Why does Shopify alter my custom HTML and CSS for new window links?

Technical Q&A
, ,

Topic summary

Shopify automatically adds a data-sanitized- prefix to certain HTML attributes like target="_blank" and rel="noopener noreferrer" when users save custom HTML/CSS code, breaking the intended functionality of opening links in new windows.

Affected attributes include:

  • target="_blank"
  • data-toggle and data-target (for modals)
  • aria-labelledby and aria-hidden

Root causes identified:

  • Shopify intentionally sanitizes these attributes for security reasons to prevent phishing attacks (confirmed by support)
  • Sometimes caused by missing quotation marks in earlier code sections

Workarounds:

  • Add rel="noopener" after target="_blank" to prevent sanitization
  • Use JavaScript to restore the target="_blank" attribute after page load by selecting all a[data-sanitized-target="_blank"] elements and re-applying the attribute
  • Check for syntax errors like missing quotes

Status: Shopify support confirmed this is intended behavior and will not be changed. The issue remains unresolved at the platform level, requiring developers to implement workarounds.

Summarized with AI on October 28. AI used: claude-sonnet-4-5-20250929.
1

I am using the Dawn theme up to date and have written custom HTML and CSS on one of my pages.

I simply wanted my buttons to open in a new window so I added the attribute “target=_blank”. After saving, shopify automatically added this

data-sanitized-

to my target attribute (see below) rendering it useless and my links still opening in the same tab. It also removed the rel=“noopener noreferrer” attribute I had added after target=“_blank” for good measure.

Google Maps Link

Why is this happening and how do I get shopify to stop?

1 Like
2

Same thing is happening to me. Must be a glitch with shopify. It’s actually adding “data-sanitized-” to a lot of things. This is causing some things to break (example: target=“_blank”) and others still work as they should.

Upon save this is a snip of our code:

Read Bio
3

Same thing here. All my codes are infected with “data-sanitized-” which is affecting the behaviour of my attributes (especially the target attribute)! No matter how much I clear the code, this reappears every time I save my page. Hoping that Shopify fixes this soon…

4

Same issue here

5

I’m not sure if you were able to solve it on your own, but I found that adding rel=“noopener” after target=“_blank” worked for the links on the page I was trying to keep from being data-sanitized.

1 Like
6

I had this issue and it turned out to be a missing quotation mark in an earlier part of my script.

7

I just asked the Shopify support. It’s intended and they don’t want to change the behavior:

Thank you for your patience! I have reviewed this with the team and as it turns out, Shopify does sanitize certain HTML attributes, including “target=”_blank", for security reasons to minimize potential risks such as phishing attacks. Unfortunately, there is no direct solution for this within the Shopify platform. If you need a link to open in a new tab, you could suggest users to right-click the link and select “Open link in new tab” as an alternative.

8

You can easily solve that by adding this snippet of javascript-code into your theme (or liquid file “main-article.liquid”)

<script>
document.addEventListener('DOMContentLoaded', function (event) {
let aElements = document.querySelectorAll('a[data-sanitized-target="_blank"]');
aElements.forEach((eElem) => {
eElem.setAttribute('target', '_blank');
});
});

</script>

What this script does?

After the page has loaded if finds all the links that have the attribute target=“_blank” (which was changed by Shopify internally).

In the loop, it sets a new attribute target=“_blank”.

Let me know if you need help by that.

1 Like
9

Hi Tobi

The code helped stop target=“_self” changing to target=“_blank” automatically on page loading. I changed…

data-sanitized-target="_blank" to target="_blank"

and 'target', '_blank' to 'target', '_self'

…thanks for your help with the code.