mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
e84e35cdd6
SVG animation elements (`animate` and `set`) can be used to animate sensitive attributes like `href` or `xlink:href`. Binding to these animation attributes (like `to`, `from`, or `values`) with a sensitive target creates an XSS vector. This change mitigates this risk by: 1. Classifying `to`, `from`, and `values` on `<animate>` and `<set>` elements as `ATTRIBUTE_NO_BINDING` in the DOM security schema to prevent standard dynamic bindings. 2. Adding runtime validations in `ɵɵvalidateAttribute` to verify that `attributeName` is not a sensitive attribute (such as `href` or `xlink:href`) when processed by a set of `SECURITY_SENSITIVE_ATTRIBUTE_NAMES`. If it is, a runtime error `UNSAFE_ATTRIBUTE_BINDING` is thrown. 3. Adding regression tests in `integration_spec.ts` to ensure unsafe bindings throw an error while safe ones pass correctly. PR Close #67797 |
||
|---|---|---|
| .. | ||
| design | ||
| src | ||
| test | ||
| BUILD.bazel | ||
| compiler.ts | ||
| index.ts | ||
| package.json | ||
| public_api.ts | ||