[svgwg] Clarify which string value is used when setting SVGAnimatedString's baseVal (#961) from Frédéric Wang via GitHub on 2025-01-06 (public-svg-issues@w3.org from January 2025)

From: Frédéric Wang via GitHub <sysbot+gh@w3.org>
Date: Mon, 06 Jan 2025 12:04:53 +0000
To: public-svg-issues@w3.org
Message-ID: <issues.opened-2770515277-1736165091-sysbot+gh@w3.org>

fred-wang has just created a new issue for https://github.com/w3c/svgwg:

== Clarify which string value is used when setting SVGAnimatedString's baseVal  ==
The corresponding paragraph is https://svgwg.org/svg2-draft/single-page.html#types-InterfaceSVGAnimatedString

Trusted type integration was made in https://github.com/w3c/svgwg/pull/934/files but I can't see the changes in the live version.

As I see, SVGAnimatedString is currently in multiple places:

* SVGURIReference's href (used by SVGScriptElement and many others)
* SVGAElement's target
* SVGElement's className

The steps for setting baseVal call "set the reflected attribute to value" which I believe corresponds to [this algo](https://html.spec.whatwg.org/#set-the-content-attribute) which accepts a string. For SVGScriptElement, "value" is set to the result of Get Trusted Type compliant string. But for other cases, it's set to the "specified value" which can be a `TrustedScriptURL`. Probably we should be more explicit and say we extract data as in https://html.spec.whatwg.org/#tt-trustedhtml-data

Note that in the case of a TrustedScriptURL  with a forged stringified, that means setting these properties (e.g. className) would behave differently from properties only accepting a string.

cc @lukewarlow 


Please view or discuss this issue at https://github.com/w3c/svgwg/issues/961 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 6 January 2025 12:04:54 UTC