Skip to content

Security: i18n attribute binding bypasses RESOURCE_URL sanitizer (incomplete CVE-2026-32635 fix) #69163

Closed as not planned
Closed as not planned
Security: i18n attribute binding bypasses RESOURCE_URL sanitizer (incomplete CVE-2026-32635 fix)#69163
Labels
area: securityIssues related to built-in security features, such as HTML sanitationgemini-triagedLabel noting that an issue has been triaged by gemini
Milestone
needsTriage
@fg0x0

Description

@fg0x0
fg0x0
opened on Jun 4, 2026

TRUSTED_TYPES_SINKS missing base|href, link|href, frame|src. Compiler accepts i18n bindings on these while [href] binding throws NG0904.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: securityIssues related to built-in security features, such as HTML sanitationgemini-triagedLabel noting that an issue has been triaged by gemini

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions