Settings: Add unsaved changes warning and fix link accessibility.

Implement a JS-based beforeunload warning that alerts users when they attempt to navigate away from settings pages with unsaved changes. The warning:
- Only triggers when actual form changes exist (via serialize comparison)
- Handles all navigation scenarios (internal links, back/forward, tab close)
- Does NOT fire for new-tab links (which don't unload the current page)
- Suppresses warning on intentional form submission (Save Changes)
- Preserves browser bfcache by lazy-attaching beforeunload only after first user change

Additionally, fix inconsistent link accessibility across settings pages:
- Remove target="_blank" from internal admin links (e.g., moderation queue in Discussion Settings)
  to restore user control and rely on the new unsaved-changes warning for protection
- Add target="_blank" + accessibility indicators to external documentation/preview links
  following WordPress canonical pattern (visual icon + screen-reader text)
- Add rel="noopener noreferrer" for security on all new-tab links
- Ensure consistent behavior across General, Discussion, Reading, Writing, Permalink, and Privacy pages

Files modified:
- src/js/_enqueues/admin/settings.js: New module with beforeunload handler and lazy attachment
- src/wp-admin/options-head.php: Enqueue settings.js on all settings pages
- src/wp-includes/script-loader.php: Register settings script handle
- src/wp-admin/options-*.php: Update 9 link instances across 6 settings pages
- Gruntfile.js: Add build entries for new settings.js module
- tests/qunit/: Add QUnit tests for beforeunload behavior

Props: Accessibility review team, WordPress core team
Fixes: #64623 (Prevent losing data when clicking links on Settings pages)

Author: vidushigupta0607

Gruntfile.js

@@ -450,6 +450,7 @@ module.exports = function(grunt) {
 					[ WORKING_DIR + 'wp-admin/js/site-health.js' ]: [ './src/js/_enqueues/admin/site-health.js' ],
 					[ WORKING_DIR + 'wp-admin/js/site-icon.js' ]: [ './src/js/_enqueues/admin/site-icon.js' ],
 					[ WORKING_DIR + 'wp-admin/js/privacy-tools.js' ]: [ './src/js/_enqueues/admin/privacy-tools.js' ],
+					[ WORKING_DIR + 'wp-admin/js/settings.js' ]: [ './src/js/_enqueues/admin/settings.js' ],
 					[ WORKING_DIR + 'wp-admin/js/theme-plugin-editor.js' ]: [ './src/js/_enqueues/wp/theme-plugin-editor.js' ],
 					[ WORKING_DIR + 'wp-admin/js/theme.js' ]: [ './src/js/_enqueues/wp/theme.js' ],
 					[ WORKING_DIR + 'wp-admin/js/updates.js' ]: [ './src/js/_enqueues/wp/updates.js' ],
@@ -1193,6 +1194,7 @@ module.exports = function(grunt) {
 					'src/wp-admin/js/theme.js': 'src/js/_enqueues/wp/theme.js',
 					'src/wp-admin/js/updates.js': 'src/js/_enqueues/wp/updates.js',
 					'src/wp-admin/js/user-profile.js': 'src/js/_enqueues/admin/user-profile.js',
+					'src/wp-admin/js/settings.js': 'src/js/_enqueues/admin/settings.js',
 					'src/wp-admin/js/user-suggest.js': 'src/js/_enqueues/lib/user-suggest.js',
 					'src/wp-admin/js/widgets/custom-html-widgets.js': 'src/js/_enqueues/wp/widgets/custom-html.js',
 					'src/wp-admin/js/widgets/media-audio-widget.js': 'src/js/_enqueues/wp/widgets/media-audio.js',

src/js/_enqueues/admin/settings.js

@@ -0,0 +1,50 @@
+/**
+ * Warns users about unsaved changes on settings pages.
+ *
+ * @output wp-admin/js/settings.js
+ * @since 6.9.0
+ */
+
+/* global wp */
+( function( $ ) {
+	var __ = wp.i18n.__;
+
+	// Target only the main settings form, not search or other forms.
+	var $form = $( 'form[action="options.php"]' );
+	var originalData;
+	var isSubmitting = false;
+
+	/**
+	 * Attaches the beforeunload listener. Called once on the first user
+	 * change so that bfcache is not blocked on pages with no edits.
+	 */
+	function startWatchingForUnload() {
+		// Remove this as a one-shot listener.
+		$form.off( 'change.settings input.settings', startWatchingForUnload );
+
+		$( window ).on( 'beforeunload.settings', function() {
+			if ( ! isSubmitting && originalData !== $form.serialize() ) {
+				return __( 'The changes you made will be lost if you navigate away from this page.' );
+			}
+		} );
+	}
+
+	$( function() {
+		if ( ! $form.length ) {
+			return;
+		}
+
+		// Snapshot the original form state.
+		originalData = $form.serialize();
+
+		// Suppress the warning when the form is intentionally submitted (settings saved).
+		$form.on( 'submit.settings', function() {
+			isSubmitting = true;
+			$( window ).off( 'beforeunload.settings' );
+		} );
+
+		// Attach the beforeunload listener lazily on the first user interaction
+		// to preserve bfcache for pages where no changes are made.
+		$form.on( 'change.settings input.settings', startWatchingForUnload );
+	} );
+} )( jQuery );

src/wp-admin/options-discussion.php

@@ -192,7 +192,7 @@
 ?>
 </label></p>
 
-<p><label for="moderation_keys"><?php _e( 'When a comment contains any of these words in its content, author name, URL, email, IP address, or browser&#8217;s user agent string, it will be held in the <a href="edit-comments.php?comment_status=moderated" target="_blank">moderation queue</a>. One word or IP address per line. It will match inside words, so &#8220;press&#8221; will match &#8220;WordPress&#8221;.' ); ?></label></p>
+<p><label for="moderation_keys"><?php _e( 'When a comment contains any of these words in its content, author name, URL, email, IP address, or browser&#8217;s user agent string, it will be held in the <a href="edit-comments.php?comment_status=moderated">moderation queue</a>. One word or IP address per line. It will match inside words, so &#8220;press&#8221; will match &#8220;WordPress&#8221;.' ); ?></label></p>
 <p>
 <textarea name="moderation_keys" rows="10" cols="50" id="moderation_keys" class="large-text code"><?php echo esc_textarea( get_option( 'moderation_keys' ) ); ?></textarea>
 </p>

src/wp-admin/options-general.php

@@ -249,9 +249,10 @@ class="<?php echo esc_attr( $classes_for_button ); ?>"
 <p class="description" id="home-description">
 		<?php
 		printf(
-			/* translators: %s: Documentation URL. */
-			__( 'Enter the same address here unless you <a href="%s" target=_blank>want your site home page to be different from your WordPress installation directory</a>.' ),
-			__( 'https://developer.wordpress.org/advanced-administration/server/wordpress-in-directory/' )
+			/* translators: 1: Documentation URL. 2: Accessibility text (do not translate). */
+			__( 'Enter the same address here unless you <a href="%1$s" target="_blank" rel="noopener noreferrer">want your site home page to be different from your WordPress installation directory%2$s</a>.' ),
+			esc_url( __( 'https://developer.wordpress.org/advanced-administration/server/wordpress-in-directory/' ) ),
+			'<span class="screen-reader-text"> ' . /* translators: Hidden accessibility text. */ __( '(opens in a new tab)' ) . '</span><span aria-hidden="true" class="dashicons dashicons-external"></span>'
 		);
 		?>
 </p>
@@ -568,7 +569,13 @@ class="<?php echo esc_attr( $classes_for_button ); ?>"
 		'<p><strong>' . __( 'Preview:' ) . '</strong> <span class="example">' . date_i18n( get_option( 'time_format' ) ) . '</span>' .
 		"<span class='spinner'></span>\n" . '</p>';
 
-	echo "\t<p class='date-time-doc'>" . __( '<a href="https://wordpress.org/documentation/article/customize-date-and-time-format/" target="_blank">Documentation on date and time formatting</a>.' ) . "</p>\n";
+	printf(
+		"\t<p class='date-time-doc'><a href=\"%1\$s\" target=\"_blank\" rel=\"noopener noreferrer\">%2\$s<span class=\"screen-reader-text\"> %3\$s</span><span aria-hidden=\"true\" class=\"dashicons dashicons-external\"></span></a>.</p>\n",
+		'https://wordpress.org/documentation/article/customize-date-and-time-format/',
+		__( 'Documentation on date and time formatting' ),
+		/* translators: Hidden accessibility text. */
+		__( '(opens in a new tab)' )
+	);
 ?>
 	</fieldset>
 </td>

src/wp-admin/options-head.php

@@ -21,3 +21,5 @@
 }
 
 settings_errors();
+
+wp_enqueue_script( 'settings' );

src/wp-admin/options-permalink.php

@@ -222,9 +222,10 @@
 <p>
 <?php
 printf(
-	/* translators: %s: Documentation URL. */
-	__( 'WordPress offers you the ability to create a custom URL structure for your permalinks and archives. Custom URL structures can improve the aesthetics, usability, and forward-compatibility of your links. A <a href="%s" target="_blank">number of tags are available</a>, and here are some examples to get you started.' ),
-	__( 'https://wordpress.org/documentation/article/customize-permalinks/' )
+	/* translators: 1: Documentation URL. 2: Accessibility text (do not translate). */
+	__( 'WordPress offers you the ability to create a custom URL structure for your permalinks and archives. Custom URL structures can improve the aesthetics, usability, and forward-compatibility of your links. A <a href="%1$s" target="_blank" rel="noopener noreferrer">number of tags are available%2$s</a>, and here are some examples to get you started.' ),
+	esc_url( __( 'https://wordpress.org/documentation/article/customize-permalinks/' ) ),
+	'<span class="screen-reader-text"> ' . /* translators: Hidden accessibility text. */ __( '(opens in a new tab)' ) . '</span><span aria-hidden="true" class="dashicons dashicons-external"></span>'
 );
 ?>
 </p>

src/wp-admin/options-privacy.php

@@ -215,19 +215,23 @@ static function ( $body_class ) {
 			?>
 				<strong>
 				<?php
+				$new_tab_indicator = '<span class="screen-reader-text"> ' . /* translators: Hidden accessibility text. */ __( '(opens in a new tab)' ) . '</span><span aria-hidden="true" class="dashicons dashicons-external"></span>';
+
 				if ( 'publish' === get_post_status( $privacy_policy_page_id ) ) {
 					printf(
-						/* translators: 1: URL to edit Privacy Policy page, 2: URL to view Privacy Policy page. */
-						__( '<a href="%1$s">Edit</a> or <a href="%2$s">view</a> your Privacy Policy page content.' ),
+						/* translators: 1: URL to edit Privacy Policy page, 2: URL to view Privacy Policy page, 3: Accessibility text (do not translate). */
+						__( '<a href="%1$s">Edit</a> or <a href="%2$s" target="_blank" rel="noopener noreferrer">view%3$s</a> your Privacy Policy page content.' ),
 						esc_url( $edit_href ),
-						esc_url( $view_href )
+						esc_url( $view_href ),
+						$new_tab_indicator
 					);
 				} else {
 					printf(
-						/* translators: 1: URL to edit Privacy Policy page, 2: URL to preview Privacy Policy page. */
-						__( '<a href="%1$s">Edit</a> or <a href="%2$s">preview</a> your Privacy Policy page content.' ),
+						/* translators: 1: URL to edit Privacy Policy page, 2: URL to preview Privacy Policy page, 3: Accessibility text (do not translate). */
+						__( '<a href="%1$s">Edit</a> or <a href="%2$s" target="_blank" rel="noopener noreferrer">preview%3$s</a> your Privacy Policy page content.' ),
 						esc_url( $edit_href ),
-						esc_url( $view_href )
+						esc_url( $view_href ),
+						$new_tab_indicator
 					);
 				}
 				?>

src/wp-admin/options-reading.php

@@ -197,9 +197,10 @@
 	<p class="description">
 		<?php
 		printf(
-			/* translators: %s: Documentation URL. */
-			__( 'Your theme determines how content is displayed in browsers. <a href="%s" target="_blank">Learn more about feeds</a>.' ),
-			__( 'https://developer.wordpress.org/advanced-administration/wordpress/feeds/' )
+			/* translators: 1: Documentation URL. 2: Accessibility text (do not translate). */
+			__( 'Your theme determines how content is displayed in browsers. <a href="%1$s" target="_blank" rel="noopener noreferrer">Learn more about feeds%2$s</a>.' ),
+			esc_url( __( 'https://developer.wordpress.org/advanced-administration/wordpress/feeds/' ) ),
+			'<span class="screen-reader-text"> ' . /* translators: Hidden accessibility text. */ __( '(opens in a new tab)' ) . '</span><span aria-hidden="true" class="dashicons dashicons-external"></span>'
 		);
 		?>
 	</p>

src/wp-admin/options-writing.php

@@ -234,9 +234,10 @@
 	<p><label for="ping_sites">
 		<?php
 		printf(
-			/* translators: %s: Documentation URL. */
-			__( 'When you publish a new post, WordPress automatically notifies the following site update services. For more about this, see the <a href="%s">Update Services</a> documentation article. Separate multiple service URLs with line breaks.' ),
-			__( 'https://developer.wordpress.org/advanced-administration/wordpress/update-services/' )
+			/* translators: 1: Documentation URL. 2: Accessibility text (do not translate). */
+			__( 'When you publish a new post, WordPress automatically notifies the following site update services. For more about this, see the <a href="%1$s" target="_blank" rel="noopener noreferrer">Update Services%2$s</a> documentation article. Separate multiple service URLs with line breaks.' ),
+			esc_url( __( 'https://developer.wordpress.org/advanced-administration/wordpress/update-services/' ) ),
+			'<span class="screen-reader-text"> ' . /* translators: Hidden accessibility text. */ __( '(opens in a new tab)' ) . '</span><span aria-hidden="true" class="dashicons dashicons-external"></span>'
 		);
 		?>
 	</label></p>
@@ -248,9 +249,10 @@
 	<p>
 		<?php
 		printf(
-			/* translators: 1: Documentation URL, 2: URL to Reading Settings screen. */
-			__( 'WordPress is not notifying any <a href="%1$s">Update Services</a> because of your site&#8217;s <a href="%2$s">visibility settings</a>.' ),
-			__( 'https://developer.wordpress.org/advanced-administration/wordpress/update-services/' ),
+			/* translators: 1: Documentation URL. 2: Accessibility text (do not translate). 3: URL to Reading Settings screen. */
+			__( 'WordPress is not notifying any <a href="%1$s" target="_blank" rel="noopener noreferrer">Update Services%2$s</a> because of your site&#8217;s <a href="%3$s">visibility settings</a>.' ),
+			esc_url( __( 'https://developer.wordpress.org/advanced-administration/wordpress/update-services/' ) ),
+			'<span class="screen-reader-text"> ' . /* translators: Hidden accessibility text. */ __( '(opens in a new tab)' ) . '</span><span aria-hidden="true" class="dashicons dashicons-external"></span>',
 			'options-reading.php'
 		);
 		?>

src/wp-includes/script-loader.php

@@ -884,6 +884,9 @@ function wp_default_scripts( $scripts ) {
 	$scripts->add( 'site-icon', '/wp-admin/js/site-icon.js', array( 'jquery' ), false, 1 );
 	$scripts->set_translations( 'site-icon' );
 
+	$scripts->add( 'settings', "/wp-admin/js/settings$suffix.js", array( 'jquery', 'wp-i18n' ), false, 1 );
+	$scripts->set_translations( 'settings' );
+
 	// WordPress no longer uses or bundles Prototype or script.aculo.us. These are now pulled from an external source.
 	$scripts->add( 'prototype', 'https://ajax.googleapis.com/ajax/libs/prototype/1.7.1.0/prototype.js', array(), '1.7.1' );
 	$scripts->add( 'scriptaculous-root', 'https://ajax.googleapis.com/ajax/libs/scriptaculous/1.9.0/scriptaculous.js', array( 'prototype' ), '1.9.0' );