Skip to content

fix(core): sanitize anchor protocol bindings#69219

Open
SkyZeroZx wants to merge 1 commit into
angular:mainfrom
SkyZeroZx:fix/anchor-area-protocol
Open

fix(core): sanitize anchor protocol bindings#69219
SkyZeroZx wants to merge 1 commit into
angular:mainfrom
SkyZeroZx:fix/anchor-area-protocol

Conversation

@SkyZeroZx

@SkyZeroZx SkyZeroZx commented Jun 7, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Treat protocol property bindings on <a> and <area> as URL contexts.

This prevents a sanitized href from being re-schemed into an executable
javascript: URL by a later protocol property write.

See https://developer.mozilla.org/en-US/docs/Web/API/HTMLAnchorElement/protocol
More context https://issuetracker.google.com/u/1/issues/520794065

@angular-robot angular-robot Bot added the area: core Issues related to the framework runtime label Jun 7, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 7, 2026
@SkyZeroZx SkyZeroZx marked this pull request as ready for review June 7, 2026 23:10
@SkyZeroZx
fix(core): sanitize anchor protocol bindings
00a7f6f 
Treat `protocol` property bindings on `<a>` and `<area>` as URL contexts.

This prevents a sanitized `href` from being re-schemed into an executable
`javascript:` URL by a later protocol property write.
@SkyZeroZx SkyZeroZx force-pushed the fix/anchor-area-protocol branch from 915e1ae to 00a7f6f Compare June 8, 2026 00:17
@SkyZeroZx SkyZeroZx changed the title fix(core): sanitize anchor URL component bindings fix(core): sanitize anchor protocol bindings Jun 8, 2026
alan-agius4
alan-agius4 requested changes Jun 8, 2026
View reviewed changes

@alan-agius4 alan-agius4 left a comment
edited
Loading

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not entirely sure this is the right fix. The root issue might lies in the schema itself: https://github.com/angular/angular/blob/255151a41349c519728651739412dbd0f6138e13/packages/compiler/src/schema/dom_element_schema_registry.ts%23L99-L100

Setting protocol directly on element isn't really valid. We should dig a bit deeper into why this was originally introduced, as there are a few other invalid properties listed there as well.

Let me check with the team to see if this is by design.

@pullapprove pullapprove Bot requested a review from alan-agius4 June 8, 2026 07:30
@alan-agius4 alan-agius4 self-assigned this Jun 8, 2026
@SkyZeroZx

SkyZeroZx commented Jun 8, 2026

Copy link
Copy Markdown
Contributor Author

Setting protocol directly on element isn't really valid. We should dig a bit deeper into why this was originally introduced, as there are a few other invalid properties listed there as well.

So, the solution might be to use ATTRIBUTE_NO_BINDING, similar to how we currently handle iframe attributes, as in this PR #69202?

@alan-agius4

alan-agius4 commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

@SkyZeroZx, no the solution would be to remove the non standard properties from the known elements schema. But this still need to discussed internally.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crisbeto crisbeto Awaiting requested review from crisbeto

@josephperrott josephperrott Awaiting requested review from josephperrott

@alan-agius4 alan-agius4 Awaiting requested review from alan-agius4

Assignees

@alan-agius4 alan-agius4

Labels

area: core Issues related to the framework runtime

Projects

None yet

Milestone

Backlog

Development

Successfully merging this pull request may close these issues.

2 participants

@SkyZeroZx @alan-agius4