Detect invalid href attributes (#817)

joeldrapper · web-flow · commit dc1248af9add · 2024-11-25T12:44:13.000Z
Closes #816
diff --git a/lib/phlex/sgml.rb b/lib/phlex/sgml.rb
@@ -401,9 +401,16 @@ def __attributes__(attributes, buffer = +"")
 			unless Phlex::SGML::SafeObject === v
 				normalized_name = lower_name.delete("^a-z-")
 
-				if value != true && REF_ATTRIBUTES.include?(normalized_name) && value.downcase.delete("^a-z:").start_with?("javascript:")
-					# We just ignore these because they were likely not specified by the developer.
-					next
+				if value != true && REF_ATTRIBUTES.include?(normalized_name)
+					case value
+					when String
+						if value.downcase.delete("^a-z:").start_with?("javascript:")
+							# We just ignore these because they were likely not specified by the developer.
+							next
+						end
+					else
+						raise Phlex::ArgumentError.new("Invalid attribute value for #{k}: #{v.inspect}.")
+					end
 				end
 
 				if normalized_name.bytesize > 2 && normalized_name.start_with?("on") && !normalized_name.include?("-")
diff --git a/quickdraw/sgml/attributes.test.rb b/quickdraw/sgml/attributes.test.rb
@@ -26,6 +26,14 @@
 	end
 end
 
+test "href with hash" do
+	expect {
+		phlex { a(href: {}) }
+	}.to_raise(Phlex::ArgumentError) do |error|
+		expect(error.message) == "Invalid attribute value for href: #{{}.inspect}."
+	end
+end
+
 test "unsafe href attribute" do
 	expect(
 		phlex { div(href: "javascript:alert('hello')") },
