emberjs · metsw24-max · Jun 5, 2026
diff --git a/packages/@glimmer-workspace/integration-tests/test/attributes-test.ts b/packages/@glimmer-workspace/integration-tests/test/attributes-test.ts
@@ -144,6 +144,40 @@ export class AttributesTests extends RenderTest {
     this.assertStableNodes();
   }
 
+  @test
+  'button[formaction] is marked as unsafe'() {
+    // `formaction` overrides the owning form's `action` at submit time, so it
+    // is the same submission-URL sink as `<form action>` and must reject
+    // `javascript:` URLs. Otherwise it is a drop-in bypass for the `action`
+    // sanitization.
+    this.render('<form><button formaction="{{this.foo}}"></button></form>', {
+      foo: 'javascript:foo()',
+    });
+    this.assertHTML('<form><button formaction="unsafe:javascript:foo()"></button></form>');
+    this.assertStableRerender();
+
+    this.rerender({ foo: 'http://foo.bar' });
+    this.assertHTML('<form><button formaction="http://foo.bar"></button></form>');
+    this.assertStableNodes();
+
+    this.rerender({ foo: 'javascript:foo()' });
+    this.assertHTML('<form><button formaction="unsafe:javascript:foo()"></button></form>');
+    this.assertStableNodes();
+  }
+
+  @test
+  'input[formaction] is marked as unsafe'() {
+    this.render('<form><input type="submit" formaction="{{this.foo}}" /></form>', {
+      foo: 'javascript:foo()',
+    });
+    this.assertHTML('<form><input type="submit" formaction="unsafe:javascript:foo()" /></form>');
+    this.assertStableRerender();
+
+    this.rerender({ foo: 'http://foo.bar' });
+    this.assertHTML('<form><input type="submit" formaction="http://foo.bar" /></form>');
+    this.assertStableNodes();
+  }
+
   @test
   'triple curlies in attribute position'() {
     this.render('<div data-bar="bar" data-foo={{{this.rawString}}}>Hello</div>', {

diff --git a/packages/@glimmer/runtime/lib/dom/sanitized-values.ts b/packages/@glimmer/runtime/lib/dom/sanitized-values.ts
@@ -4,11 +4,19 @@ import { isSafeString, normalizeStringValue } from '../dom/normalize';
 
 const badProtocols = ['javascript:', 'vbscript:'];
 
-const badTags = ['A', 'BODY', 'LINK', 'IMG', 'IFRAME', 'BASE', 'FORM'];
+// `BUTTON`/`INPUT` are included because a submit `<button>` or
+// `<input type="submit"|"image">` may carry a `formaction` attribute, which
+// overrides the owning `<form>`'s `action` at submission time. Without them the
+// `action`/`formaction` URL sanitization below would only guard `<form action>`
+// and could be bypassed by moving the same `javascript:` URL onto the submit
+// control's `formaction`.
+const badTags = ['A', 'BODY', 'LINK', 'IMG', 'IFRAME', 'BASE', 'FORM', 'BUTTON', 'INPUT'];
 
 const badTagsForDataURI = ['EMBED'];
 
-const badAttributes = ['href', 'src', 'background', 'action'];
+// `formaction` mirrors `action`: it is the per-submit-control override of a
+// form's submission URL and must be sanitized for the same reason.
+const badAttributes = ['href', 'src', 'background', 'action', 'formaction'];
 
 const badAttributesForDataURI = ['src'];