From b3b770f74efaad0993bffef8633f5339006d4259 Mon Sep 17 00:00:00 2001
From: Joel Drapper <joel@drapper.me>
Date: Tue, 29 Oct 2024 21:43:55 +0000
Subject: [PATCH] Detect invalid href attributes

---
 lib/phlex/sgml.rb                 | 13 ++++++++++---
 quickdraw/sgml/attributes.test.rb |  8 ++++++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/lib/phlex/sgml.rb b/lib/phlex/sgml.rb
index 4d686171..c6806dd5 100644
--- a/lib/phlex/sgml.rb
+++ b/lib/phlex/sgml.rb
@@ -401,9 +401,16 @@ def __attributes__(attributes, buffer = +"")
 			unless Phlex::SGML::SafeObject === v
 				normalized_name = lower_name.delete("^a-z-")
 
-				if value != true && REF_ATTRIBUTES.include?(normalized_name) && value.downcase.delete("^a-z:").start_with?("javascript:")
-					# We just ignore these because they were likely not specified by the developer.
-					next
+				if value != true && REF_ATTRIBUTES.include?(normalized_name)
+					case value
+					when String
+						if value.downcase.delete("^a-z:").start_with?("javascript:")
+							# We just ignore these because they were likely not specified by the developer.
+							next
+						end
+					else
+						raise Phlex::ArgumentError.new("Invalid attribute value for #{k}: #{v.inspect}.")
+					end
 				end
 
 				if normalized_name.bytesize > 2 && normalized_name.start_with?("on") && !normalized_name.include?("-")
diff --git a/quickdraw/sgml/attributes.test.rb b/quickdraw/sgml/attributes.test.rb
index e96040c7..6af6da6f 100644
--- a/quickdraw/sgml/attributes.test.rb
+++ b/quickdraw/sgml/attributes.test.rb
@@ -26,6 +26,14 @@
 	end
 end
 
+test "href with hash" do
+	expect {
+		phlex { a(href: {}) }
+	}.to_raise(Phlex::ArgumentError) do |error|
+		expect(error.message) == "Invalid attribute value for href: #{{}.inspect}."
+	end
+end
+
 test "unsafe href attribute" do
 	expect(
 		phlex { div(href: "javascript:alert('hello')") },