From 02fbf08890ec6ac2efb6c2ec4f17e56497cb81d2 Mon Sep 17 00:00:00 2001 From: Kristiyan Kostadinov Date: Thu, 12 Mar 2026 10:12:06 +0100 Subject: [PATCH] fix(compiler): disallow translations of iframe src Fixes that the compiler was allowing translations of `src` attributes in iframes which can be a security issue. --- packages/compiler/src/schema/trusted_types_sinks.ts | 3 ++- packages/compiler/test/schema/trusted_types_sinks_spec.ts | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/compiler/src/schema/trusted_types_sinks.ts b/packages/compiler/src/schema/trusted_types_sinks.ts index 49d03aa7fab..0d69ccee47f 100644 --- a/packages/compiler/src/schema/trusted_types_sinks.ts +++ b/packages/compiler/src/schema/trusted_types_sinks.ts @@ -11,7 +11,7 @@ * tags use '*'. * * Extracted from, and should be kept in sync with - * https://w3c.github.io/webappsec-trusted-types/dist/spec/#integrations + * https://www.w3.org/TR/trusted-types/#integrations */ const TRUSTED_TYPES_SINKS = new Set([ // NOTE: All strings in this set *must* be lowercase! @@ -25,6 +25,7 @@ const TRUSTED_TYPES_SINKS = new Set([ // TrustedScriptURL 'embed|src', + 'iframe|src', 'object|codebase', 'object|data', ]); diff --git a/packages/compiler/test/schema/trusted_types_sinks_spec.ts b/packages/compiler/test/schema/trusted_types_sinks_spec.ts index d6f8dc96be3..dca36afa89a 100644 --- a/packages/compiler/test/schema/trusted_types_sinks_spec.ts +++ b/packages/compiler/test/schema/trusted_types_sinks_spec.ts @@ -13,6 +13,7 @@ describe('isTrustedTypesSink', () => { expect(isTrustedTypesSink('iframe', 'srcdoc')).toBeTrue(); expect(isTrustedTypesSink('p', 'innerHTML')).toBeTrue(); expect(isTrustedTypesSink('embed', 'src')).toBeTrue(); + expect(isTrustedTypesSink('iframe', 'src')).toBeTrue(); expect(isTrustedTypesSink('a', 'href')).toBeFalse(); expect(isTrustedTypesSink('base', 'href')).toBeFalse(); expect(isTrustedTypesSink('div', 'style')).toBeFalse();