fix(core): treat object[data] as resource URL context (#67797)

alan-agius4 · pkozlowski-opensource · commit b682c628731b · 2026-04-01T11:43:59.000+02:00
Previously, the `data` attribute of the `<object>` tag was being sanitized as a regular URL instead of a `ResourceURL`, which is security-sensitive. This commit updates the runtime sanitization logic to correctly identify `object[data]` as a `ResourceURL` context. Additionally, the sanitizer lookup logic has been refactored to use a more efficient lookup map (`RESOURCE_MAP`) instead of multiple `Set` lookups, providing better performance and maintainability. Added tests to verify the correct sanitization of `object[data]` and its behavior with trusted values. PR Close #67797
diff --git a/packages/core/src/sanitization/sanitization.ts b/packages/core/src/sanitization/sanitization.ts
@@ -214,8 +214,16 @@ export function ɵɵtrustConstantResourceUrl(url: TemplateStringsArray): Trusted
 }
 
 // Define sets outside the function for O(1) lookups and memory efficiency
-const SRC_RESOURCE_TAGS = new Set(['embed', 'frame', 'iframe', 'media', 'script']);
-const HREF_RESOURCE_TAGS = new Set(['base', 'link', 'script']);
+const RESOURCE_MAP: Record<string, Record<string, true | undefined> | undefined> = {
+  embed: {src: true},
+  frame: {src: true},
+  iframe: {src: true},
+  media: {src: true},
+  script: {src: true, href: true, 'xlink:href': true},
+  base: {href: true},
+  link: {href: true},
+  object: {data: true, codebase: true},
+};
 
 /**
  * Detects which sanitizer to use for URL property, based on tag name and prop name.
@@ -225,10 +233,7 @@ const HREF_RESOURCE_TAGS = new Set(['base', 'link', 'script']);
  * If tag and prop names don't match Resource URL schema, use URL sanitizer.
  */
 export function getUrlSanitizer(tag: string, prop: string) {
-  const isResource =
-    (prop === 'src' && SRC_RESOURCE_TAGS.has(tag)) ||
-    (prop === 'href' && HREF_RESOURCE_TAGS.has(tag)) ||
-    (prop === 'xlink:href' && tag === 'script');
+  const isResource = RESOURCE_MAP[tag]?.[prop] === true;
 
   return isResource ? ɵɵsanitizeResourceUrl : ɵɵsanitizeUrl;
 }
@@ -277,25 +282,23 @@ function getSanitizer(): Sanitizer | null {
   return lView && lView[ENVIRONMENT].sanitizer;
 }
 
-const attributeName: ReadonlySet<string> = new Set(['attributename']);
-
 /**
  * @remarks Keep this in sync with DOM Security Schema.
  * @see [SECURITY_SCHEMA](../../../compiler/src/schema/dom_security_schema.ts)
  */
-const SECURITY_SENSITIVE_ELEMENTS: Readonly<Record<string, ReadonlySet<string>>> = {
-  'iframe': new Set([
-    'sandbox',
-    'allow',
-    'allowfullscreen',
-    'referrerpolicy',
-    'csp',
-    'fetchpriority',
-  ]),
-  'animate': attributeName,
-  'set': attributeName,
-  'animatemotion': attributeName,
-  'animatetransform': attributeName,
+const SECURITY_SENSITIVE_ELEMENTS: Record<string, Record<string, true | undefined> | undefined> = {
+  iframe: {
+    sandbox: true,
+    allow: true,
+    allowfullscreen: true,
+    referrerpolicy: true,
+    csp: true,
+    fetchpriority: true,
+  },
+  animate: {attributename: true},
+  set: {attributename: true},
+  animatemotion: {attributename: true},
+  animatetransform: {attributename: true},
 };
 
 /**
@@ -312,7 +315,7 @@ export function ɵɵvalidateAttribute(
 ): unknown {
   const lowerCaseTagName = tagName.toLowerCase();
   const lowerCaseAttrName = attributeName.toLowerCase();
-  if (!SECURITY_SENSITIVE_ELEMENTS[lowerCaseTagName]?.has(lowerCaseAttrName)) {
+  if (!SECURITY_SENSITIVE_ELEMENTS[lowerCaseTagName]?.[lowerCaseAttrName]) {
     return value;
   }
 
diff --git a/packages/core/test/bundling/router/bundle.golden_symbols.json b/packages/core/test/bundling/router/bundle.golden_symbols.json
@@ -119,7 +119,6 @@
       "HEADER_OFFSET",
       "HOST",
       "HOST_ATTR",
-      "HREF_RESOURCE_TAGS",
       "HYDRATION",
       "HistoryStateManager",
       "HostAttributeToken",
@@ -240,6 +239,7 @@
       "REMOVE_STYLES_ON_COMPONENT_DESTROY_DEFAULT",
       "RENDERER",
       "REQUIRED_UNSET_VALUE",
+      "RESOURCE_MAP",
       "ROUTER_CONFIGURATION",
       "ROUTER_OUTLET_DATA",
       "ROUTER_PRELOADER",
@@ -279,7 +279,6 @@
       "SIGNAL",
       "SIGNAL_NODE",
       "SIMPLE_CHANGES_STORE",
-      "SRC_RESOURCE_TAGS",
       "STABILITY_WARNING_THRESHOLD",
       "SVG_NAMESPACE",
       "SafeSubscriber",
diff --git a/packages/core/test/sanitization/sanitization_spec.ts b/packages/core/test/sanitization/sanitization_spec.ts
@@ -137,6 +137,10 @@ describe('sanitization', () => {
     expect(() => ɵɵsanitizeUrlOrResourceUrl('javascript:true', 'iframe', 'src')).toThrowError(
       ERROR,
     );
+    expect(() => ɵɵsanitizeUrlOrResourceUrl('http://server', 'object', 'data')).toThrowError(ERROR);
+    expect(() => ɵɵsanitizeUrlOrResourceUrl('javascript:true', 'object', 'data')).toThrowError(
+      ERROR,
+    );
     expect(() =>
       ɵɵsanitizeUrlOrResourceUrl(bypassSanitizationTrustHtml('javascript:true'), 'iframe', 'src'),
     ).toThrowError(/Required a safe ResourceURL, got a HTML/);
@@ -147,6 +151,13 @@ describe('sanitization', () => {
         'src',
       ).toString(),
     ).toEqual('javascript:true');
+    expect(
+      ɵɵsanitizeUrlOrResourceUrl(
+        bypassSanitizationTrustResourceUrl('javascript:true'),
+        'object',
+        'data',
+      ).toString(),
+    ).toEqual('javascript:true');
   });
 
   it('should sanitize urls via sanitizeUrlOrResourceUrl', () => {
