
fix(compiler): strip namespaced SVG script elements during template compilation #68689

Open
alan-agius4 wants to merge 1 commit into angular:main from alan-agius4:svg-script

Conversation

@alan-agius4
Contributor

Ensures that namespaced <script> elements (such as :svg:script) are correctly classified as PreparsedElementType.SCRIPT by the template preparser and stripped during compilation to prevent potential XSS vulnerabilities. Consequently, obsolete security schema mappings and runtime sanitization checks for <script> attributes have been removed since these elements are never present in compiled template outputs.

Also corrects a truthiness evaluation bug in the runtime sanitization unit tests.

Closes #68642
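To make the classification bug described above concrete, here is an added illustration (not Angular's code and not from this PR): a minimal preparser that classifies element names, first by comparing the full tag name, then by comparing only the local name after splitting the ":ns:local" form, so that ":svg:script" is recognised as SCRIPT and stripped. The enum, node type and sample tree are assumptions constructed for the example.

```typescript
// Illustrative subset of a preparser's element classes (assumed, not Angular's enum).
enum PreparsedElementType { SCRIPT = 'SCRIPT', STYLE = 'STYLE', OTHER = 'OTHER' }

// Simplified template node (assumed for the example).
interface TplNode { name: string; children: TplNode[] }

// Namespaced tags are written ":ns:local"; return [namespace, localName].
function splitNsName(name: string): [string | null, string] {
  if (name[0] !== ':') return [null, name];
  const colon = name.indexOf(':', 1);
  if (colon === -1) throw new Error(`Unsupported format "${name}"`);
  return [name.slice(1, colon), name.slice(colon + 1)];
}

// Before: the full name is compared, so ":svg:script" falls through to OTHER.
function classifyBefore(name: string): PreparsedElementType {
  if (name === 'script') return PreparsedElementType.SCRIPT;
  if (name === 'style') return PreparsedElementType.STYLE;
  return PreparsedElementType.OTHER;
}

// After: classify on the local name only, so the namespace cannot hide a <script>.
function classifyAfter(name: string): PreparsedElementType {
  const [, local] = splitNsName(name);
  return classifyBefore(local.toLowerCase());
}

// Drop every SCRIPT element (and its subtree) from the template, as compilation should.
function stripScripts(nodes: TplNode[], classify: (n: string) => PreparsedElementType): TplNode[] {
  return nodes
    .filter((n) => classify(n.name) !== PreparsedElementType.SCRIPT)
    .map((n) => ({ name: n.name, children: stripScripts(n.children, classify) }));
}

// Flatten the remaining element names in document order, for inspection.
function names(nodes: TplNode[]): string[] {
  const out: string[] = [];
  for (const n of nodes) { out.push(n.name); out.push(...names(n.children)); }
  return out;
}

// Constructed sample: <div><script></script><svg><script></script></svg></div>,
// with the SVG subtree namespaced the way a template parser would name it.
const sample: TplNode[] = [{
  name: 'div',
  children: [
    { name: 'script', children: [] },
    { name: ':svg:svg', children: [{ name: ':svg:script', children: [] }] },
  ],
}];
```

With the old comparison only the plain `script` is removed and `:svg:script` survives; with the local-name comparison both are stripped while `:svg:svg` is kept.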

@alan-agius4 alan-agius4 added the action: review The PR is still awaiting reviews from at least one requested reviewer label May 12, 2026
@alan-agius4 alan-agius4 marked this pull request as ready for review May 12, 2026 11:38
@angular-robot angular-robot Bot added the area: compiler Issues related to `ngc`, Angular's template compiler label May 12, 2026
@ngbot ngbot Bot added this to the Backlog milestone May 12, 2026
@pullapprove pullapprove Bot requested a review from josephperrott May 12, 2026 11:38
@alan-agius4 alan-agius4 added the target: patch This PR is targeted for the next patch release label May 12, 2026
@alan-agius4 alan-agius4 force-pushed the svg-script branch 3 times, most recently from 2217103 to 82cdc6c May 12, 2026 12:48
…ompilation

Ensures that namespaced <script> elements (such as :svg:script) are correctly classified as PreparsedElementType.SCRIPT by the template preparser and stripped during compilation to prevent potential XSS vulnerabilities. Consequently, obsolete security schema mappings and runtime sanitization checks for <script> attributes have been removed since these elements are never present in compiled template outputs.

Also corrects a truthiness evaluation bug in the runtime sanitization unit tests.

Closes angular#68642
Member

@josephperrott josephperrott left a comment


LGTM

Reviewed-for: fw-security



Development

Successfully merging this pull request may close these issues.

SVG <script> and [innerHTML]/[textContent] text can execute in Angular templates
