[attr.X] binding bypasses URL sanitizer for SVG use/image/feImage, media audio/source/track, video poster, legacy background attrs, img srcset. Related: CVE-2026-22610, CVE-2026-27970, CVE-2026-32635.
[attr.X] binding bypasses URL sanitizer for SVG use/image/feImage, media audio/source/track, video poster, legacy background attrs, img srcset. Related: CVE-2026-22610, CVE-2026-27970, CVE-2026-32635.