Merge pull request #461 from preactjs/fix-link

JoviDeCroock · web-flow · commit 833043bc3463 · 2026-05-17T11:51:20.000+02:00
Reject namespaced attribute
diff --git a/.changeset/clean-lions-smile.md b/.changeset/clean-lions-smile.md
@@ -0,0 +1,5 @@
+---
+'preact-render-to-string': patch
+---
+
+Reject unsafe namespaced attribute names before normalizing SVG/XML attribute casing.
diff --git a/src/index.js b/src/index.js
@@ -658,10 +658,10 @@ function _renderToString(
 				break;
 
 			default: {
-				if (NAMESPACE_REPLACE_REGEX.test(name)) {
-					name = name.replace(NAMESPACE_REPLACE_REGEX, '$1:$2').toLowerCase();
-				} else if (UNSAFE_NAME.test(name)) {
+				if (UNSAFE_NAME.test(name)) {
 					continue;
+				} else if (NAMESPACE_REPLACE_REGEX.test(name)) {
+					name = name.replace(NAMESPACE_REPLACE_REGEX, '$1:$2').toLowerCase();
 				} else if (
 					(name[4] === '-' || HTML_ENUMERATED.has(name)) &&
 					v != null
diff --git a/test/render.test.jsx b/test/render.test.jsx
@@ -193,6 +193,22 @@ describe('render', () => {
 				expect(rendered).to.equal(`<div a="b"></div>`);
 			});
 
+			it('should not render JS in namespaced attributes', () => {
+				let rendered = render(
+					h(
+						'svg',
+						null,
+						h('image', {
+							xlinkHref: '#',
+							'xlinkHref onload': 'alert(1)',
+							'xlinkHref><script>alert(1)</script><image x': '#',
+							'xlink:href onload': 'alert(2)'
+						})
+					)
+				);
+				expect(rendered).to.equal(`<svg><image xlink:href="#"></image></svg>`);
+			});
+
 			it('should allow emoji attribute names', () => {
 				let rendered = render(
 					h('div', {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'preact-render-to-string': patch
 +---
++
 +Reject unsafe namespaced attribute names before normalizing SVG/XML attribute casing.