From eb2a563a9bf6d90dfedf862226b5a80321fa0187 Mon Sep 17 00:00:00 2001
From: dominikg
Date: Tue, 8 Nov 2022 21:26:12 +0100
Subject: [PATCH 1/3] fix: only read static value for rel attribute validation

---
 src/compiler/compile/nodes/Element.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/compiler/compile/nodes/Element.ts b/src/compiler/compile/nodes/Element.ts
index 303b2e91228..0b7229d55b0 100644
--- a/src/compiler/compile/nodes/Element.ts
+++ b/src/compiler/compile/nodes/Element.ts
@@ -620,7 +620,7 @@ export default class Element extends Node {
  if (href_static_value === null || href_static_value.match(/^(https?:)?\/\//i)) {
  const rel = attribute_map.get('rel');
- const rel_values = rel ? rel.get_static_value().split(' ') : [];
+ const rel_values = rel?.is_static ? rel.get_static_value().split(' ') : [];
  const expected_values = ['noreferrer'];
 
  expected_values.forEach(expected_value => {

From 786a75fec413c00611740ffea498f7c76ea297bf Mon Sep 17 00:00:00 2001
From: dominikg
Date: Wed, 9 Nov 2022 11:08:16 +0100
Subject: [PATCH 2/3] fix: ignore dynamic values for rel validation

---
 src/compiler/compile/nodes/Element.ts | 23 ++++++++++---------
 .../input.svelte | 4 +++-
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/src/compiler/compile/nodes/Element.ts b/src/compiler/compile/nodes/Element.ts
index 0b7229d55b0..203f6cffb6f 100644
--- a/src/compiler/compile/nodes/Element.ts
+++ b/src/compiler/compile/nodes/Element.ts
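Review bot: The new `rel_values` line still tokenises with `split(' ')`, but HTML treats `rel` as a set of ASCII-whitespace-separated, case-insensitive link types, so a static `rel="noopener\tnoreferrer"` or `rel="NOREFERRER"` is not matched by the `indexOf` check below and produces a spurious `security-anchor-rel-noreferrer` warning, while a double space yields empty tokens. Tokenising with `rel.get_static_value().trim().split(/\s+/).map(v => v.toLowerCase())` would match the browser's reading of the attribute, assuming `get_static_value()` returns a string for a static attribute (the hunk does not show its return type). Separately, when `rel` is present but dynamic the new ternary falls back to `[]`, so the `forEach` that begins on the hunk's last line, whose body continues outside the hunk, will still warn on a `rel={expr}` anchor; the next commit in this series appears to address that. The enclosing method starts before the hunk.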
@@ -620,17 +620,18 @@ export default class Element extends Node {
  if (href_static_value === null || href_static_value.match(/^(https?:)?\/\//i)) {
  const rel = attribute_map.get('rel');
- const rel_values = rel?.is_static ? rel.get_static_value().split(' ') : [];
- const expected_values = ['noreferrer'];
-
- expected_values.forEach(expected_value => {
- if (!rel || rel && rel_values.indexOf(expected_value) < 0) {
- component.warn(this, {
- code: `security-anchor-rel-${expected_value}`,
- message: `Security: Anchor with "target=_blank" should have rel attribute containing the value "${expected_value}"`
- });
- }
- });
+ if (rel?.is_static) {
+ const rel_values = rel.get_static_value().split(' ');
+ const expected_values = ['noreferrer'];
+ expected_values.forEach(expected_value => {
+ if (!rel || rel && rel_values.indexOf(expected_value) < 0) {
+ component.warn(this, {
+ code: `security-anchor-rel-${expected_value}`,
+ message: `Security: Anchor with "target=_blank" should have rel attribute containing the value "${expected_value}"`
+ });
+ }
+ });
+ }
  }
  }
diff --git a/test/validator/samples/security-anchor-rel-noreferrer/input.svelte b/test/validator/samples/security-anchor-rel-noreferrer/input.svelte
index de52d5a5960..f5361e5cfea 100644
--- a/test/validator/samples/security-anchor-rel-noreferrer/input.svelte
+++ b/test/validator/samples/security-anchor-rel-noreferrer/input.svelte
@@ -28,4 +28,6 @@
 svelte website (valid)
 svelte website (valid)
 svelte website (valid)
-svelte website (valid)
\ No newline at end of file
+svelte website (valid)
+
+svelte website (valid)

From 7ac345ae5047484baae2cd8e5e0bd40ddd0b9a2c Mon Sep 17 00:00:00 2001
From: dominikg
Date: Wed, 9 Nov 2022 11:55:21 +0100
Subject: [PATCH 3/3] fix: handle missing rel correctly

---
 src/compiler/compile/nodes/Element.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/compiler/compile/nodes/Element.ts b/src/compiler/compile/nodes/Element.ts
index 203f6cffb6f..ca9bcb8c4e8 100644
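Review bot: Wrapping the whole check in `if (rel?.is_static)` also suppresses the warning when there is no `rel` attribute at all, which is the most common unsafe `target="_blank"` case, and it turns the `!rel ||` half of the inner condition into dead code because `rel` is always truthy inside that guard; the guard should read `if (rel == null || rel.is_static)` with `rel_values` falling back to `[]` when `rel` is absent (3/3 in this series appears to do exactly that). Skipping a dynamic `rel` is a deliberate trade-off that deserves a comment so nobody later reads it as a missing check, e.g. `// A dynamic rel={...} cannot be validated at compile time; it is skipped rather than warned about, so the author must ensure it includes "noreferrer".` While here, `rel && rel_values.indexOf(expected_value) < 0` reads more clearly as `!rel_values.includes(expected_value)` if the compile target allows `Array.prototype.includes`. The enclosing method starts before the hunk.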
--- a/src/compiler/compile/nodes/Element.ts
+++ b/src/compiler/compile/nodes/Element.ts
@@ -620,8 +620,8 @@ export default class Element extends Node {
  if (href_static_value === null || href_static_value.match(/^(https?:)?\/\//i)) {
  const rel = attribute_map.get('rel');
- if (rel?.is_static) {
- const rel_values = rel.get_static_value().split(' ');
+ if (rel == null || rel.is_static) {
+ const rel_values = rel ? rel.get_static_value().split(' ') : [];
  const expected_values = ['noreferrer'];
  expected_values.forEach(expected_value => {
  if (!rel || rel && rel_values.indexOf(expected_value) < 0) {