From 72886832ac573196ac0f804951f2f898f65ffcdb Mon Sep 17 00:00:00 2001
From: rootvector2
Date: Thu, 28 May 2026 00:26:18 +0530
Subject: [PATCH] compare url attribute names case-insensitively when sanitizing

checkURI and checkDataURI matched attribute names against the lowercase badAttributes lists with a strict comparison, so a mixed-case name such as HREF or SRC bypassed the javascript:/vbscript: protocol check even though requiresSanitization still routed the element through the sanitizer.
---
 .../integration-tests/test/attributes-test.ts | 12 ++++++++++++
 .../@glimmer/runtime/lib/dom/sanitized-values.ts | 4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/packages/@glimmer-workspace/integration-tests/test/attributes-test.ts b/packages/@glimmer-workspace/integration-tests/test/attributes-test.ts
index eef13f25c13..36e53723e1b 100644
--- a/packages/@glimmer-workspace/integration-tests/test/attributes-test.ts
+++ b/packages/@glimmer-workspace/integration-tests/test/attributes-test.ts
@@ -573,6 +573,18 @@ export class AttributesTests extends RenderTest {
 this.assertHTML('');
 this.assertStableNodes();
 }
+
+ @test
+ 'sanitizes url attributes regardless of attribute name case'() {
+ this.render('', { foo: 'javascript:foo()' });
+ this.assertHTML('');
+
+ this.rerender({ foo: 'http://foo.bar' });
+ this.assertHTML('');
+
+ this.rerender({ foo: 'javascript:foo()' });
+ this.assertHTML('');
+ }
 }
 
 jitSuite(AttributesTests);
diff --git a/packages/@glimmer/runtime/lib/dom/sanitized-values.ts b/packages/@glimmer/runtime/lib/dom/sanitized-values.ts
index a5203749453..f5f0e16685d 100644
--- a/packages/@glimmer/runtime/lib/dom/sanitized-values.ts
+++ b/packages/@glimmer/runtime/lib/dom/sanitized-values.ts
@@ -17,12 +17,12 @@ function has(array: Array, item: string): boolean {
 }
 
 function checkURI(tagName: Nullable, attribute: string): boolean {
-  return (tagName === null || has(badTags, tagName)) && has(badAttributes, attribute);
+  return (tagName === null || has(badTags, tagName)) && has(badAttributes, attribute.toLowerCase());
 }
 
 function checkDataURI(tagName: Nullable, attribute: string): boolean {
   if (tagName === null) return false;
-  return has(badTagsForDataURI, tagName) && has(badAttributesForDataURI, attribute);
+  return has(badTagsForDataURI, tagName) && has(badAttributesForDataURI, attribute.toLowerCase());
 }
 
 export function requiresSanitization(tagName: string, attribute: string): boolean {
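Review bot: The `has(badTags, tagName)` and `has(badTagsForDataURI, tagName)` lookups on the same two changed lines are still strict comparisons, so the case-folding covers only the attribute half of the check; if a template author can write `<A HREF=...>` or `<IMG SRC=...>` and the element name reaches these helpers as written, the same class of bypass remains on the tag side (the list contents are outside the hunk, presumably lowercase like badAttributes). Folding both operands keeps the two helpers consistent: `return (tagName === null || has(badTags, tagName.toLowerCase())) && has(badAttributes, attribute.toLowerCase());` in checkURI and `return has(badTagsForDataURI, tagName.toLowerCase()) && has(badAttributesForDataURI, attribute.toLowerCase());` in checkDataURI. Whether tag names can actually arrive here in mixed case depends on the compiler and DOM path that produces tagName, which is not visible in this hunk, so that should be confirmed before treating it as a gap. A short comment above checkURI, `// HTML attribute names are case-insensitive and the lists are lowercase, so fold before lookup`, would record why the toLowerCase calls are there and discourage a future strict comparison from creeping back in. requiresSanitization's body continues outside the hunk.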