Iterating over the NamedNodeMap returned by Element.prototype.attributes

is unsafe and vulnerable to race conditions.
bigskysoftware · Dec 20, 2024 · 6fbb0f2 · 6fbb0f2
1 parent 917587a
commit 6fbb0f2
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/src/idiomorph.js b/src/idiomorph.js
@@ -426,8 +426,11 @@ var Idiomorph = (function () {
             if (type === 1 /* element type */) {
                 const fromEl = /** @type {Element} */ (from);
                 const toEl = /** @type {Element} */ (to);
-                const fromAttributes = fromEl.attributes;
-                const toAttributes = toEl.attributes;
+                // Element.prototype.attributes returns a live NamedNodeMap, which is
+                // vulnerable to race conditions, and therefore cannot be safely iterated,
+                // so convert to a static array before iterating.
+                const fromAttributes = Array.from(fromEl.attributes);
+                const toAttributes = Array.from(toEl.attributes);
                 for (const fromAttribute of fromAttributes) {
                     if (ignoreAttribute(fromAttribute.name, toEl, 'update', ctx)) {
                         continue;
@@ -436,9 +439,7 @@ var Idiomorph = (function () {
                         toEl.setAttribute(fromAttribute.name, fromAttribute.value);
                     }
                 }
-                // iterate backwards to avoid skipping over items when a delete occurs
-                for (let i = toAttributes.length - 1; 0 <= i; i--) {
-                    const toAttribute = toAttributes[i];
+                for (const toAttribute of toAttributes) {
                     if (!fromEl.hasAttribute(toAttribute.name)) {
                         if (ignoreAttribute(toAttribute.name, toEl, 'remove', ctx)) {
                             continue;