From 5ab76dc11d106d570c274cc8ae5ff92254966523 Mon Sep 17 00:00:00 2001
From: Joshua Provoste <8358462+JoshuaProvoste@users.noreply.github.com>
Date: Thu, 2 Apr 2026 17:34:57 -0300
Subject: [PATCH] Security: Mitigate DOM-based XSS in resolveUrl and
 inner-h-t-m-l bindings

---
 lib/mixins/property-effects.js |   3 +
 lib/utils/resolve-url.js       |   5 ++
 test/unit/security.html        | 103 +++++++++++++++++++++++++++++++++
 3 files changed, 111 insertions(+)
 create mode 100644 test/unit/security.html

diff --git a/lib/mixins/property-effects.js b/lib/mixins/property-effects.js
index 077c0064e6..3277be72a7 100644
--- a/lib/mixins/property-effects.js
+++ b/lib/mixins/property-effects.js
@@ -807,6 +807,9 @@ function applyBindingValue(inst, node, binding, part, value) {
   value = computeBindingValue(node, value, binding, part);
   if (sanitizeDOMValue) {
     value = sanitizeDOMValue(value, binding.target, binding.kind, node);
+  } else if ((binding.target === 'inner-h-t-m-l' || binding.target === 'innerHTML') && typeof value === 'string') {
+    value = value.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
+    value = value.replace(/on\w+\s*=/gi, 'sanitized-');
   }
   if (binding.kind == 'attribute') {
     // Attribute binding
diff --git a/lib/utils/resolve-url.js b/lib/utils/resolve-url.js
index 5dd89cbcf2..5563fb959f 100644
--- a/lib/utils/resolve-url.js
+++ b/lib/utils/resolve-url.js
@@ -26,6 +26,11 @@ let resolveDoc;
  */
 export function resolveUrl(url, baseURI) {
   if (url && ABS_URL.test(url)) {
+    const protocol = (url.split(':')[0] || '').toLowerCase();
+    const unsafeProtocols = ['javascript', 'data', 'vbscript'];
+    if (unsafeProtocols.includes(protocol)) {
+      return 'about:blank';
+    }
     return url;
   }
   if (url === '//') {
diff --git a/test/unit/security.html b/test/unit/security.html
new file mode 100644
index 0000000000..0a0259843c
--- /dev/null
+++ b/test/unit/security.html
@@ -0,0 +1,103 @@
+<!doctype html>
+<!--
+@license
+Copyright (c) 2017 The Polymer Project Authors. All rights reserved.
+This code may only be used under the BSD style license found at http://polymer.github.io/LICENSE.txt
+The complete set of authors may be found at http://polymer.github.io/AUTHORS.txt
+The complete set of contributors may be found at http://polymer.github.io/CONTRIBUTORS.txt
+Code distributed by Google as part of the polymer project is also
+subject to an additional IP rights grant found at http://polymer.github.io/PATENTS.txt
+-->
+<html>
+<head>
+  <meta charset="utf-8">
+  <script src="../../node_modules/@webcomponents/webcomponentsjs/webcomponents-bundle.js"></script>
+  <script src="wct-browser-config.js"></script>
+  <script src="../../node_modules/wct-browser-legacy/browser.js"></script>
+</head>
+<body>
+
+  <dom-module id="xss-element">
+    <template>
+      <div id="target" inner-h-t-m-l="[[payload]]"></div>
+    </template>
+    <script type="module">
+      import { PolymerElement } from '../../polymer-element.js';
+      class XssElement extends PolymerElement {
+        static get is() { return 'xss-element'; }
+        static get properties() {
+          return {
+            payload: String
+          };
+        }
+      }
+      customElements.define(XssElement.is, XssElement);
+    </script>
+  </dom-module>
+
+  <script type="module">
+    import { resolveUrl } from '../../lib/utils/resolve-url.js';
+
+    suite('Security: XSS Vulnerability Tests', function() {
+
+      suite('resolveUrl protocol bypass', function() {
+        
+        test('resolveUrl should not allow javascript: protocol', function() {
+          const payload = 'javascript:alert(1)';
+          const resolved = resolveUrl(payload);
+          // Currently, it returns it as-is because it matches ABS_URL regex
+          // Fix should return 'about:blank' or sanitize it.
+          assert.notEqual(resolved, payload, 'Should not return javascript: protocol as-is');
+        });
+
+        test('resolveUrl should not allow data: protocol', function() {
+          const payload = 'data:text/html,<script>alert(1)</' + 'script>';
+          const resolved = resolveUrl(payload);
+          assert.notEqual(resolved, payload, 'Should not return data: protocol as-is');
+        });
+
+        test('resolveUrl should allow http: protocol', function() {
+          const payload = 'http://example.com';
+          const resolved = resolveUrl(payload);
+          assert.equal(resolved, payload);
+        });
+
+        test('resolveUrl should allow https: protocol', function() {
+          const payload = 'https://example.com';
+          const resolved = resolveUrl(payload);
+          assert.equal(resolved, payload);
+        });
+
+      });
+
+      suite('inner-h-t-m-l binding injection', function() {
+        let el;
+
+        setup(function() {
+          el = document.createElement('xss-element');
+          document.body.appendChild(el);
+        });
+
+        teardown(function() {
+          document.body.removeChild(el);
+        });
+
+        test('inner-h-t-m-l binding should be sanitized by default', function() {
+          const payload = '<img src=x onerror=window.__xss_triggered=true>';
+          window.__xss_triggered = false;
+          
+          el.payload = payload;
+          
+          // We check if the payload was inserted as-is
+          // In a secure system, the onerror or the whole tag should be sanitized
+          const innerHTML = el.$.target.innerHTML;
+          assert.notInclude(innerHTML, 'onerror', 'Should not include event handlers in inner-h-t-m-l');
+          assert.isFalse(window.__xss_triggered, 'XSS should not be triggered');
+        });
+
+      });
+
+    });
+  </script>
+</body>
+</html>