Don't choke on iframes without a src (#3272)

Fixes #3271
mdn · Mar 17, 2021 · aaec11e · aaec11e
1 parent d75d607
commit aaec11e
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/build/flaws.js b/build/flaws.js
@@ -75,7 +75,7 @@ function injectFlaws(doc, $, options, document) {
   }
 }
 
-function injectUnsafeHTMLFlaws(doc, $, { rawContent }) {
+function injectUnsafeHTMLFlaws(doc, $, { rawContent, fileInfo }) {
   function addFlaw(element, explanation) {
     if (!("unsafe_html" in doc.flaws)) {
       doc.flaws.unsafe_html = [];
@@ -131,6 +131,12 @@ function injectUnsafeHTMLFlaws(doc, $, { rawContent }) {
     if (tagName === "iframe") {
       // For iframes we only check the 'src' value
       const src = $(element).attr("src");
+      if (!src) {
+        console.warn(
+          `${fileInfo.path} has an iframe without a 'src' attribute`
+        );
+        return;
+      }
       // Local URLs are always safe.
       if (!(src.startsWith("//") || src.includes("://"))) {
         return;