packages/app-cli/tests/md_to_html/sanitize_22.md
index 2434f9a343..1bfe28fc97 100644
--- a/packages/app-cli/tests/md_to_html/sanitize_22.md
+++ b/packages/app-cli/tests/md_to_html/sanitize_22.md
@@ -1,3 +1,5 @@
-
\ No newline at end of file
+
+
+
diff --git a/packages/renderer/htmlUtils.ts b/packages/renderer/htmlUtils.ts
index 0ff2f4a3d4..b7eee02316 100644
--- a/packages/renderer/htmlUtils.ts
+++ b/packages/renderer/htmlUtils.ts
@@ -285,6 +285,20 @@ class HtmlUtils {
attrs = { ...attrs };
+ // Allowing the 'name' attribute allows an attacker to overwrite
+ // DOM methods (e.g. getElementById) with elements.
+ if ('name' in attrs) {
+ const oldName = attrs['name'];
+ delete attrs['name'];
+
+ // For compatibility reasons, support rewriting name= as id=.
+ // This allows internal links specified with name="target" to continue
+ // to work.
+ if (!('id' in attrs)) {
+ attrs['id'] = oldName;
+ }
+ }
+
// Remove all the attributes that start with "on", which
// normally should be JavaScript events. A better solution
// would be to blacklist known events only but it seems the
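Review bot: The compatibility branch at L37–L39 copies the attacker-controlled `name` value into an `id` attribute unchanged, and `id` values are themselves exposed as named properties on `window` (an element with `id="config"` shadows an undeclared `window.config` lookup), so the rewrite moves DOM clobbering from `document` to `window` rather than removing it, and a promoted id can also collide with ids the host page relies on. If the shim is kept for internal links, I would restrict which names are promoted and state the residual risk: `// name= is promoted to id= only for internal-link compatibility; id= still creates a window named property, so accept plain identifiers only` followed by `if (!('id' in attrs) && /^[A-Za-z][\w.:-]*$/.test(String(oldName))) attrs['id'] = oldName;`. Whether an existing `id` attribute is validated elsewhere in this function is not visible in the hunk; the enclosing method starts before and ends after it.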
@@ -308,12 +322,6 @@ class HtmlUtils {
attrs['href'] = '#';
}
- // Allowing the 'name' attribute allows an attacker to overwrite
- // DOM methods (e.g. getElementById) with elements.
- if ('name' in attrs) {
- delete attrs['name'];
- }
-
// We need to clear any such attribute, otherwise it will
// make any arbitrary link open within the application.
if ('data-from-md' in attrs) {