
Patch port 19 #68469

Closed
alan-agius4 wants to merge 8 commits into angular:19.2.x from alan-agius4:patch-port-19


Conversation

@alan-agius4
Contributor

Backport several security fixes

Ensures that security-sensitive attributes (e.g., sandbox, allow) are correctly validated when applied through i18n-* dynamic attribute bindings, preventing potential policy bypasses.

Closes angular#68418
…tionally

Moves the event attribute validation check outside of `ngDevMode` in the `elementAttributeInternal` instruction to ensure that bindings to event attributes like `on*` are always blocked at runtime.

Previously, this check was only performed when `ngDevMode` was `true`, which could allow attacker-controlled CMS data to be bound to event attributes in production mode, causing browser-executed XSS.

Fixes angular#68419
… url

The origin did not have a trailing slash, which caused parsing issues for relative URLs.

Fixes angular#68322
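The first two fixes in this PR share one defensive rule: the attribute-name validation must run on every binding path (plain dynamic bindings and `i18n-*` marked attributes alike) and in every build, not only when a dev-mode flag is set. The following is an added example, not code from this PR or the Angular repository. It models that rule with a small element stand-in so it runs without a DOM; the `devMode` flag, the `rejectReason` helper, the element stand-in and the sample values are constructed for the example, and treating a dynamic `sandbox`/`allow` binding on an `<iframe>` as disallowed is this example's policy choice, implied but not spelled out by the commit message.

```javascript
// Added example (not Angular's code). Attribute validation that must be
// unconditional: a check gated on a dev-mode flag silently disappears in
// production builds, which is exactly where attacker-controlled data arrives.

// Attributes that change a frame's security policy (from the commit message).
const FRAME_POLICY_ATTRIBUTES = new Set(['sandbox', 'allow']);

function isEventHandlerAttribute(name) {
  // Every HTML event handler attribute starts with "on" (onclick, onerror, ...).
  return /^on/i.test(name);
}

function isFramePolicyAttribute(name) {
  return FRAME_POLICY_ATTRIBUTES.has(name.toLowerCase());
}

// Central validator (assumed helper). Returns null when the binding is
// acceptable, or a reason string when it must be refused.
function rejectReason(tagName, name) {
  if (isEventHandlerAttribute(name)) {
    return `binding to event attribute "${name}" is not allowed (script execution)`;
  }
  if (tagName.toLowerCase() === 'iframe' && isFramePolicyAttribute(name)) {
    return `dynamic binding to "${name}" on <iframe> is not allowed (policy bypass)`;
  }
  return null;
}

// Minimal element stand-in (constructed) so the example runs without a DOM.
function makeElement(tagName) {
  return { tagName, attributes: new Map() };
}

// "Before": validation only when the dev-mode flag is on. With devMode === false
// (a production build) the hostile binding lands on the element unchecked.
function setAttributeDevGated(el, name, value, devMode) {
  if (devMode) {
    const reason = rejectReason(el.tagName, name);
    if (reason) throw new Error(reason);
  }
  el.attributes.set(name, value);
}

// "After": validation runs unconditionally.
function setAttributeAlways(el, name, value) {
  const reason = rejectReason(el.tagName, name);
  if (reason) throw new Error(reason);
  el.attributes.set(name, value);
}

// i18n-* path: the marker `i18n-sandbox` designates the `sandbox` attribute
// for translation, so the translated text must go through the same
// validator as any other dynamic attribute value.
function setI18nAttributeAlways(el, marker, translatedValue) {
  if (!marker.startsWith('i18n-')) throw new Error(`not an i18n marker: ${marker}`);
  const target = marker.slice('i18n-'.length);
  setAttributeAlways(el, target, translatedValue);
}

// Reduce a call to "accepted"/"rejected" for side-by-side comparison.
function outcome(fn) {
  try { fn(); return 'accepted'; } catch (e) { return 'rejected'; }
}

function demo() {
  // Constructed sample: a string that arrives from a CMS and is bound to an
  // event attribute, plus translated values targeting iframe attributes.
  const cmsValue = 'untrusted-value-from-cms';
  return {
    devGatedProd: outcome(() => setAttributeDevGated(makeElement('div'), 'onclick', cmsValue, false)),
    devGatedDev: outcome(() => setAttributeDevGated(makeElement('div'), 'onclick', cmsValue, true)),
    alwaysProd: outcome(() => setAttributeAlways(makeElement('div'), 'onclick', cmsValue)),
    i18nSandbox: outcome(() => setI18nAttributeAlways(makeElement('iframe'), 'i18n-sandbox', '')),
    i18nTitle: outcome(() => setI18nAttributeAlways(makeElement('iframe'), 'i18n-title', 'Hallo')),
  };
}

console.log(demo());
```

The point of the `devGatedProd` case is that the "before" variant accepts the `onclick` binding only because the flag is off; the "after" variant gives the same answer in both builds, and the `i18n-*` path reuses it rather than carrying its own, weaker check.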
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: lts This PR is targeting a version currently in long-term support PullApprove: disable labels Apr 30, 2026
@alan-agius4 alan-agius4 changed the base branch from main to 19.2.x April 30, 2026 07:01
@angular-robot angular-robot Bot added area: core Issues related to the framework runtime area: server Issues related to server-side rendering labels Apr 30, 2026
@ngbot ngbot Bot added this to the Backlog milestone Apr 30, 2026
@alan-agius4 alan-agius4 reopened this Apr 30, 2026
…0e78a49242958

Update dev-infra to latest version for github actions
@angular-robot angular-robot Bot added the area: build & ci Related the build and CI infrastructure of the project label Apr 30, 2026
@angular-robot angular-robot Bot added detected: breaking change PR contains a commit with a breaking change detected: feature PR contains a feature commit area: docs Related to the documentation area: common/http Issues related to HTTP and HTTP Client area: compiler Issues related to `ngc`, Angular's template compiler area: zones Issues related to zone.js area: router area: migrations Issues related to `ng update`/`ng generate` migrations labels May 4, 2026
@angular-robot angular-robot Bot added the area: common Issues related to APIs in the @angular/common package label May 4, 2026
@alan-agius4 alan-agius4 removed area: build & ci Related the build and CI infrastructure of the project area: common Issues related to APIs in the @angular/common package area: router area: core Issues related to the framework runtime area: forms area: zones Issues related to zone.js area: language-service Issues related to Angular's VS Code language service area: server Issues related to server-side rendering area: common/http Issues related to HTTP and HTTP Client area: service-worker Issues related to the @angular/service-worker package area: compiler Issues related to `ngc`, Angular's template compiler area: dev-infra Issues related to Angular's own dev infra (build, test, CI, releasing) area: migrations Issues related to `ng update`/`ng generate` migrations area: devtools detected: feature PR contains a feature commit detected: breaking change PR contains a commit with a breaking change area: docs Related to the documentation area: vscode-extension Issues related to the Angular Language Service VsCode extension labels May 4, 2026
@alan-agius4 alan-agius4 removed the request for review from AndrewKushnir May 6, 2026 06:19
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels May 6, 2026
@mattrbeck
Member

This PR was merged into the repository. The changes were merged into the following branches:

mattrbeck pushed a commit that referenced this pull request May 7, 2026
…68469)

Ensures that security-sensitive attributes (e.g., sandbox, allow) are correctly validated when applied through i18n-* dynamic attribute bindings, preventing potential policy bypasses.

Closes #68418

PR Close #68469
mattrbeck pushed a commit that referenced this pull request May 7, 2026
…tionally (#68469)

Moves the event attribute validation check outside of `ngDevMode` in the `elementAttributeInternal` instruction to ensure that bindings to event attributes like `on*` are always blocked at runtime.

Previously, this check was only performed when `ngDevMode` was `true`, which could allow attacker-controlled CMS data to be bound to event attributes in production mode, causing browser-executed XSS.

Fixes #68419

PR Close #68469
mattrbeck pushed a commit that referenced this pull request May 7, 2026
… url (#68469)

The origin did not have a trailing slash, which caused parsing issues for relative URLs.

Fixes #68322

PR Close #68469
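The third fix concerns relative URL resolution against a base URL. The following is an added example, not code from this PR or the Angular repository, showing with the WHATWG `URL` parser (available in Node and browsers) why a missing trailing slash matters: when the base carries a path segment, the parser discards the last segment before joining, so `app` disappears from the result. Hostnames, paths and the `withTrailingSlash` helper are constructed for the example.

```javascript
// Added example (not Angular's code): relative URL resolution against a base
// with and without a trailing slash.

function resolveRelative(base, relative) {
  // WHATWG resolution: the last path segment of the base is dropped unless
  // the base path ends with "/".
  return new URL(relative, base).href;
}

// Assumed helper: normalize a base URL so its final path segment is kept
// when relative references are resolved against it.
function withTrailingSlash(base) {
  const u = new URL(base);
  if (!u.pathname.endsWith('/')) u.pathname += '/';
  return u.href;
}

function demo() {
  const rel = 'api/items'; // constructed relative reference
  return {
    // A bare origin gets an implicit "/" path, so nothing is lost here.
    bareOrigin: resolveRelative('https://example.test', rel),
    // A base with a path but no trailing slash loses its "app" segment.
    pathNoSlash: resolveRelative('https://example.test/app', rel),
    // Normalizing the base keeps the segment.
    pathWithSlash: resolveRelative(withTrailingSlash('https://example.test/app'), rel),
  };
}

console.log(demo());
```

Normalizing the base once, as `withTrailingSlash` does, avoids the silent segment loss, and the `bareOrigin` case shows that an origin with no path is not affected.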
mattrbeck pushed a commit that referenced this pull request May 7, 2026
…0e78a49242958 (#68469)

Update dev-infra to latest version for github actions

PR Close #68469
@mattrbeck mattrbeck closed this May 7, 2026

Labels

action: merge The PR is ready for merge by the caretaker area: docs-infra Angular.dev application and infrastructure PullApprove: disable target: lts This PR is targeting a version currently in long-term support
