fix(compiler): sanitize dynamic href and xlink:href bindings on SVG a…#68868
Open
alan-agius4 wants to merge 2 commits into
Open
fix(compiler): sanitize dynamic href and xlink:href bindings on SVG a…#68868alan-agius4 wants to merge 2 commits into
alan-agius4 wants to merge 2 commits into
Conversation
… elements Dynamic bindings to `href` and `xlink:href` attributes on SVG `<a>` elements (`<svg:a>`) were previously unmapped in the DOM security schema. As a result, they bypassed sanitization completely, creating a potential XSS vulnerability if bound to untrusted user inputs (e.g., `javascript:` URLs). This fix mitigates this risk by: 1. Registering `href` and `xlink:href` on `<svg:a>` elements under the `SecurityContext.URL` context in both the compiler and core DOM security schemas. 2. Enabling template compilation to output runtime URL sanitization checks (`ɵɵsanitizeUrl`) on these attributes. 3. Adding regression and verification test cases to ensure dynamic SVG link bindings are safely sanitized at runtime while static values are correctly allowed.
AndrewKushnir
approved these changes
May 22, 2026
…ntSchemaRegistry Custom XML/XHTML namespaced elements (e.g., <xhtml:a>) fall back to the standard HTML namespace during element creation at compile-time/runtime. However, their property and security context lookups inside the schema registry were incorrectly performed using the full namespaced tag name (e.g., :xhtml:a), which bypassed the default a|href sanitization registry and incorrectly returned SecurityContext.NONE instead of SecurityContext.URL. This commit introduces tag name normalization inside DomElementSchemaRegistry for custom namespaces (other than the built-in svg and math namespaces). Custom namespaced tag names are now normalized to their simple HTML element counterparts for all registry queries, ensuring that correct property schema validation and dynamic security sanitization rules (such as URL sanitization) are enforced at runtime.
AndrewKushnir
approved these changes
May 22, 2026
Contributor
AndrewKushnir
left a comment
There was a problem hiding this comment.
@alan-agius4 thanks for the improvement! I've left a comment with a proposed refactoring, but please don't treat it as blocking.
|
|
||
| const colonIdx = tagName.indexOf(':'); | ||
| if (colonIdx > 0) { | ||
| const ns = tagName.substring(0, colonIdx); |
Contributor
There was a problem hiding this comment.
The logic in this part of the function looks very similar to what's happening inside of the splitNsName helper, can we reconcile the logic and have better handling inside of splitNsName? In this case, this whole function may look like this (ask splitNsName to split into logical pieces and normalize for svg/mathml namespaces):
function normalizeTagName(tagName: string): string {
const [ns, name] = splitNsName(tagName, false);
return ns === SVG_NAMESPACE || ns === MATH_ML_NAMESPACE ? `:${ns}:${name}` : name;
}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
… elements
Dynamic bindings to
hrefandxlink:hrefattributes on SVG<a>elements (<svg:a>) were previously unmapped in the DOM security schema. As a result, they bypassed sanitization completely, creating a potential XSS vulnerability if bound to untrusted user inputs (e.g.,javascript:URLs).This fix mitigates this risk by:
Registering
hrefandxlink:hrefon<svg:a>elements under theSecurityContext.URLcontext in both the compiler and core DOM security schemas.Enabling template compilation to output runtime URL sanitization checks (
ɵɵsanitizeUrl) on these attributes.Adding regression and verification test cases to ensure dynamic SVG link bindings are safely sanitized at runtime while static values are correctly allowed.