
fix(compiler): disallow i18n resource url attributes (XSS) #68580

Closed
Hexix23 wants to merge 1 commit into angular:main from Hexix23:fix-i18n-resource-url-attrs

Conversation

Hexix23 commented May 5, 2026

This fix addresses a Cross-Site Scripting (XSS, CWE-79) issue in Angular's i18n compiler handling for static ResourceURL attributes.

The issue was found during Google OSS VRP research, and this PR follows the public maintainer PR path requested for Angular product-security fixes.

Angular already classifies SVG script|href as SecurityContext.RESOURCE_URL, but the i18n metadata gate only rejected translated attributes that appear in the Trusted Types sink list. script|href is not in that list, so a localized build could replace a source-approved SVG script href with a translated script resource URL.

Changes:

  • Add a compiler i18n check for translated attributes whose DOM security context is SecurityContext.RESOURCE_URL
  • Preserve the existing Trusted Types sink rejection behavior
  • Add a regression test for translated SVG <script href> ResourceURL attributes

Security impact verified:

  • A standard Angular CLI localized AOT build could emit a translated SVG <script href> value as a static template attribute
  • In Chrome, that translated SVG script URL is fetched and executed automatically when the localized page renders
  • The repro uses standard Angular CLI/i18n only, with no bypassSecurityTrust*, custom renderer, custom sanitizer, or direct DOM writes

Out of scope:

  • This PR is intentionally limited to SecurityContext.RESOURCE_URL translated static attributes. Other i18n security-context hardening work can remain separate.

PR Checklist

Please check if your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • angular.dev application / infrastructure changes
  • Other... Please describe:

What is the current behavior?

Issue Number: N/A

Angular's i18n metadata pass rejects translated attributes only when isTrustedTypesSink() returns true. It does not also consult Angular's DOM security schema for SecurityContext.RESOURCE_URL attributes. As a result, static translated SVG script|href attributes can be emitted into localized AOT output even though the schema classifies script|href as a ResourceURL sink.

What is the new behavior?

Translated static attributes are rejected when the target DOM attribute is classified as SecurityContext.RESOURCE_URL, while preserving the previous Trusted Types sink rejection behavior.

This prevents localization data from replacing source-approved SVG script href values with executable script resources in localized builds.

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

Local validation run:

pnpm install --frozen-lockfile
base=$(git merge-base origin/main HEAD)
git diff --check "$base" HEAD
pnpm ng-dev commit-message validate-range "$base" HEAD
pnpm ng-dev format changed --check
pnpm bazel test //packages/core/test:test --test_filter='security integration tests translation'
pnpm bazel test //packages/compiler/test:test

Reject translated ResourceURL attributes so localization cannot replace source-approved script URLs with executable resources.
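The metadata gate the PR description refers to, modelled as an added TypeScript example (this is illustrative code, not Angular's compiler source). It contrasts the pre-fix gate, which consults only the Trusted Types sink list, with the post-fix gate, which additionally consults the DOM security schema and rejects any translated static attribute classified as RESOURCE_URL. The schema table and sink list below are constructed stand-ins: the only entry taken from the PR is that script|href is a RESOURCE_URL attribute that is absent from the Trusted Types sink list; the other rows, the sample template attributes, and the function names (checkTranslatedAttrBefore, checkTranslatedAttrAfter, rejectedTranslations) are assumptions made for the example.

```typescript
// Added example: a simplified model of the i18n translated-attribute gate.
// Not Angular's code; the tables below are constructed stand-ins.

enum SecurityContext { NONE, HTML, STYLE, SCRIPT, URL, RESOURCE_URL }

// Stand-in for the DOM security schema: 'element|attribute' -> context.
// script|href -> RESOURCE_URL is the classification the PR relies on;
// the remaining rows are illustrative assumptions.
const DOM_SECURITY_SCHEMA = new Map<string, SecurityContext>([
  ['script|href', SecurityContext.RESOURCE_URL],
  ['script|src', SecurityContext.RESOURCE_URL],
  ['iframe|src', SecurityContext.RESOURCE_URL],
  ['a|href', SecurityContext.URL],
  ['*|innerhtml', SecurityContext.HTML],
]);

// Stand-in for the Trusted Types sink list (constructed). script|href is
// deliberately absent: that is the gap the PR describes.
const TRUSTED_TYPES_SINKS = new Set<string>([
  'iframe|srcdoc', '*|innerhtml', '*|outerhtml',
  'embed|src', 'object|codebase', 'object|data',
]);

// Schema keys are lowercase; '*' matches any element.
function schemaKey(tag: string, attr: string): string {
  return `${tag}|${attr}`.toLowerCase();
}

function securityContext(tag: string, attr: string): SecurityContext {
  return DOM_SECURITY_SCHEMA.get(schemaKey(tag, attr))
    ?? DOM_SECURITY_SCHEMA.get(schemaKey('*', attr))
    ?? SecurityContext.NONE;
}

function isTrustedTypesSink(tag: string, attr: string): boolean {
  return TRUSTED_TYPES_SINKS.has(schemaKey(tag, attr))
    || TRUSTED_TYPES_SINKS.has(schemaKey('*', attr));
}

interface GateResult { allowed: boolean; reason?: string }

// Pre-fix behaviour: only the Trusted Types sink list is consulted, so a
// translated SVG <script href> passes even though the schema calls it a
// RESOURCE_URL sink.
function checkTranslatedAttrBefore(tag: string, attr: string): GateResult {
  if (isTrustedTypesSink(tag, attr)) {
    return { allowed: false, reason: `${schemaKey(tag, attr)} is a Trusted Types sink` };
  }
  return { allowed: true };
}

// Post-fix behaviour: the Trusted Types rejection is preserved, and any
// attribute the schema classifies as RESOURCE_URL is rejected as well, so
// translation data can never supply a script resource URL.
function checkTranslatedAttrAfter(tag: string, attr: string): GateResult {
  const before = checkTranslatedAttrBefore(tag, attr);
  if (!before.allowed) return before;
  if (securityContext(tag, attr) === SecurityContext.RESOURCE_URL) {
    return { allowed: false, reason: `${schemaKey(tag, attr)} is a RESOURCE_URL attribute` };
  }
  return { allowed: true };
}

interface TranslatedAttr { tag: string; attr: string; value: string }

// Runs one gate over every i18n-marked static attribute in a template and
// returns the keys a localized build would refuse to emit.
function rejectedTranslations(
  attrs: TranslatedAttr[],
  gate: (tag: string, attr: string) => GateResult,
): string[] {
  return attrs
    .filter(a => !gate(a.tag, a.attr).allowed)
    .map(a => schemaKey(a.tag, a.attr));
}

// Constructed sample of translated attributes from a localized template.
const SAMPLE: TranslatedAttr[] = [
  { tag: 'script', attr: 'href', value: 'https://example.invalid/translated.js' },
  { tag: 'a', attr: 'href', value: 'https://example.invalid/help' },
  { tag: 'iframe', attr: 'srcdoc', value: '<p>translated</p>' },
  { tag: 'img', attr: 'alt', value: 'Logo' },
];

console.log('rejected before fix:', rejectedTranslations(SAMPLE, checkTranslatedAttrBefore));
console.log('rejected after fix: ', rejectedTranslations(SAMPLE, checkTranslatedAttrAfter));
```

Running the block shows that the pre-fix gate rejects only iframe|srcdoc, while the post-fix gate also rejects script|href; the ordinary link and alt text are accepted by both, which is the "preserve existing behaviour, add the RESOURCE_URL check" shape the PR describes.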
Labels

area: compiler Issues related to `ngc`, Angular's template compiler
