
Commit ee480bd

authored
[fix] only read static value for rel attribute validation (#8003)
fixes #7994
1 parent ea219f4 commit ee480bd


2 files changed

+15
-12
lines changed


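--- a/src/compiler/compile/nodes/Element.ts
+++ b/src/compiler/compile/nodes/Element.ts
@@ -620,17 +620,18 @@ export default class Element extends Node {
 
 if (href_static_value === null || href_static_value.match(/^(https?:)?\/\//i)) {
 const rel = attribute_map.get('rel');
-const rel_values = rel ? rel.get_static_value().split(' ') : [];
-const expected_values = ['noreferrer'];
-
-expected_values.forEach(expected_value => {
-if (!rel || rel && rel_values.indexOf(expected_value) < 0) {
-component.warn(this, {
-code: `security-anchor-rel-${expected_value}`,
-message: `Security: Anchor with "target=_blank" should have rel attribute containing the value "${expected_value}"`
-});
-}
-});
+if (rel == null || rel.is_static) {
+const rel_values = rel ? rel.get_static_value().split(' ') : [];
+const expected_values = ['noreferrer'];
+expected_values.forEach(expected_value => {
+if (!rel || rel && rel_values.indexOf(expected_value) < 0) {
+component.warn(this, {
+code: `security-anchor-rel-${expected_value}`,
+message: `Security: Anchor with "target=_blank" should have rel attribute containing the value "${expected_value}"`
+});
+}
+});
+}
 }
 }
 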
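Review bot: The new guard `if (rel == null || rel.is_static)` makes the `security-anchor-rel-noreferrer` check silently skip every anchor whose `rel` is dynamic, and nothing in the code says that this is a limit of a compile-time lint rather than a verdict that the link is safe. I would add a comment above the guard such as `// a dynamic rel cannot be evaluated at compile time, so only a missing or static rel is validated; dynamic values are not checked`. Inside the guard, `rel_values` is built with `split(' ')`, so a `rel` whose tokens are separated by a tab or newline, or written as `NoReferrer`, still warns although browsers accept it; `split(/\s+/)` on a lower-cased value would match how the attribute is parsed. The enclosing method starts before the hunk, so whether `get_static_value()` always returns a string for a static `rel` (for example a bare `rel` attribute with no value) cannot be confirmed from here and is worth checking before `.split` is called on it.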

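--- a/test/validator/samples/security-anchor-rel-noreferrer/input.svelte
+++ b/test/validator/samples/security-anchor-rel-noreferrer/input.svelte
@@ -28,4 +28,6 @@
 <a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
 <a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
 <a href="//svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
-<a href="//svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
+<a href="//svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
+<!-- dynamic rel value should not warn-->
+<a href="//svelte.dev" target="_blank" rel={`${Math.random()}`}>svelte website (valid)</a>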
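Review bot: The new fixture anchor on the last line is labelled `svelte website (valid)` although its `rel` evaluates to a random number and never contains `noreferrer`; the case under test is "not checked at compile time", not "valid". I would change the link text to something like `svelte website (dynamic rel, not checked)` so the sample does not read as an example of a safe link. The fixture also covers only a pure expression; a mixed value such as `rel="noreferrer {extra}"` would presumably take the same skip path and could be added as a second case.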
