` is applied unchanged to the live DOM attribute.\n\n### Impact\n\nWhen an attacker can influence the content of a translation file or the translation-backend response — compromised translation CDN, user-contributed locales, MITM on a plain-HTTP backend, write access to the translation JSON — they can:\n\n- Set any `href` on an anchor to a `javascript:` URI, executing arbitrary JavaScript when the victim clicks the link.\n- Set any `src` on `