fix(compiler): sanitize href/xlink:href attributes of any element… #69191
Draft
JeanMeche wants to merge 1 commit into
fcba6aa to 5e9e889
… of the MathML namespace
This ensures that future, present and past (and deprecated) elements of that namespace get sanitized.
5e9e889 to 9ce049a
alan-agius4
reviewed
Jun 5, 2026
|
|
||
| const normalizedTag = normalizeTagName(tagName); | ||
| propName = propName.toLowerCase(); | ||
| let nsWildcardTag: string | undefined; |
Contributor
We already have a function to get the namespace normalizeTagName. Also in this case maybe do not use normalizeTagName to avoid combining the namespace and splitting it multiple times.
alan-agius4
reviewed
Jun 5, 2026
| nsWildcardTag = `${normalizedTag.slice(0, lastColonIndex + 1)}*`; | ||
| } | ||
|
|
||
| const securitySchema = SECURITY_SCHEMA(); |
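Review bot: the wildcard key built from `normalizedTag.slice(0, lastColonIndex + 1)` is only meaningful when `lastColonIndex` is a real match, and the condition guarding this assignment is outside the lines shown. If the assignment can run with `lastColonIndex === -1`, the slice is empty and the key collapses to a bare `*`, so the guard should require `lastColonIndex > -1` explicitly, and a test should cover a tag name with no namespace prefix.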
Contributor
This logic should probably be moved into a function in dom_security_schema.ts.
This is because the same logic is also present in i18n_parser and they should be kept in sync. With a shared function it's easier to avoid updating one place and not the other.
Something like
getSecurityContextFromSchema(tagName, attributeName, namespace): SecurityContext
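The shared lookup suggested above, sketched as an added example (not code from the pull request or from Angular): a toy schema shows why an enumerated list misses element names it does not know, while a `*` entry covers the whole namespace. The `namespace|tag|attr` key format, the `math`/`svg` labels, the extra `schema` parameter and the element name `mfuture` are assumptions made for the illustration.

```typescript
// Added illustration: a toy schema, not Angular's dom_security_schema.ts.
type SecurityContext = 'NONE' | 'URL';
type Schema = Map<string, SecurityContext>;

const MATH_NS = 'math'; // assumed namespace label for this sketch
const SVG_NS = 'svg'; // assumed; only used to show that namespaces stay isolated

// Store each attribute under "namespace|tag|attr"; tag "*" means any element.
function registerContext(
  schema: Schema, ctx: SecurityContext, ns: string, specs: Array<[string, string[]]>,
): void {
  for (const [tag, attrs] of specs) {
    for (const attr of attrs) {
      schema.set(`${ns}|${tag.toLowerCase()}|${attr.toLowerCase()}`, ctx);
    }
  }
}

// One lookup for every caller: exact element first, then the namespace wildcard.
function getSecurityContextFromSchema(
  schema: Schema, tagName: string, attributeName: string, namespace: string,
): SecurityContext {
  const tag = tagName.toLowerCase();
  const attr = attributeName.toLowerCase();
  return (
    schema.get(`${namespace}|${tag}|${attr}`) ??
    schema.get(`${namespace}|*|${attr}`) ??
    'NONE'
  );
}

// Enumerated schema: only the listed elements are covered.
const enumerated: Schema = new Map();
registerContext(enumerated, 'URL', MATH_NS, [
  ['semantics', ['href', 'xlink:href']],
  ['none', ['href', 'xlink:href']],
]);

// Wildcard schema: every element of the namespace is covered.
const wildcard: Schema = new Map();
registerContext(wildcard, 'URL', MATH_NS, [['*', ['href', 'xlink:href']]]);

// Constructed element name that neither list mentions.
const unknownTag = 'mfuture';
```

With the enumerated schema, `href` on `unknownTag` resolves to `'NONE'` and would skip URL sanitization; with the wildcard schema it resolves to `'URL'`.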
alan-agius4
reviewed
Jun 5, 2026
| ['semantics', ['href', 'xlink:href']], | ||
| ['none', ['href', 'xlink:href']], | ||
| ]); | ||
| registerContext(SecurityContext.URL, MATH_ML_NAMESPACE, [['*', ['href', 'xlink:href']]]); |
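Review bot: the `'*'` entry on the `registerContext(SecurityContext.URL, MATH_ML_NAMESPACE, ...)` line has no comment saying that it matches every element of the namespace, so a reader cannot tell it apart from a literal tag name. Add a one-line comment there stating the wildcard semantics, and a test asserting that an element name absent from any list still resolves `href` and `xlink:href` to SecurityContext.URL.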
Contributor
NIT: can you leave the previous comment? (Personally it's quite useful to check every now and then.)