TrustedTypes: SVGAnimatedString.baseVal by hamishwillee · Pull Request #42502 · mdn/content

hamishwillee · 2025-12-23T03:20:55Z

The SVGAnimatedString can represent the base and animated values of various elements in SVG.

In the context of SVGScriptElement.href it can be used to set the baseVal of the script. This is an injection sink.

Technically right place for all the information is SVGAnimatedString.baseVal since that defines the property, but that can be used to reflect numerous attributes, and only one is a problem case. So what I have done is put TT info in the SVGScriptElement.href. For SVGAnimatedString.baseVal I have put the disclaimer and explanation, but I link to the other doc for security considerations and the example.

Related docs work tracked in #41507

files/en-us/web/api/htmlscriptelement/src/index.md

github-actions · 2025-12-23T03:22:20Z

Preview URLs

(comment last updated: 2025-12-23 05:59:14)

files/en-us/web/api/svganimatedstring/baseval/index.md

files/en-us/web/api/svgscriptelement/href/index.md

Co-authored-by: sideshowbarker <mike@w3.org>

hamishwillee · 2025-12-23T05:58:09Z

Thanks for the review @sideshowbarker !

TrustedTypes: SVGAnimatedString.baseVal

bda9f24

hamishwillee requested a review from a team as a code owner December 23, 2025 03:20

hamishwillee requested review from sideshowbarker and removed request for a team December 23, 2025 03:20

github-actions bot added Content:WebAPI Web API docs size/m [PR only] 51-500 LoC changed labels Dec 23, 2025

hamishwillee commented Dec 23, 2025

View reviewed changes

files/en-us/web/api/htmlscriptelement/src/index.md Show resolved Hide resolved

hamishwillee mentioned this pull request Dec 23, 2025

[WebAPI] Enable Trusted Types in early beta #41507

Closed

8 tasks

hamishwillee mentioned this pull request Dec 23, 2025

[WebAPI] Implement Trusted Types support for document.write()/document.writeln() #37518

Closed

34 tasks