From aaec11ebf336b58ec92eff065b99dd867d5daa2f Mon Sep 17 00:00:00 2001
From: Peter Bengtsson <mail@peterbe.com>
Date: Wed, 17 Mar 2021 16:20:10 -0400
Subject: [PATCH] Don't choke on iframes without a src (#3272)

Fixes #3271
---
 build/flaws.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/build/flaws.js b/build/flaws.js
index 6426a47daa74..b64d624d1589 100644
--- a/build/flaws.js
+++ b/build/flaws.js
@@ -75,7 +75,7 @@ function injectFlaws(doc, $, options, document) {
   }
 }
 
-function injectUnsafeHTMLFlaws(doc, $, { rawContent }) {
+function injectUnsafeHTMLFlaws(doc, $, { rawContent, fileInfo }) {
   function addFlaw(element, explanation) {
     if (!("unsafe_html" in doc.flaws)) {
       doc.flaws.unsafe_html = [];
@@ -131,6 +131,12 @@ function injectUnsafeHTMLFlaws(doc, $, { rawContent }) {
     if (tagName === "iframe") {
       // For iframes we only check the 'src' value
       const src = $(element).attr("src");
+      if (!src) {
+        console.warn(
+          `${fileInfo.path} has an iframe without a 'src' attribute`
+        );
+        return;
+      }
       // Local URLs are always safe.
       if (!(src.startsWith("//") || src.includes("://"))) {
         return;