fix: validate xlink:href and fix data:text/html prefix check in sanitizer#491

Merged: farnabaz merged 3 commits into nuxt-content:main from farnabaz01:fix/sanitizer-bypass on Jun 21, 2026
Conversation

@farnabaz01 (Contributor):

Two bypasses in the HTML sanitizer:

  1. SVG xlink:href not validated - xlinkhref was not checked like href/src in validateProp
  2. data:text/html deny-list entries were dead code - compared against url.protocol which is always data: for data URIs

Fixed: check xlinkhref in validateProp, compare url.href instead of url.protocol.

All 54 existing tests pass. Added 4 new regression tests.
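The two checks described in this PR, written out as an added illustration in JavaScript. This is not the @nuxtjs/mdc source: the function names, the `xlinkhref` property name and the idea of a `unsafeLinkPrefix` deny-list follow the PR text, while the prefix list, the base URL and the handling of unparseable values are assumptions.

```javascript
// Added illustration of the sanitizer bugs this PR fixes; not the
// @nuxtjs/mdc code. Constructed deny-list in the style the PR describes:
// bare schemes plus one media-type-specific data: entry (assumed values).
const unsafeLinkPrefixes = ['javascript:', 'vbscript:', 'data:text/html'];

// Resolve relative links against an assumed base; an unparseable value
// is treated as disallowed (assumption, not the project's behaviour).
function parseUrl(value) {
  try {
    return new URL(String(value), 'https://example.invalid/');
  } catch {
    return null;
  }
}

// Before the fix: each prefix is compared against url.protocol. For any
// data: URI the protocol is exactly "data:", so the "data:text/html"
// entry can never match and is dead code.
function isAnchorLinkAllowedBefore(value) {
  const url = parseUrl(value);
  if (!url) return false;
  return !unsafeLinkPrefixes.some(p => url.protocol.startsWith(p));
}

// After the fix: compare against the normalized url.href, so both bare
// schemes and media-type prefixes are matched (the WHATWG parser also
// lowercases the scheme, so "DATA:..." is normalized to "data:...").
function isAnchorLinkAllowedAfter(value) {
  const url = parseUrl(value);
  if (!url) return false;
  return !unsafeLinkPrefixes.some(p => url.href.startsWith(p));
}

// Property check: before, only href/src were validated as links; after,
// xlinkhref (the hast property name for SVG xlink:href) is treated alike.
const LINK_PROPS_BEFORE = new Set(['href', 'src']);
const LINK_PROPS_AFTER = new Set(['href', 'src', 'xlinkhref']);

// Returns true when the property may be kept on the sanitized element.
function validateProp(name, value, linkProps, isAllowed) {
  if (!linkProps.has(name)) return true;
  return isAllowed(value);
}
```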

Ahad Birang added 2 commits June 21, 2026 17:53
…rl.href

- Add xlinkhref to validateProp href/src check so SVG anchor
  xlink:href attributes are validated (CVE sibling of href=javascript:)
- Change isAnchorLinkAllowed to compare unsafeLinkPrefix against
  url.href instead of url.protocol so data:text/html entries in the
  deny-list are actually matched instead of being dead code
  (protocol is only "data:" for any data URI)
@farnabaz01 (Contributor, Author) commented Jun 21, 2026:

Waiting for @farnabaz review.

@farnabaz (Collaborator) left a comment:

Approved

pkg-pr-new Bot commented Jun 21, 2026:
npm i https://pkg.pr.new/@nuxtjs/mdc@491

commit: 6db6501

farnabaz01 force-pushed the fix/sanitizer-bypass branch from e70d432 to 880caba on June 21, 2026 18:41
@farnabaz farnabaz merged commit 61d636c into nuxt-content:main Jun 21, 2026
2 checks passed