Missing noreferrer noopener on external links
In sao, the widget URL, which may contain external URLs, does not set noreferrer noopener like it is advised on MDN[1].
A crafted URL opened from this widget may take control of the page where sao is running and steal information like session.
So I think we should always set the recommended attribute for all href pointing to external resources.
[1] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#attr-target