fix(core): sanitize sensitive attributes on SVG script elements#66318

Merged
kirjs merged 2 commits intoangular:mainfrom
alan-agius4:svg-script-security
Jan 6, 2026

Conversation

@alan-agius4
Contributor

@alan-agius4 alan-agius4 commented Jan 5, 2026

This commit updates the DOM security schema and sanitization logic to properly recognize and sanitize `href` and `xlink:href` attributes on SVG `<script>` elements.

Previously, these attributes were not treated as resource URLs, which could allow for Cross-Site Scripting (XSS) if attacker-controlled values were interpolated into them.

Context: http://b/472263766

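An added, runnable model of the issue the description above reports. This is example code written for this page, not Angular's own security schema or sanitizer: the schema keyed `tag|attr`, the `TrustedResourceUrl` wrapper standing in for an explicitly trusted value, the simplified safe-URL pattern, and the attacker host are all assumptions. The `fixed` flag switches between the pre-fix schema (no entries for `script|href` / `script|xlink:href`) and the post-fix schema.

```typescript
// Added example: a toy model of an attribute security schema and sanitizer.
// Not Angular's code; names, the schema subset and the attacker URL are assumptions.

enum SecurityContext {
  NONE,
  URL,           // a link target: sanitized, "javascript:" neutralised
  RESOURCE_URL,  // something the browser fetches and executes: never accepted as a plain string
}

// Schema keyed "tag|attr" -> context. Only an illustrative subset of entries.
type Schema = Map<string, SecurityContext>;

function buildSchema(fixed: boolean): Schema {
  const schema: Schema = new Map<string, SecurityContext>();
  schema.set('script|src', SecurityContext.RESOURCE_URL);
  schema.set('a|href', SecurityContext.URL);
  schema.set('image|xlink:href', SecurityContext.URL);
  if (fixed) {
    // The missing entries: an SVG <script> loads its source from href (SVG 2) or
    // xlink:href (SVG 1.1), exactly as HTML <script src> does, so both are resource URLs.
    schema.set('script|href', SecurityContext.RESOURCE_URL);
    schema.set('script|xlink:href', SecurityContext.RESOURCE_URL);
  }
  return schema;
}

// Hypothetical wrapper standing in for a value the application explicitly trusted.
class TrustedResourceUrl {
  constructor(readonly url: string) {}
}

// Simplified safe-URL check (an assumption, not the framework's exact pattern):
// any scheme except javascript:, or a scheme-less relative reference.
const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:/?#]*(?:[/?#]|$))/i;

function sanitizeUrl(value: string): string {
  return SAFE_URL_PATTERN.test(value) ? value : 'unsafe:' + value;
}

function sanitizeAttribute(
  schema: Schema, tag: string, attr: string, value: string | TrustedResourceUrl,
): string {
  const context = schema.get(`${tag.toLowerCase()}|${attr.toLowerCase()}`) ?? SecurityContext.NONE;
  if (context === SecurityContext.RESOURCE_URL) {
    // Plain strings are rejected outright; only an explicitly trusted value passes.
    if (value instanceof TrustedResourceUrl) return value.url;
    throw new Error(`unsafe value used in a resource URL context (${tag}|${attr})`);
  }
  if (value instanceof TrustedResourceUrl) {
    throw new Error(`trusted resource URL used outside a resource URL context (${tag}|${attr})`);
  }
  return context === SecurityContext.URL ? sanitizeUrl(value) : value;
}

// Simulates binding an attacker-controlled string to an SVG <script> attribute.
function renderSvgScript(
  schema: Schema, attr: string, value: string,
): {outcome: 'rendered' | 'blocked'; markup: string} {
  try {
    const safe = sanitizeAttribute(schema, 'script', attr, value);
    return {outcome: 'rendered', markup: `<svg><script ${attr}="${safe}"></script></svg>`};
  } catch {
    return {outcome: 'blocked', markup: ''};
  }
}

// Constructed attacker-controlled input; the host is illustrative.
const ATTACKER_URL = 'https://attacker.example/payload.js';

console.log('before fix:', renderSvgScript(buildSchema(false), 'href', ATTACKER_URL));
console.log('after fix:', renderSvgScript(buildSchema(true), 'href', ATTACKER_URL));
console.log('after fix (xlink):', renderSvgScript(buildSchema(true), 'xlink:href', ATTACKER_URL));
```

Before the fix, `script|href` is absent from the schema, so the interpolated value lands in the markup unchanged and the browser would fetch and execute the referenced script. After the fix the attribute is a resource URL context: a plain string, sanitized or not, is refused, and only a value the application deliberately marked as trusted reaches the DOM. The distinction from the ordinary `URL` context matters: for a link target, neutralising `javascript:` is enough, but a script source is executed no matter what scheme it uses, so an allow-list of schemes cannot make it safe.
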
@angular-robot angular-robot bot added the area: core Issues related to the framework runtime label Jan 5, 2026
@ngbot ngbot bot added this to the Backlog milestone Jan 5, 2026
@alan-agius4 alan-agius4 added target: patch This PR is targeted for the next patch release target: minor This PR is targeted for the next minor release requires: TGP This PR requires a passing TGP before merging is allowed action: presubmit The PR is in need of a google3 presubmit and removed target: patch This PR is targeted for the next patch release requires: TGP This PR requires a passing TGP before merging is allowed labels Jan 5, 2026
@alan-agius4
Contributor Author

alan-agius4 commented Jan 5, 2026

TGP
TGP Deflake

@alan-agius4 alan-agius4 marked this pull request as ready for review January 5, 2026 13:30
@alan-agius4 alan-agius4 added the action: review The PR is still awaiting reviews from at least one requested reviewer label Jan 5, 2026
@alan-agius4 alan-agius4 removed the action: presubmit The PR is in need of a google3 presubmit label Jan 5, 2026
Member

@josephperrott josephperrott left a comment

LGTM

Reviewed-for: fw-security

@pullapprove pullapprove bot requested a review from jelbourn January 5, 2026 18:05
Contributor

@jelbourn jelbourn left a comment

LGTM

Reviewed-for: fw-security

@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Jan 6, 2026
@kirjs kirjs merged commit 91dc91b into angular:main Jan 6, 2026
20 checks passed
This was referenced Jan 10, 2026
@angular-automatic-lock-bot
This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Feb 8, 2026