[14.2.x] fix(core): hardening attribute and property binding rules for <iframe> elements #48028
Branch force-pushed from 1f013ee to a5acb16.
Branch force-pushed from a5acb16 to 26ccc89.
Caretaker note: FYI this PR is a cherry-pick of a couple of commits that we've landed in the main and 15.0.x branches. No changes were made to the fix itself; I had to drop a couple of tests that covered host directives, which are not supported in v14 (only starting from v15). Also, since this is a patch-only PR, no presubmits are needed.

This PR was merged into the repository by commit 244a7d2.
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [@angular/animations](https://github.com/angular/angular) | dependencies | patch | [`14.2.11` -> `14.2.12`](https://renovatebot.com/diffs/npm/@angular%2fanimations/14.2.11/14.2.12) |
| [@angular/common](https://github.com/angular/angular) | dependencies | patch | [`14.2.11` -> `14.2.12`](https://renovatebot.com/diffs/npm/@angular%2fcommon/14.2.11/14.2.12) |
| [@angular/compiler](https://github.com/angular/angular) | dependencies | patch | [`14.2.11` -> `14.2.12`](https://renovatebot.com/diffs/npm/@angular%2fcompiler/14.2.11/14.2.12) |
| [@angular/compiler-cli](https://github.com/angular/angular/tree/main/packages/compiler-cli) ([source](https://github.com/angular/angular)) | devDependencies | patch | [`14.2.11` -> `14.2.12`](https://renovatebot.com/diffs/npm/@angular%2fcompiler-cli/14.2.11/14.2.12) |
| [@angular/core](https://github.com/angular/angular) | dependencies | patch | [`14.2.11` -> `14.2.12`](https://renovatebot.com/diffs/npm/@angular%2fcore/14.2.11/14.2.12) |
| [@angular/forms](https://github.com/angular/angular) | dependencies | patch | [`14.2.11` -> `14.2.12`](https://renovatebot.com/diffs/npm/@angular%2fforms/14.2.11/14.2.12) |
| [@angular/platform-browser](https://github.com/angular/angular) | dependencies | patch | [`14.2.11` -> `14.2.12`](https://renovatebot.com/diffs/npm/@angular%2fplatform-browser/14.2.11/14.2.12) |
| [@angular/platform-browser-dynamic](https://github.com/angular/angular) | dependencies | patch | [`14.2.11` -> `14.2.12`](https://renovatebot.com/diffs/npm/@angular%2fplatform-browser-dynamic/14.2.11/14.2.12) |

---

### Release Notes

angular/angular

### [`v14.2.12`](https://github.com/angular/angular/blob/HEAD/CHANGELOG.md#14212-2022-11-21)

[Compare Source](angular/angular@14.2.11...14.2.12)

#### Breaking Changes

##### core

- Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings.

##### core

| Commit | Type | Description |
| -- | -- | -- |
| [54814c8e9b](angular/angular@54814c8) | fix | hardening attribute and property binding rules for <iframe> elements ([#48028](angular/angular#48028)) |

#### Special Thanks

Andrew Kushnir

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Co-authored-by: cabr2-bot <cabr2.help@gmail.com>
Reviewed-on: https://codeberg.org/Calciumdibromid/CaBr2/pulls/1653
Reviewed-by: Epsilon_02 <epsilon_02@noreply.codeberg.org>
Co-authored-by: Calciumdibromid Bot <cabr2_bot@noreply.codeberg.org>
Co-committed-by: Calciumdibromid Bot <cabr2_bot@noreply.codeberg.org>
This commit updates the logic related to the attribute and property binding rules for <iframe> elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>.
If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located.
BREAKING CHANGE:
Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings.
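The rule described above, as an added example that is not Angular's own code: a small lint that scans a template string (and a directive's `host` metadata) for `<iframe>` security-sensitive attributes applied through a binding rather than as a static attribute, and reports the attribute name together with the component or directive name, in the spirit of the error this PR introduces. The attribute set, the function names and the sample templates are my own assumptions; the page does not list which attributes Angular treats as security-sensitive, and a real check sits in the compiler's parser rather than on regexes.

```typescript
// Added example, not Angular's code. The attribute set below is an ASSUMPTION
// (my recollection of Angular's list); this page does not enumerate it.
const IFRAME_SECURITY_SENSITIVE_ATTRS: ReadonlySet<string> = new Set([
  'sandbox', 'allow', 'allowfullscreen', 'referrerpolicy', 'csp', 'fetchpriority',
]);

interface IframeBindingViolation {
  attribute: string;  // the security-sensitive attribute that was bound
  owner: string;      // component (template) or directive (host bindings) name
  message: string;    // error text carrying both names, as the PR describes
}

// Returns the attribute name if `token` uses binding syntax, otherwise null.
// Recognised binding forms: [name], [attr.name], bind-name. A bare `name` is static.
function boundAttributeName(token: string): string | null {
  const m = /^(?:\[attr\.([\w-]+)\]|\[([\w-]+)\]|bind-([\w-]+))$/.exec(token);
  if (!m) return null;
  return (m[1] ?? m[2] ?? m[3] ?? '').toLowerCase();
}

function makeViolation(attribute: string, owner: string, where: string): IframeBindingViolation {
  return {
    attribute,
    owner,
    message: `\`${attribute}\` was applied as a binding to an <iframe> in ${where} of ${owner}. ` +
             `For security reasons it may only be set as a static attribute.`,
  };
}

// Scans a template for <iframe> tags whose security-sensitive attributes are bound.
// Regex-based for demonstration; it walks each attribute token of every <iframe ...> tag.
function findIframeTemplateViolations(template: string, component: string): IframeBindingViolation[] {
  const violations: IframeBindingViolation[] = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  // One attribute token, optionally followed by ="..." / ='...' / =bare
  const attrRe = /([^\s=>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let tag: RegExpExecArray | null;
  while ((tag = tagRe.exec(template)) !== null) {
    let attr: RegExpExecArray | null;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      const name = boundAttributeName(attr[1]);
      if (name !== null && IFRAME_SECURITY_SENSITIVE_ATTRS.has(name)) {
        violations.push(makeViolation(name, component, 'the template'));
      }
    }
    attrRe.lastIndex = 0;
  }
  return violations;
}

// Same rule for a directive's `host` metadata, e.g. host: {'[attr.sandbox]': 'flags'}.
// (A full check would also confirm the directive is actually placed on an <iframe>.)
function findIframeHostBindingViolations(host: Record<string, string>, directive: string): IframeBindingViolation[] {
  const violations: IframeBindingViolation[] = [];
  for (const key of Object.keys(host)) {
    const name = boundAttributeName(key);
    if (name !== null && IFRAME_SECURITY_SENSITIVE_ATTRS.has(name)) {
      violations.push(makeViolation(name, directive, 'host bindings'));
    }
  }
  return violations;
}

// Constructed sample templates (not from the page): the non-compliant form the
// new rule rejects, and the static-attribute form it accepts.
const BEFORE_TEMPLATE = `
  <iframe [src]="safeUrl" [attr.sandbox]="sandboxFlags" bind-allow="permissions"></iframe>`;
const AFTER_TEMPLATE = `
  <iframe [src]="safeUrl" sandbox="allow-scripts" allow="fullscreen"></iframe>`;

function demo(): void {
  for (const v of findIframeTemplateViolations(BEFORE_TEMPLATE, 'AppComponent')) {
    console.log('ERROR:', v.message);
  }
  console.log('after fix, violations:', findIframeTemplateViolations(AFTER_TEMPLATE, 'AppComponent').length);
}
demo();
```

Note that `[src]` stays a binding in both templates: only the attributes in the sensitive set must be static, and `src` is not one of them, so the lint reports `sandbox` and `allow` for the first template and nothing for the second.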