From 43600b363ba415289aa2d12bcd16ca5d713276d2 Mon Sep 17 00:00:00 2001
From: Dmitry Artemov
Date: Sat, 18 Oct 2025 13:27:13 +0200
Subject: [PATCH] fix(sanitize): prevent XSS via SVG animate values attribute

---
 src/transform/sanitize.ts | 1 +
 test/__snapshots__/xss.test.ts.snap | 68 +++++++++++++++++++++++++++++
 test/xss.test.ts | 8 ++++
 3 files changed, 77 insertions(+)

diff --git a/src/transform/sanitize.ts b/src/transform/sanitize.ts
index a51d5940..9935b32c 100644
--- a/src/transform/sanitize.ts
+++ b/src/transform/sanitize.ts
@@ -554,6 +554,7 @@ export const defaultOptions: SanitizeOptions = {
 'xlink:href',
 'from',
 'to',
+ 'values',
 ],
 allowVulnerableTags: true,
 parser: defaultParseOptions,
diff --git a/test/__snapshots__/xss.test.ts.snap b/test/__snapshots__/xss.test.ts.snap
index 6914a8e9..32031952 100644
--- a/test/__snapshots__/xss.test.ts.snap
+++ b/test/__snapshots__/xss.test.ts.snap
@@ -236,6 +236,40 @@ exports[`XSS checks with disabled markdown-it-attrs You can EMBED SVG which can
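Review bot: Listing `'values'` alongside `from` and `to` closes the reported gap, but unlike those two the SVG `values` attribute is a semicolon-separated list, so if this list feeds a URL-scheme check that only inspects the start of the attribute string, a disallowed scheme in a later list entry would pass unnoticed. If the underlying checker does not already split on `;`, each entry should be validated and the attribute dropped when any entry fails, and the two new test cases should include a multi-entry `values` list rather than a single scheme. The option name this array belongs to and the rest of `defaultOptions` start outside the hunk, so I cannot confirm which check it feeds. A short comment on the new line would help future maintainers, e.g. `'values', // animate/set: semicolon-separated list, every entry must pass the scheme check`.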

`; +exports[`XSS checks with disabled markdown-it-attrs animate with values attribute 1`] = ` +

+ + + + + + XSS + + + +

+`; + +exports[`XSS checks with disabled markdown-it-attrs animate with values attribute and data: scheme 1`] = ` +

+ + + + + + Click + + + +

+`; + exports[`XSS checks with disabled markdown-it-attrs body image 1`] = `""`; exports[`XSS checks with disabled markdown-it-attrs body tag 1`] = `""`; @@ -585,6 +619,40 @@ exports[`XSS checks with enabled markdown-it-attrs You can EMBED SVG which can c

`; +exports[`XSS checks with enabled markdown-it-attrs animate with values attribute 1`] = ` +

+ + + + + + XSS + + + +

+`; + +exports[`XSS checks with enabled markdown-it-attrs animate with values attribute and data: scheme 1`] = ` +

+ + + + + + Click + + + +

+`; + exports[`XSS checks with enabled markdown-it-attrs body image 1`] = `""`; exports[`XSS checks with enabled markdown-it-attrs body tag 1`] = `""`; diff --git a/test/xss.test.ts b/test/xss.test.ts index e6219b4f..a8730978 100644 --- a/test/xss.test.ts +++ b/test/xss.test.ts @@ -167,6 +167,14 @@ const ckecks = [ 'href animate from', `
`,
 ],
+ [
+ 'animate with values attribute',
+ `XSS`,
+ ],
+ [
+ 'animate with values attribute and data: scheme',
+ `Click`,
+ ],
 ];
 describe.each([