Elgato_dark/angular
1
0
Fork 0
mirror of https://github.com/angular/angular synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
angular/packages/tsec-exemption.json

39 lines
1.2 KiB
JSON
Raw Normal View History

build: Enable tsec checks for critical packages. (#43108) tsec is a static analyzer that discovers Trusted Types violations. Deploy tsec to make sure there will be no TT regression in several critical packages, including core, platform-browser, platform-server and their dependencies. Existing violations have been reviewed and exempted in packages/tsec-exemption.json. Future changes to the exemption list requires security review. PR Close #43108
2021-08-10 23:00:20 +00:00
/**
* The central exemption list of existing tsec violations. Modifications to
* this list should be carefully reviewed by a security expert.
*/
{
"ban-trustedtypes-createpolicy": [
"core/src/util/security/trusted_types_bypass.ts",
"core/src/util/security/trusted_types.ts",
"compiler/src/output/output_jit_trusted_types.ts"
],
"ban-element-innerhtml-assignments": [
"core/src/sanitization/inert_body.ts"
],
"ban-element-setattribute": [
"platform-browser/src/browser/meta.ts"
],
"ban-domparser-parsefromstring": [
"core/src/sanitization/inert_body.ts"
],
"ban-script-content-assignments": [
"platform-server/src/transfer_state.ts"
],
"ban-function-calls": [
"core/src/interface/type.ts",
"core/src/reflection/reflection_capabilities.ts",
"core/src/util/security/trusted_types.ts",
"core/src/render3/instructions/listener.ts",
"compiler/src/core.ts",
"compiler/src/output/output_jit_trusted_types.ts",
"platform-server/src/server_renderer.ts"
],
"ban-window-stringfunctiondef": [
"core/src/render3/util/misc_utils.ts"
fix(core): hardening attribute and property binding rules for <iframe> elements (#47964) This commit updates the logic related to the attribute and property binding rules for <iframe> elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>. If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located. BREAKING CHANGE: Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings. PR Close #47964
2022-10-25 21:45:32 +00:00
],
"ban-iframe-srcdoc-assignments": [
"core/src/sanitization/iframe_attrs_validation.ts"
build: Enable tsec checks for critical packages. (#43108) tsec is a static analyzer that discovers Trusted Types violations. Deploy tsec to make sure there will be no TT regression in several critical packages, including core, platform-browser, platform-server and their dependencies. Existing violations have been reviewed and exempted in packages/tsec-exemption.json. Future changes to the exemption list requires security review. PR Close #43108
2021-08-10 23:00:20 +00:00
]
}
Reference in a new issue Copy permalink