fix(compiler): disallow translations of iframe src

Fixes the compiler allowing translations of `src` attributes on iframes, which can be a security issue.
Kristiyan Kostadinov 2026-03-12 10:12:06 +01:00 committed by Matthew Beck (Berry)
parent 626bc8bc20
commit 02fbf08890
2 changed files with 3 additions and 1 deletions


@ -11,7 +11,7 @@
* tags use '*'.
*
* Extracted from, and should be kept in sync with
* https://w3c.github.io/webappsec-trusted-types/dist/spec/#integrations
* https://www.w3.org/TR/trusted-types/#integrations
*/
const TRUSTED_TYPES_SINKS = new Set<string>([
// NOTE: All strings in this set *must* be lowercase!
@ -25,6 +25,7 @@ const TRUSTED_TYPES_SINKS = new Set<string>([
// TrustedScriptURL
'embed|src',
'iframe|src',
'object|codebase',
'object|data',
]);
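Review bot: The added `'iframe|src'` entry in the second hunk sits under the `// TrustedScriptURL` heading of a list whose header comment says it is extracted from, and kept in sync with, the Trusted Types spec, yet as far as I can tell the spec does not list an iframe's `src` among its sinks. Without a note, a later re-sync against the spec could silently drop the entry and re-open the translation path this commit closes. I would put a comment directly above it, e.g. `// Not taken from the spec list (confirm); kept here so a translated value cannot set an iframe's src.` Part of the set literal lies between the two hunks and is not shown, so the grouping of the neighbouring entries is inferred from the visible lines only.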


@ -13,6 +13,7 @@ describe('isTrustedTypesSink', () => {
expect(isTrustedTypesSink('iframe', 'srcdoc')).toBeTrue();
expect(isTrustedTypesSink('p', 'innerHTML')).toBeTrue();
expect(isTrustedTypesSink('embed', 'src')).toBeTrue();
expect(isTrustedTypesSink('iframe', 'src')).toBeTrue();
expect(isTrustedTypesSink('a', 'href')).toBeFalse();
expect(isTrustedTypesSink('base', 'href')).toBeFalse();
expect(isTrustedTypesSink('div', 'style')).toBeFalse();
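Review bot: The new assertion covers only the lowercase spelling, while the `'p', 'innerHTML'` case just above it and the "must be lowercase" note on the set suggest the lookup is meant to be case-insensitive. A template can spell the attribute `SRC`, so I would add `expect(isTrustedTypesSink('IFRAME', 'SRC')).toBeTrue();` next to it to pin that. Neither changed file exercises the path that actually rejects a translated `src` on an `<iframe>`, so the behaviour named in the commit title is only tested indirectly; a compile-level test may already exist elsewhere, which cannot be seen from here. The `describe` block starts and ends outside the hunk.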