[fix] only read static value for rel attribute validation (#8003)

fixes #7994

src/compiler/compile/nodes/Element.ts

@@ -620,17 +620,18 @@ export default class Element extends Node {
 
 				if (href_static_value === null || href_static_value.match(/^(https?:)?\/\//i)) {
 					const rel = attribute_map.get('rel');
-					const rel_values = rel ? rel.get_static_value().split(' ') : [];
-					const expected_values = ['noreferrer'];
-
-					expected_values.forEach(expected_value => {
-						if (!rel || rel && rel_values.indexOf(expected_value) < 0) {
-							component.warn(this, {
-								code: `security-anchor-rel-${expected_value}`,
-								message: `Security: Anchor with "target=_blank" should have rel attribute containing the value "${expected_value}"`
-							});
-						}
-					});
+					if (rel == null || rel.is_static) {
+						const rel_values = rel ? rel.get_static_value().split(' ') : [];
+						const expected_values = ['noreferrer'];
+						expected_values.forEach(expected_value => {
+							if (!rel || rel && rel_values.indexOf(expected_value) < 0) {
+								component.warn(this, {
+									code: `security-anchor-rel-${expected_value}`,
+									message: `Security: Anchor with "target=_blank" should have rel attribute containing the value "${expected_value}"`
+								});
+							}
+						});
+					}
 				}
 			}
 

test/validator/samples/security-anchor-rel-noreferrer/input.svelte

@@ -28,4 +28,6 @@
 <a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
 <a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
 <a href="//svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
-<a href="//svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
+<a href="//svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
+<!-- dynamic rel value should not warn-->
+<a href="//svelte.dev" target="_blank" rel={`${Math.random()}`}>svelte website (valid)</a>