From 50a315be5b0c72249ca22260341907d00f352286 Mon Sep 17 00:00:00 2001
From: Simon Lydell
Date: Tue, 11 Nov 2025 17:16:06 +0100
Subject: [PATCH] Disallow srcdoc

---
 src/Elm/Kernel/VirtualDom.js | 10 +++++-----
 src/VirtualDom.elm | 6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/Elm/Kernel/VirtualDom.js b/src/Elm/Kernel/VirtualDom.js
index 690eaa8a..a6c10306 100644
--- a/src/Elm/Kernel/VirtualDom.js
+++ b/src/Elm/Kernel/VirtualDom.js
@@ -286,7 +286,7 @@ var _VirtualDom_attributeNS = F3(function(namespace, key, value)
 var _VirtualDom_RE_script = /^script$/i;
-var _VirtualDom_RE_on_formAction = /^(on|formAction$)/i;
+var _VirtualDom_RE_unsafeAttribute = /^(on|formAction|srcdoc$)/i;
 var _VirtualDom_RE_js = /^\s*j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:/i;
 var _VirtualDom_RE_js_html = /^\s*(j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:|d\s*a\s*t\s*a\s*:\s*t\s*e\s*x\s*t\s*\/\s*h\s*t\s*m\s*l\s*(,|;))/i;
@@ -296,14 +296,14 @@ function _VirtualDom_noScript(tag)
 	return _VirtualDom_RE_script.test(tag) ? 'p' : tag;
 }
-function _VirtualDom_noOnOrFormAction(key)
+function _VirtualDom_noUnsafeAttribute(key)
 {
-	return _VirtualDom_RE_on_formAction.test(key) ? 'data-' + key : key;
+	return _VirtualDom_RE_unsafeAttribute.test(key) ? 'data-' + key : key;
 }
-function _VirtualDom_noInnerHtmlOrFormAction(key)
+function _VirtualDom_noUnsafeProperty(key)
 {
-	return key == 'innerHTML' || key == 'outerHTML' || key == 'formAction' ? 'data-' + key : key;
+	return key == 'innerHTML' || key == 'outerHTML' || key == 'formAction' || key == 'srcdoc' ? 'data-' + key : key;
 }
 function _VirtualDom_noJavaScriptUri(value)
diff --git a/src/VirtualDom.elm b/src/VirtualDom.elm
index 10e85018..0a2586f5 100644
--- a/src/VirtualDom.elm
+++ b/src/VirtualDom.elm
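Review bot: `_VirtualDom_RE_unsafeAttribute` now carries three unrelated reasons for demoting a key to `data-`, none of them written down next to it, and the `$` that binds only to the `srcdoc` alternative is easy to misread as anchoring the whole group. The reason for the new entry is visible right below it: `_VirtualDom_RE_js` and `_VirtualDom_RE_js_html` only inspect the start of a value for a `javascript:` or `data:text/html` prefix, while `srcdoc` takes raw markup, so the value filter cannot see anything inside it. A comment above the declaration would save the next reader re-deriving that, e.g. `// Keys whose value the URI filters below cannot vet: on* (handler source), formAction* and srcdoc. srcdoc is raw HTML, not a URI, so the prefix checks never see its contents; note the $ anchors srcdoc only, the other two match by prefix.` The case-insensitive flag is what makes `SrcDoc` fall through to `data-SrcDoc` as well, which matters on the attribute path where HTML names are case-insensitive.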
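Review bot: `_VirtualDom_noUnsafeProperty` matches `srcdoc` with an exact `==` while its attribute counterpart two functions up uses a case-insensitive regex, and nothing says the asymmetry is deliberate, so a reader will ask whether `srcDoc` or `SRCDOC` slips through the property path. Exact matching is right here because DOM property names are case-sensitive and a miscased key only creates an inert expando on the node; state that in a comment, e.g. `// Property names are case-sensitive (unlike attributes), so an exact match suffices; a miscased key is an inert expando, not a live sink.` The growing `||` chain would also read better as a lookup kept next to `_VirtualDom_RE_unsafeAttribute` so the two deny-lists sit together, e.g. `var _VirtualDom_RE_unsafeProperty = /^(innerHTML|outerHTML|formAction|srcdoc)$/;` and `return _VirtualDom_RE_unsafeProperty.test(key) ? 'data-' + key : key;`. I don't see a test in this patch pinning the new `srcdoc` behaviour on either path; if the repo has a sanitizer test suite, one case per function would lock it in.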
@@ -164,7 +164,7 @@ would be in JavaScript, not `for` as it would appear in HTML.
 property : String -> Json.Value -> Attribute msg
 property key value =
   Elm.Kernel.VirtualDom.property
-    (Elm.Kernel.VirtualDom.noInnerHtmlOrFormAction key)
+    (Elm.Kernel.VirtualDom.noUnsafeProperty key)
     (Elm.Kernel.VirtualDom.noJavaScriptOrHtmlJson value)
@@ -181,7 +181,7 @@ be in HTML, not `htmlFor` as it would appear in JS.
 attribute : String -> String -> Attribute msg
 attribute key value =
   Elm.Kernel.VirtualDom.attribute
-    (Elm.Kernel.VirtualDom.noOnOrFormAction key)
+    (Elm.Kernel.VirtualDom.noUnsafeAttribute key)
     (Elm.Kernel.VirtualDom.noJavaScriptOrHtmlUri value)
@@ -199,7 +199,7 @@ attributeNS : String -> String -> String -> Attribute msg
 attributeNS namespace key value =
   Elm.Kernel.VirtualDom.attributeNS
     namespace
-    (Elm.Kernel.VirtualDom.noOnOrFormAction key)
+    (Elm.Kernel.VirtualDom.noUnsafeAttribute key)
     (Elm.Kernel.VirtualDom.noJavaScriptOrHtmlUri value)