From: Alister Stevens <alister@pebblepad.co.uk>
Date: Tue, 6 May 2025 13:40:27 +0100
Subject: Fix improper sanitisation of href and xlink:href on SVG image
 elements

Fix CVE-2025-0716

origin: backport, https://github.com/PebblePad/angular.js/commit/71513129efd044c09e52d47455d73c62ff3287d8
bug: https://www.herodevs.com/vulnerability-directory/cve-2025-0716?angularjs-nes
bug-poc: https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915
---
 src/ng/compile.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/ng/compile.js b/src/ng/compile.js
index 8e7cf98..c525895 100644
--- a/src/ng/compile.js
+++ b/src/ng/compile.js
@@ -3807,6 +3807,11 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
           (nodeName === 'link' && attrNormalizedName === 'href')
       ) {
         return $sce.RESOURCE_URL;
+      } else if (
+          // SVG image href can be abused (content spoofing)
+          (nodeName === "image") && (attrNormalizedName === 'href' || attrNormalizedName === 'ngHref')
+      ) {
+        return $sce.MEDIA_URL;
       } else if (nodeName === 'a' && (attrNormalizedName === 'href' ||
                                  attrNormalizedName === 'ngHref')) {
         return $sce.URL;