This change replaces the navigable target name (which is usually set by the `target` attribute) with `_blank` if it contains dangling markup (i.e. `\n` and `<`). This fixes a bypass in the dangling markup injection mitigation.
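The rule above can be modelled in a few lines. This is an added example, not Blink's code: the function names and sample target names are constructed for illustration, and the handling of keywords and of the name a new navigable carries is a simplified assumption.

```javascript
// Added illustration: a simplified model of the rule, not Blink's code.

// Keywords that reuse an existing navigable instead of opening a new one.
const REUSE_KEYWORDS = new Set(['_self', '_parent', '_top']);

// True when the name holds both markers the text names: "\n" and "<".
function hasDanglingMarkup(name) {
  return name.includes('\n') && name.includes('<');
}

// Target name actually used for the navigation once the rule is applied.
function effectiveTargetName(name) {
  return hasDanglingMarkup(name) ? '_blank' : name;
}

// Name carried by a newly opened navigable, or null when an existing one
// is reused. Model assumption: "_blank" opens an unnamed navigable and
// any other non-keyword name is kept verbatim.
function resultingNavigableName(name) {
  const effective = effectiveTargetName(name);
  const keyword = effective.toLowerCase();
  if (effective === '' || REUSE_KEYWORDS.has(keyword)) return null;
  return keyword === '_blank' ? '' : effective;
}

// Report, per target name, whether the rule rewrites it.
function auditTargetNames(names) {
  return names.map((name) => ({
    name,
    effective: effectiveTargetName(name),
    rewritten: effectiveTargetName(name) !== name,
  }));
}

// Constructed sample target names (not taken from real pages).
const SAMPLES = [
  'reportFrame',                  // ordinary name: kept
  'line one\nline two',           // newline only: kept
  'a<b',                          // "<" only: kept
  'note\n<p>account: 1234</p>',   // newline and "<": rewritten
  '_SELF',                        // keyword: reuses current navigable
];

for (const row of auditTargetNames(SAMPLES)) {
  console.log(JSON.stringify(row.name), '->', JSON.stringify(row.effective));
}
```

Only the fourth sample is rewritten, so the markup it swallowed never becomes the name of the newly opened navigable.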
Blink shipped a mitigation for the dangling markup injection attack[1] a while back. However, it was discovered that the mitigation can be bypassed through the target name[2]. Usage of such target names in navigations is low (~0.000007%)[3]. Therefore, this change removes the limitation discovered in the previous mitigation.

[1] https://chromestatus.com/feature/5735596811091968
[2] https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup
[3] https://chromestatus.com/metrics/feature/timeline/popularity/4493