WebUI: allow target="_blank" by default in parseHtmlSubset().

ui/webui/resources/js/parse_html_subset.js

Index: ui/webui/resources/js/parse_html_subset.js
diff --git a/ui/webui/resources/js/parse_html_subset.js b/ui/webui/resources/js/parse_html_subset.js
index 3817b49ceb915f0837bcc8c9aede7a1492a7faec..ff0df052be215c3c56b12e131cb3d9a80a6daacf 100644
--- a/ui/webui/resources/js/parse_html_subset.js
+++ b/ui/webui/resources/js/parse_html_subset.js
@@ -22,12 +22,10 @@ var parseHtmlSubset = (function() {
           value.indexOf('https://') == 0);
     },
     'target': function(node, value) {
-      // Allow a[target] but reset the value to "".
-      if (node.tagName != 'A')
-        return false;
-      node.setAttribute('target', '');
-      return true;
-    }
+      // Only allow a[target='_blank'].
+      // TODO(dbeam): are there valid use cases for target != '_blank'?
+      return node.tagName == 'A' && value == '_blank';
+    },
   };
 
   /**