Commits on Oct 4, 2018
Commits on Sep 7, 2018
Commits on Jun 22, 2018
  1. chore(docs-app): ensure ToC links contain the path

    petebacondarwin committed Jun 22, 2018
    Without the path the link is always pointing to the
    root page, rather than the current page, which means
    that copying the link address or opening the page in
    a new tab is broken.
    
    Closes #16608
Commits on Jun 14, 2018
Commits on May 23, 2018
Commits on May 21, 2018
Commits on Feb 21, 2018
Commits on Feb 20, 2018
  1. fix($templateRequest): give tpload error the correct namespace

    petebacondarwin committed Feb 20, 2018
    BREAKING CHANGE
    
    Previously the `tpload` error was namespaced to `$compile`. If you have
    code that matches errors of the form `[$compile:tpload]` it will no
    longer run. You should change the code to match
    `[$templateRequest:tpload]`.
Commits on Feb 19, 2018
Commits on Jan 31, 2018
  1. feat($sce): handle URL sanitization through the `$sce` service

    petebacondarwin committed Jan 30, 2018
    Thanks to @rjamet for the original work on this feature.
    
    This is a large patch to handle URLs with the $sce service, similarly to HTML context.
    
    Where we previously sanitized URL attributes when setting attribute value inside the
    `$compile` service, we now only apply an `$sce` context requirement and leave the
    `$interpolate` service to deal with sanitization.
    
    This commit introduces a new `$sce` context called `MEDIA_URL`, which represents
    a URL used as a source for a media element that is not expected to execute code, such as
    image, video, audio, etc.
    The context hierarchy is set up so that a value trusted as `URL` is also trusted in the
    `MEDIA_URL` context, in the same way that a value trusted as `RESOURCE_URL` is also
    trusted in the `URL` context (and transitively also the `MEDIA_URL` context).
    
    The `$sce` service will now automatically attempt to sanitize non-trusted values that
    require the `URL` or `MEDIA_URL` context:
    
    * When calling `getTrustedMediaUrl()` a value that is not already a trusted `MEDIA_URL`
    will be sanitized using the `imgSrcSanitizationWhitelist`.
    * When calling `getTrustedUrl()` a value that is not already a trusted `URL` will be
    sanitized using the `aHrefSanitizationWhitelist`.
    
    This results in behaviour that closely matches the previous sanitization behaviour.
    
    To keep rough compatibility with existing apps, we need to allow concatenation of values
    that may contain trusted contexts. The following approach is taken for situations that
    require a `URL` or `MEDIA_URL` secure context:
    
    * A single trusted value is trusted, e.g. `"{{trustedUrl}}"` and will not be sanitized.
    * A single non-trusted value, e.g. `"{{ 'javascript:foo' }}"`, will be handled by
      `getTrustedMediaUrl` or `getTrustedUrl` and sanitized.
    * Any concatenation of values (which may or may not be trusted) results in a
      non-trusted type that will be handled by `getTrustedMediaUrl` or `getTrustedUrl` once the
      concatenation is complete.
      E.g. `"javascript:{{safeType}}"` is a concatenation of a non-trusted and a trusted value,
      which will be sanitized as a whole after unwrapping the `safeType` value.
    * An interpolation containing no expressions will still be handled by `getTrustedMediaUrl` or
      `getTrustedUrl`, whereas before this would have been short-circuited in the `$interpolate`
      service. E.g. `"some/hard/coded/url"`. This ensures that `ngHref` and similar directives
      still work securely, even if the URL is hard-coded into a template or index.html (perhaps by
      server-side rendering).
    
    BREAKING CHANGES:
    
    If you use `attrs.$set` for URL attributes (a[href] and img[src]) there will no
    longer be any automated sanitization of the value. This is in line with other
    programmatic operations, such as writing to the innerHTML of an element.
    
    If you are programmatically writing URL values to attributes from untrusted
    input then you must sanitize it yourself. You could write your own sanitizer or copy
    the private `$$sanitizeUri` service.
    
    Note that values that have been passed through the `$interpolate` service within the
    `URL` or `MEDIA_URL` will have already been sanitized, so you would not need to sanitize
    these values again.
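
Added example, not part of the commit and not AngularJS source: a stand-alone JavaScript model of the context hierarchy and the four interpolation cases listed in the `feat($sce)` message above. The whitelist patterns, the `app.example` base, the `unsafe:` prefix for rejected values and every function name here are assumptions of this sketch.

```javascript
// Model of the rules in the commit message above; not AngularJS source.
// Hierarchy: RESOURCE_URL is also trusted as URL, and URL as MEDIA_URL.
const PARENT = { RESOURCE_URL: 'URL', URL: 'MEDIA_URL', MEDIA_URL: null };

// Assumed whitelist patterns and a constructed base for relative URLs.
const WHITELIST = {
  URL: /^\s*(https?|s?ftp|mailto|tel|file):/,               // aHref list
  MEDIA_URL: /^\s*((https?|ftp|file|blob):|data:image\/)/,  // imgSrc list
};
const BASE = 'https://app.example/';

class Trusted {
  constructor(context, value) { this.context = context; this.value = value; }
}
const trustAs = (context, value) => new Trusted(context, value);
const unwrap = (v) => (v instanceof Trusted ? v.value : String(v));

// Does a value trusted as `have` satisfy a requirement for `need`?
function satisfies(have, need) {
  for (let c = have; c; c = PARENT[c]) if (c === need) return true;
  return false;
}

// Resolve, then test the scheme; rejected values are defanged, not dropped.
function sanitizeUri(uri, context) {
  let href;
  try { href = new URL(uri.trim(), BASE).href; } catch (e) { return 'unsafe:' + uri; }
  return WHITELIST[context].test(href) ? uri : 'unsafe:' + href;
}

// Unwrap a value already trusted for `context`; sanitize anything else.
function getTrusted(context, value) {
  if (value instanceof Trusted && satisfies(value.context, context)) return value.value;
  return sanitizeUri(unwrap(value), context);
}

// `parts` holds the template's literals and expression values, in order.
function interpolateUrl(parts, context) {
  if (parts.length === 1) return getTrusted(context, parts[0]);
  // Concatenation loses trust: unwrap, join, sanitize the whole string.
  return getTrusted(context, parts.map(unwrap).join(''));
}

// Constructed inputs mirroring the four cases listed in the commit message.
console.log(interpolateUrl([trustAs('URL', 'custom-scheme:open')], 'URL'));
console.log(interpolateUrl(['javascript:foo'], 'URL'));
console.log(interpolateUrl(['javascript:', trustAs('URL', 'https://example.com/')], 'URL'));
console.log(interpolateUrl(['some/hard/coded/url'], 'URL'));
```
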
Commits on Jan 17, 2018
Commits on Jan 11, 2018
  1. fix($sanitize): sanitize `xml:base` attributes

    petebacondarwin authored and Narretz committed Jan 6, 2018
    On Firefox there is an XSS vulnerability if a malicious attacker
    can write into the `xml:base` attribute on an SVG anchor.
    
    Thanks to Masato Kinugawa at Cure53
Commits on Dec 11, 2017
  1. feat($rootScope): allow suspending and resuming watchers on scope

    petebacondarwin committed Oct 31, 2017
    This can be very helpful for external modules that help make the digest
    loop faster by ignoring some of the watchers under some circumstances.
    Example: https://github.com/shahata/angular-viewport-watch
    
    Thanks to @shahata for the original implementation.
    
    Closes #5301
  2. fix($location): always decode special chars in `$location.url(value)`

    petebacondarwin committed Dec 1, 2017
    The original fix for #16312 included changing how `$location.url(value)`
    decoded the special characters passed to it as a setter.
    This broke a number of use cases (mostly involving the ui-router).
    
    Further analysis appears to show that we can solve #16312, to prevent
    urls being rewritten with decoded values, without modifying the
    behaviour of `$location.url`.
    
    This commit reverts changes to `$location.url(value)` so that encoded
    chars will once again be decoded and passed to `$location.path(value)`.
    In particular it will convert encoded forward slashes, which changes how
    the path is updated, since e.g. `a/b/%2Fc%2Fd` will become `a/b/c/d`.
    While this is arguably not "correct", it appears that there are too many
    use cases relying upon this behaviour.
Commits on Nov 30, 2017
Commits on Nov 3, 2017
  1. fix(sanitizeUri): sanitize URIs that contain IDEOGRAPHIC SPACE chars

    petebacondarwin committed Oct 31, 2017
    Browsers mutate attribute values such as ` javascript:alert(1)`
    when they are written to the DOM via `innerHTML` in various vendor-specific
    ways.
    
    In Chrome (<62), this mutation removed the preceding "whitespace" resulting
    in a value that could end up being executed as JavaScript.
    
    Here is an example of what could happen:
    https://plnkr.co/edit/Y6EsbsuDgd18YTn1oARu?p=preview
    If you run that in Chrome 61 you will get a dialog box pop up.
    
    There is background here:
    http://www.nds.rub.de/media/emma/veroeffentlichungen/2013/12/10/mXSS-CCS13.pdf
    
    The sanitizer has a bit of code that triggers this mutation on an inert piece
    of DOM, before we try to sanitize it:
    https://github.com/angular/angular.js/blob/817ac567/src/ngSanitize/sanitize.js#L406-L417
    
    Chrome 62 does not appear to mutate this particular string any more, instead
    it just leaves the "whitespace" in place. This probably means that Chrome 62
    is no longer vulnerable to this specific attack vector; but there may be
    other mutating strings that we haven't found, which are vulnerable.
    
    Since we are leaving the mXSS check in place, the sanitizer should still
    be immune to any strings that try to utilise this attack vector.
    
    This commit uses `trim()` to remove the IDEOGRAPHIC SPACE "whitespace"
    before sanitizing, which allows us to expose this mXSS test to all browsers
    rather than just Chrome.
    
    Closes #16288
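
Added illustration, not the AngularJS sanitizer and not code from the commit: why trimming before the scheme check matters for the IDEOGRAPHIC SPACE case described in the `fix(sanitizeUri)` message above. It uses Node's WHATWG `URL` parser as a stand-in for the browser's URL resolution; the whitelist pattern, the `app.example` base, the `unsafe:` prefix and the function names are assumptions, and the space and tab prefixes are added for comparison.

```javascript
// Illustration only; not the AngularJS sanitizer. Node's WHATWG URL parser
// stands in for the browser's URL resolution (an assumption of this sketch).
const BASE = 'https://app.example/';                      // constructed base
const SAFE_HREF = /^\s*(https?|s?ftp|mailto|tel|file):/;  // assumed whitelist

// Returns the input when the resolved URL passes, else a defanged copy.
function checkUri(uri, trimFirst) {
  const href = new URL(trimFirst ? uri.trim() : uri, BASE).href;
  return SAFE_HREF.test(href) ? uri : 'unsafe:' + href;
}

// Constructed samples: the commit's string behind different leading characters.
const PREFIXES = { space: ' ', tab: '\t', ideographic: '\u3000' };

// For each prefix, report whether the scheme check catches the value.
function survey() {
  const out = {};
  for (const [name, prefix] of Object.entries(PREFIXES)) {
    const uri = prefix + 'javascript:alert(1)';
    out[name] = {
      caughtWithoutTrim: checkUri(uri, false).startsWith('unsafe:'),
      caughtWithTrim: checkUri(uri, true).startsWith('unsafe:'),
    };
  }
  return out;
}

console.log(survey());
```

The URL parser strips leading ASCII whitespace itself, so only the U+3000 prefix resolves as a relative path and passes the untrimmed check; `String.prototype.trim()` removes U+3000 as well, so the trimmed check flags all three.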
Commits on Sep 23, 2017
Commits on Jun 6, 2017
  1. chore(jenkins): do not publish to code.angularjs.org snapshot

    petebacondarwin committed Jun 5, 2017
    While the firewall continues to block the update ports
    we will not try to publish there. This will be fixed when we move to hosting
    the sites on Firebase.
    
    This means that successful builds on master will not automatically update
    code.angularjs.org, this will affect:
    
    * https://code.angularjs.org/snapshot, which people often use to check latest features
    * https://docs.angularjs.org, which is supposed to display the docs for the latest master
    
    As it turns out we can manually partially trigger an update by browsing to
    https://code.angularjs.org/gitFetchSite.php but we just can’t guarantee that we will update
    both the round robin servers.
Commits on Jun 5, 2017
  1. fix($sanitize): use appropriate inert document strategy for Firefox and Safari

    petebacondarwin committed May 25, 2017
    Both Firefox and Safari are vulnerable to XSS if we use an inert document
    created via `document.implementation.createHTMLDocument()`.
    
    Now we check for those vulnerabilities and then use a DOMParser or XHR
    strategy if needed.
    
    Thanks to @cure53 for the heads up on this issue.
Commits on Mar 2, 2017
  1. feat(info): add `angularVersion` info to each module

    petebacondarwin committed Feb 27, 2017
    You can now check what version of AngularJS a core module is designed for:
    
    ```
    var angularVersion = $injector.modules['myModule'].info().angularVersion;
    ```
  2. feat($injector): add new `modules` property

    petebacondarwin committed Oct 8, 2016
    The `modules` property is a hash of the modules loaded into the injector
    at bootstrap time. This can be used to access the module's info.
  3. feat(Module): add `info()` method

    petebacondarwin committed Oct 8, 2016
    The new `info()` method lets developers store arbitrary information about
    their module for consumption later.
    
    Closes #15225
Commits on Feb 27, 2017
  1. fix(Angular): do not autobootstrap if the `src` exists but is empty

    petebacondarwin committed Feb 27, 2017
    In Chrome an empty `src` attribute will be ignored, but in Firefox it seems
    happy to prepend the `base[href]` and try to load whatever that is.
Commits on Feb 24, 2017
Commits on Feb 20, 2017
  1. chore(jenkins): disable unit testing on Safari

    petebacondarwin committed Feb 20, 2017
    There is a strange failure in the animation code that only appears to happen
    on Safari 10 on OS/X. While we investigate we are disabling this browser
    to allow the development (and doc generation) to continue.
Commits on Feb 1, 2017
  1. feat(ngModel): add `$overrideModelOptions` support

    petebacondarwin committed Nov 21, 2016
    This change allows developers to modify the model options for an `ngModel`
    directive programmatically.
    
    Closes #15415
Commits on Jan 30, 2017
  1. chore(docs): don't use bower for docs dependencies

    petebacondarwin committed Dec 1, 2016
Commits on Jan 25, 2017
  1. docs(*): ensure naming is correct for Angular(JS) versions

    petebacondarwin committed Jan 24, 2017