How Lightning Web Security Sanitizes Static Resources in SVG Elements

LWS doesn't sanitize input text. Your code must validate or sanitize any user input.

Lightning Web Security (LWS) sanitizes resources loaded using the <use> tag and other SVG elements that support an href attribute.

For example, the URL in this <use> tag is sanitized.

LWS replaces the href value with a sanitized value. The sanitized URL is similar to:

The sanitized URL is unknown outside the sandbox.

Despite the changes to the DOM, the content continues to function as expected.
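Because LWS doesn't sanitize input text, a component that builds a `<use>` href from user input has to validate that input itself. The following is an added example, not Salesforce code: the sprite path, the origin, the allow-list, and the function names are all assumptions made for illustration.

```javascript
// Added example (not Salesforce code). All names and URLs are hypothetical.
// SPRITE_URL stands in for the URL of a static resource the component imports.
const SPRITE_URL = '/resource/constructed_sprite/icons.svg'; // constructed
const PAGE_ORIGIN = 'https://example.test';                  // constructed

// Symbol ids this component is willing to reference (allow-list).
const ALLOWED_SYMBOLS = new Set(['check', 'warning', 'info']);

// Shape check: starts with a letter; letters, digits, "_" or "-"; max 64 chars.
const SYMBOL_ID_PATTERN = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;

// Returns the id if it is well formed AND allow-listed, otherwise null.
function validateSymbolId(input) {
  if (typeof input !== 'string') return null;
  if (!SYMBOL_ID_PATTERN.test(input)) return null;
  return ALLOWED_SYMBOLS.has(input) ? input : null;
}

// Builds the href from a user-chosen symbol id. The user never supplies a URL,
// only an id, and anything that fails validation falls back to a known symbol.
function buildUseHref(userInput, fallback = 'info') {
  const id = validateSymbolId(userInput) ?? fallback;
  return `${SPRITE_URL}#${id}`;
}

// Checks a complete href (for example, one read back from stored configuration)
// before it is assigned to a <use> element: same origin, exact sprite path,
// no query string, and an allow-listed fragment.
function isTrustedSpriteHref(href, pageOrigin = PAGE_ORIGIN) {
  if (typeof href !== 'string') return false;
  let url;
  try {
    url = new URL(href, pageOrigin);
  } catch {
    return false;
  }
  return (
    url.origin === new URL(pageOrigin).origin &&
    url.pathname === SPRITE_URL &&
    url.search === '' &&
    validateSymbolId(url.hash.slice(1)) !== null
  );
}
```

Run the validation on the raw user input, before the value is written to the DOM.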
