
[fix] only read static value for rel attribute validation (#8003)
fixes #7994
dominikg authored Nov 10, 2022
1 parent ea219f4 commit ee480bd
Showing 2 changed files with 15 additions and 12 deletions.
23 changes: 12 additions & 11 deletions src/compiler/compile/nodes/Element.ts
Expand Up @@ -620,17 +620,18 @@ export default class Element extends Node {

if (href_static_value === null || href_static_value.match(/^(https?:)?\/\//i)) {
const rel = attribute_map.get('rel');
const rel_values = rel ? rel.get_static_value().split(' ') : [];
const expected_values = ['noreferrer'];

expected_values.forEach(expected_value => {
if (!rel || rel && rel_values.indexOf(expected_value) < 0) {
component.warn(this, {
code: `security-anchor-rel-${expected_value}`,
message: `Security: Anchor with "target=_blank" should have rel attribute containing the value "${expected_value}"`
});
}
});
if (rel == null || rel.is_static) {
const rel_values = rel ? rel.get_static_value().split(' ') : [];
const expected_values = ['noreferrer'];
expected_values.forEach(expected_value => {
if (!rel || rel && rel_values.indexOf(expected_value) < 0) {
component.warn(this, {
code: `security-anchor-rel-${expected_value}`,
message: `Security: Anchor with "target=_blank" should have rel attribute containing the value "${expected_value}"`
});
}
});
}
}
}

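Review bot: The static-path tokenisation in `const rel_values = rel ? rel.get_static_value().split(' ') : [];` splits on a single space only, while an HTML `rel` value is a set of ASCII-whitespace-separated, ASCII-case-insensitive tokens, so `rel="noopener<TAB>noreferrer"` or `rel="NoReferrer"` would still raise `security-anchor-rel-noreferrer` — false positives on a security warning teach authors to ignore it. A closer match is `const rel_values = rel ? String(rel.get_static_value()).toLowerCase().split(/\s+/).filter(Boolean) : [];` (the `String(...)` also keeps a valueless `<a rel target="_blank">` from throwing, if `get_static_value()` can return a non-string in that case — `Attribute` is not visible from this hunk). The new `rel == null || rel.is_static` guard deliberately skips a dynamic `rel` altogether; that is the right call for a compile-time check, but it deserves a one-line comment such as `// a rel bound to an expression cannot be validated at compile time; skip rather than warn` so nobody later reads the silence as "validated". Minor: `!rel || rel && rel_values.indexOf(expected_value) < 0` reduces to `!rel || !rel_values.includes(expected_value)`. The enclosing method starts above and ends below this hunk.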
Expand Up @@ -28,4 +28,6 @@
<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<a href="//svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="//svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<a href="//svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<!-- dynamic rel value should not warn-->
<a href="//svelte.dev" target="_blank" rel={`${Math.random()}`}>svelte website (valid)</a>
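Review bot: The new fixture line with `rel={`${Math.random()}`}` is labelled "(valid)", but a dynamic `rel` is not validated by this change — it is skipped — so the label documents a guarantee the compiler does not give; `(dynamic, not checked)` would be more honest and matches the comment above it. If the compiler also treats a mixed value such as `rel="noopener {suffix}"` as non-static (I can't confirm that from this hunk), it deserves a fixture line of its own, since that shape is the one most likely to be hand-written and silently bypass the warning. The `<!-- dynamic rel value should not warn-->` comment is missing a space before `-->`.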
