Backport 68591 21.2.x #68925

Closed

alan-agius4 wants to merge 8 commits into angular:21.2.x from alan-agius4:backport-68591-21.2.x

Conversation

@alan-agius4 (Contributor)

Several backports

alan-agius4 and others added 8 commits May 26, 2026 07:04
…time i18n attribute validation

Updates `DomElementSchemaRegistry` to strip `:svg:` and `:math:` namespace prefixes
from tag names before querying `SECURITY_SCHEMA` at compile-time. This allows SVG
and MathML attributes to correctly match their security contexts during compilation.

… elements

Dynamic bindings to `href` and `xlink:href` attributes on SVG `<a>` elements (`<svg:a>`) were previously unmapped in the DOM security schema. As a result, they bypassed sanitization completely, creating a potential XSS vulnerability if bound to untrusted user inputs (e.g., `javascript:` URLs).

This fix mitigates this risk by:

1. Registering `href` and `xlink:href` on `<svg:a>` elements under the `SecurityContext.URL` context in both the compiler and core DOM security schemas.

2. Enabling template compilation to output runtime URL sanitization checks (`ɵɵsanitizeUrl`) on these attributes.

3. Adding regression and verification test cases to ensure dynamic SVG link bindings are safely sanitized at runtime while static values are correctly allowed.

…ntSchemaRegistry

Custom XML/XHTML namespaced elements (e.g., <xhtml:a>) fall back to the standard HTML namespace during element creation at compile-time/runtime. However, their property and security context lookups inside the schema registry were incorrectly performed using the full namespaced tag name (e.g., :xhtml:a), which bypassed the default a|href sanitization registry and incorrectly returned SecurityContext.NONE instead of SecurityContext.URL.

This commit introduces tag name normalization inside DomElementSchemaRegistry for custom namespaces (other than the built-in svg and math namespaces). Custom namespaced tag names are now normalized to their simple HTML element counterparts for all registry queries, ensuring that correct property schema validation and dynamic security sanitization rules (such as URL sanitization) are enforced at runtime.

…text lookup

Normalize namespaced tag names (e.g., :xhtml:a to a) inside i18nResolveSanitizer before looking up their security context. This ensures custom namespaced tag attributes undergo correct translation sanitization at runtime.

…ompilation

Ensures that namespaced <script> elements (such as :svg:script) are correctly classified as PreparsedElementType.SCRIPT by the template preparser and stripped during compilation to prevent potential XSS vulnerabilities. Consequently, obsolete security schema mappings and runtime sanitization checks for <script> attributes have been removed since these elements are never present in compiled template outputs.

Synchronizes the core's copy of the DOM security schema with the compiler-side schema definitions.

Removes the `should throw error on translated SVG script ResourceURL
attributes` integration test from `security_integration_spec.ts`.

This test is now obsolete because SVG `<script>` elements are stripped during
template compilation (implemented in 90494cd). As a result, they are no
longer present in the compiled template to trigger runtime sanitization,
causing this test (which expected a sanitization error to be thrown) to fail.
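The lookup gap the commit messages above describe, shown as an added example that is not part of this PR or of Angular's code base: a constructed model of a `tag|prop` security-schema table, a tag-name normalizer and a toy URL sanitizer. With the raw namespaced tag name as the only key, `:svg:a|xlink:href` and `:xhtml:a|href` resolve to `SecurityContext.NONE` and the bound value passes through untouched; with the normalized fallback and the new `<svg:a>` entries they resolve to `SecurityContext.URL` and a `javascript:` value is neutralised. The key format, lookup order, schema subset, sanitizer and every function name are assumptions of this model, and the namespaced `<script>` check from the fifth commit is folded in as well.

```typescript
// Added illustrative model of the schema-registry issue and fix described in the
// commits above. This is NOT Angular's code: the "tag|prop" key format, the lookup
// order, the schema subset, the sanitizer and every function name are assumptions
// constructed for this example.

export enum SecurityContext {
  NONE = 0,
  HTML = 1,
  URL = 4,
  RESOURCE_URL = 5,
}

// Constructed schema as it stood before the fix: only the plain HTML anchor entry.
export const SCHEMA_BEFORE: Record<string, SecurityContext> = {
  'a|href': SecurityContext.URL,
};

// Constructed schema after the fix: adds the `<svg:a>` entries the second commit registers.
export const SCHEMA_AFTER: Record<string, SecurityContext> = {
  ...SCHEMA_BEFORE,
  ':svg:a|href': SecurityContext.URL,
  ':svg:a|xlink:href': SecurityContext.URL,
};

// Split ":ns:local" into namespace and local name; a plain tag has no namespace.
export function splitNsName(tagName: string): [string | null, string] {
  if (!tagName.startsWith(':')) return [null, tagName];
  const end = tagName.indexOf(':', 1);
  return end === -1 ? [null, tagName] : [tagName.slice(1, end), tagName.slice(end + 1)];
}

// Normalization the commits describe: the built-in `:svg:`/`:math:` prefixes are
// stripped, and a custom namespace such as `:xhtml:` falls back to the plain HTML
// element name. Both paths end at the local name, so this model collapses them.
export function normalizeTagName(tagName: string): string {
  return splitNsName(tagName)[1];
}

// Security-context lookup. With `normalize` false the raw namespaced tag name is the
// only key tried (the pre-fix behaviour); with it true the normalized name is tried
// as a fallback, so `:xhtml:a|href` reaches the `a|href` entry.
export function securityContext(
  schema: Record<string, SecurityContext>,
  tagName: string,
  prop: string,
  normalize: boolean,
): SecurityContext {
  const tag = tagName.toLowerCase();
  const keys = [`${tag}|${prop}`];
  if (normalize) keys.push(`${normalizeTagName(tag)}|${prop}`);
  for (const key of keys) {
    const ctx = schema[key];
    if (ctx !== undefined) return ctx;
  }
  return SecurityContext.NONE;
}

// Constructed URL sanitizer: allows a short list of schemes and scheme-less relative
// URLs; anything else (e.g. `javascript:`) is neutralised with an `unsafe:` prefix.
const SAFE_URL = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:\/?#]*(?:[\/?#]|$))/i;
export function sanitizeUrl(url: string): string {
  const value = String(url).trim();
  return SAFE_URL.test(value) ? value : `unsafe:${value}`;
}

// Apply the sanitizer the looked-up context demands. A NONE result passes the bound
// value through untouched, which is exactly why the missed lookup was a security bug.
export function bindProperty(
  schema: Record<string, SecurityContext>,
  tagName: string,
  prop: string,
  value: string,
  normalize: boolean,
): string {
  const ctx = securityContext(schema, tagName, prop, normalize);
  switch (ctx) {
    case SecurityContext.URL:
      return sanitizeUrl(value);
    case SecurityContext.NONE:
      return value;
    default:
      // Fail closed for contexts this model does not implement a sanitizer for.
      throw new Error(`no sanitizer modelled for context ${SecurityContext[ctx]}`);
  }
}

// Preparser rule from the fifth commit: a namespaced <script> such as `:svg:script`
// must be recognised as a script element so it is stripped from the template.
export function isScriptElement(tagName: string): boolean {
  return splitNsName(tagName.toLowerCase())[1] === 'script';
}
```

The exact namespaced key is tried first so that `:svg:a|xlink:href` matches the entry registered for `<svg:a>`, and only then does the normalized name fall back to the HTML element's own entry; reversing that order would let a plain `a|*` rule shadow a more specific SVG one.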
@alan-agius4 alan-agius4 requested a review from AndrewKushnir May 26, 2026 07:21
@pullapprove pullapprove Bot requested a review from josephperrott May 26, 2026 07:21
@angular-robot angular-robot Bot added area: compiler Issues related to `ngc`, Angular's template compiler area: core Issues related to the framework runtime labels May 26, 2026
@ngbot ngbot Bot added this to the Backlog milestone May 26, 2026
@alan-agius4 alan-agius4 added the target: patch This PR is targeted for the next patch release label May 26, 2026
@alan-agius4 alan-agius4 added the action: review The PR is still awaiting reviews from at least one requested reviewer label May 27, 2026
@alan-agius4 alan-agius4 removed the request for review from josephperrott May 27, 2026 08:36
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker PullApprove: disable and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels May 27, 2026
@pullapprove pullapprove Bot requested a review from josephperrott May 27, 2026 08:36
@josephperrott (Member) left a comment

LGTM

Reviewed-for: fw-security

@alxhub (Member) commented May 27, 2026

This PR was merged into the repository. The changes were merged into the following branches:

alxhub pushed the commits listed above to the repository on May 27, 2026. Each pushed commit carries the same message as in the commit list above, with the subject line suffixed `(#68925)` and the trailer `PR Close #68925`.
@alxhub alxhub closed this May 27, 2026

Labels

- action: merge (The PR is ready for merge by the caretaker)
- area: compiler (Issues related to `ngc`, Angular's template compiler)
- area: core (Issues related to the framework runtime)
- PullApprove: disable
- target: patch (This PR is targeted for the next patch release)

5 participants