Commit graph

34805 commits

Author SHA1 Message Date
Alan Agius
c2c2b4aaa8
fix(core): sanitize sensitive attributes on SVG script elements
This commit updates the DOM security schema and sanitization logic to properly recognize and sanitize `href` and `xlink:href` attributes on SVG `<script>` elements.
2026-01-06 15:54:47 -05:00
Kristiyan Kostadinov
4755bbd949 release: cut the v20.3.15 release 2025-12-01 12:46:42 +01:00
Alan Agius
d1ca8ae043 fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
This commit implements a security fix to prevent XSS vulnerabilities where SVG animation elements (`<animate>`, `<set>`, etc.) could be used to modify the `href` or `xlink:href` attributes of other elements to `javascript:` URLs.

The fix introduces a runtime validation step:
- A new `ɵɵValidateAttribute` instruction is used when `attributeName` is bound on SVG animation elements.
- If executed, a `RuntimeError` is thrown, preventing the binding.
- The compiler now identifies `attributeName` on SVG animation elements as security-sensitive and injects this validation.

Additionally, the DOM security schema has been updated to include a comprehensive list of MathML and SVG elements that accept `href` or `xlink:href` attributes, ensuring they are correctly treated as `SecurityContext.URL` and sanitized. This prevents malicious URLs from being bound to these attributes.

http://b/463880509
2025-12-01 10:29:30 +01:00
kirjs
136e9232c4 release: cut the v20.3.14 release 2025-11-25 15:14:26 -05:00
Alan Agius
0276479e7d fix(http): prevent XSRF token leakage to protocol-relative URLs
The XSRF interceptor previously failed to detect protocol-relative URLs (starting with `//`) as absolute URLs. This allowed requests to such URLs to include the XSRF token, potentially leaking it to external domains.

This change updates the interceptor to correctly identify protocol-relative URLs as absolute and exclude them from receiving the XSRF token.
2025-11-25 13:54:57 -05:00
Jessica Janiuk
edcbe2259b release: cut the v20.3.13 release 2025-11-19 09:41:29 -08:00
kirjs
24c999a56e fix(docs-infra): add moduleResolution to TypeScript compiler options for playground
This fixes signal forms, but idk if it breaks other things

(cherry picked from commit 040af1aaa1)
2025-11-19 16:26:23 +00:00
Aristeidis Bampakos
96a8d58979 fix(docs-infra): add install in pnpm
Add missing install option in pnpm command.

(cherry picked from commit 0e1ddce1cb)
2025-11-19 16:10:12 +00:00
Matthieu Riegler
330e046f40 docs: fix docs heading alignment
(cherry picked from commit c7424c8f07)
2025-11-19 01:00:27 +00:00
Shuaib Hasan Akib
5aea52ac29 docs: format examples with replacing <docs-code> typescript examples with fenced ts code blocks
Update adev/src/content/reference/migrations/cleanup-unused-imports.md

Co-authored-by: Alan Agius <alan.agius4@gmail.com>

Update adev/src/content/reference/extended-diagnostics/NG8102.md

Co-authored-by: Alan Agius <alan.agius4@gmail.com>

Update adev/src/content/reference/extended-diagnostics/NG8103.md

Co-authored-by: Alan Agius <alan.agius4@gmail.com>

Update adev/src/content/reference/extended-diagnostics/NG8103.md

Co-authored-by: Alan Agius <alan.agius4@gmail.com>

Update adev/src/content/reference/extended-diagnostics/NG8103.md

Co-authored-by: Alan Agius <alan.agius4@gmail.com>

Update adev/src/content/reference/migrations/cleanup-unused-imports.md

Co-authored-by: Alan Agius <alan.agius4@gmail.com>

Update adev/src/content/reference/migrations/cleanup-unused-imports.md

Co-authored-by: Alan Agius <alan.agius4@gmail.com>
(cherry picked from commit 27fa993fb8)
2025-11-18 22:11:27 +00:00
Shuaib Hasan Akib
3686987622 docs: simplify docs-code header by removing paths and keeping only file name and info
(cherry picked from commit 374c36d810)
2025-11-18 16:15:44 +00:00
SkyZeroZx
72b19d869d docs: replace @HostListener with host event bindings in attribute directives
(cherry picked from commit c93d02151a)
2025-11-17 23:09:15 +00:00
ljasek
efe5d2ebe3 docs: fix JetBrains AI Assistant MCP JSON configuration
(cherry picked from commit 6d35ab8c28)
2025-11-17 23:08:18 +00:00
aparziale
81b6e45b60 docs(docs-infra): add advanced recommendations
Added a recommendation in the advanced section noting that redirectTo and canMatch will generate an error. These properties are incompatible together

fixes #65267

(cherry picked from commit c757fd6c29)
2025-11-17 22:40:12 +00:00
Paul Leflon
967e111303 docs: fix markdown table in custom elements guide
(cherry picked from commit f13159f811)
2025-11-17 22:33:35 +00:00
Joey Perrott
5e15553774 ci: remove cache usage from ci.yml
Remove the @actions/cache usages from ci.yml
2025-11-17 10:59:37 -08:00
Jessica Janiuk
85777efe72 Revert "docs: replace legacy <docs-code> with fenced code blocks with highlight metadata"
This reverts commit c5c1689348.

(cherry picked from commit b2171c6c14)
2025-11-17 18:36:58 +00:00
Jessica Janiuk
820bb3991c Revert "refactor(core): let the profiler handle asymmetric events leniently"
This reverts commit da9911f2b4.

(cherry picked from commit 88dfd96ec9)
2025-11-17 18:10:40 +00:00
Jessica Janiuk
2dccdcd6bc Revert "fix(core): notify profiler events in case of errors"
This reverts commit af1ba52587.

(cherry picked from commit adc2a57be0)
2025-11-17 18:10:40 +00:00
JoostK
a966ff18d4 refactor(core): let the profiler handle asymmetric events leniently
Although the prior commit has made more profiler events guaranteed symmetric
through the use of finally-blocks, there continue to be some situations
that could potentially result in asymmetric events, e.g. application
bootstrap doesn't guarantee symmetric events. This commit makes the profiler
lenient to these situations by unrolling the stack past the asymmetric event
data, eventually reaching the expected start event.

(cherry picked from commit da9911f2b4)
2025-11-17 17:40:09 +00:00
JoostK
52cf65892a fix(core): notify profiler events in case of errors
Profiler events are expected to be symmetric, yet in the case of errors this symmetry may break
if events aren't always kept in sync with their corresponding start event. This commit moves
various end events to be run from a finally-block, allowing them to notify the profiler even
when an error has occurred.

Fixes #62947

(cherry picked from commit af1ba52587)
2025-11-17 17:40:09 +00:00
Cheng-Hsuan Tsai
4a1a7038c5 docs(docs-infra): set max-height to code example
(cherry picked from commit 138e65356b)
2025-11-17 17:28:17 +00:00
SkyZeroZx
daae2636d5 docs: Adds links to relevant guides for APIs in core package
(cherry picked from commit 0432e76171)
2025-11-17 16:47:38 +00:00
SkyZeroZx
d10f1107a8 docs: add documentation for HostAttributeToken
(cherry picked from commit d70310896c)
2025-11-17 16:47:02 +00:00
Shuaib Hasan Akib
755b360ed9 docs: replace legacy <docs-code> with fenced code blocks with highlight metadata
Replaced older <docs-code> components (e.g.
<docs-code language="ts" highlight="3">…</docs-code>)
with modern fenced code blocks using {highlight:[3]} metadata

(cherry picked from commit c5c1689348)
2025-11-17 16:43:39 +00:00
Shuaib Hasan Akib
84ceb9ca01 docs: replace <docs-code> bash examples with fenced bash code blocks
Updated bash command examples to use fenced code blocks (```bash) instead of <docs-code> components, improving formatting consistency and aligning with current documentation standards.

(cherry picked from commit 7ea60052f0)
2025-11-17 16:42:25 +00:00
Shuaib Hasan Akib
2e00074c64 docs: improve accessibility with descriptive link and main landmark
- Replaced <a><button></button></a> with a proper <a> containing text and
  aria-label to ensure links have discernible text.

- Added main tag in home page to provide
  a consistent main landmark, improving accessibility for screen readers
  and satisfying WCAG and Lighthouse requirements.

Fixes #65181.

(cherry picked from commit ee5947db38)
2025-11-17 16:32:04 +00:00
Shuaib Hasan Akib
38f7a8fb4c fix(docs-infra): add bash language support for shell prompt rendering
Code blocks with `bash` language identifier were not rendering the `$`
prefix, while `shell` blocks did.

This ensures consistent command-line prompt rendering across both
`bash` and `shell` code blocks in the documentation.

(cherry picked from commit f462684211)
2025-11-17 16:31:30 +00:00
Shuaib Hasan Akib
3767126376 docs(docs-infra): simplify file headers in <docs-code> blocks
Removed redundant "src/app/" prefix from file headers (e.g.
"src/app/open-close.component.ts" → "open-close.component.ts")
to keep examples concise and avoid unnecessary path noise.

Aligns with prior cleanup patterns (similar to angular#65016).

(cherry picked from commit 073dcd7ffd)
2025-11-17 16:30:34 +00:00
SkyZeroZx
2c3691dc1a docs: add documentation for DOCUMENT injection token usage in SSR
(cherry picked from commit 846d50ab23)
2025-11-17 16:28:04 +00:00
Angelo Parziale
66de132f8d docs(docs-infra): add npm link documentation for library development
Add comprehensive guide for using npm link with Angular libraries, including required angular.json.

(cherry picked from commit a458a83133)
2025-11-17 16:26:01 +00:00
Aristeidis Bampakos
a8cea2349b docs: use the new format for the X account
(cherry picked from commit 73295b1087)
2025-11-17 16:22:23 +00:00
portneon
68c5556c16 docs(router): update navigation event example to use event.code
(cherry picked from commit 93d548fba4)
2025-11-17 16:08:32 +00:00
Cheng-Hsuan Tsai
5c6583536c docs(docs-infra): make show code button more discoverable when collapsed
(cherry picked from commit 48cff8c128)
2025-11-17 16:07:05 +00:00
hawkgs
9c2dccf01a docs(docs-infra): fix misaligned tutorials card
Fix the "Deferrable views" illustration, which fixes the alignment within the `docs-card`.

(cherry picked from commit 6bfe107404)
2025-11-17 16:06:36 +00:00
Shuaib Hasan Akib
f7fcef1439 docs(docs-infra): simplify file headers in <docs-code> blocks
Removed redundant "src/app/" prefix from file headers (e.g.,
"src/app/open-close.component.ts" → "open-close.component.ts")
to make code examples cleaner and more focused.

(cherry picked from commit b3adb6001c)
2025-11-17 16:00:24 +00:00
SkyZeroZx
e0a6dadf1b docs: Uses the self-closing tag syntax
(cherry picked from commit 9ec964334e)
2025-11-14 16:32:39 +00:00
KAUSHIK REDDY AWALA
853fd9d4cf docs(docs-infra): update di factory provider function to use correct parameters
This PR fixes a parameter mismatch in the `apiClientFactory` function documentation example. The factory was previously passing only http and `userService` to the `ApiClient` constructor, but the constructor actually requires http, `baseUrl`, and `rateLimitMs` as separate parameters.

Key Changes:

- Extracts baseUrl and rateLimitMs from UserService using getter methods
- Updates the ApiClient instantiation to pass all three required constructor parameters
- Adds a comment explaining the assumption about UserService providing these values

(cherry picked from commit 6f716e400e)
2025-11-14 16:32:11 +00:00
Alan Agius
35e7b9a125 fix(docs-infra): update firebase caching regex for generated files
The regex for caching generated files in firebase.json has been updated to
include lowercase letters and underscores in the 8-character hash. This
ensures that files with names like `chunk-CrXHmw_W.js` are correctly
cached.

(cherry picked from commit e840cd547d)
2025-11-14 08:29:04 -08:00
Jessica Janiuk
39f9e239b7 release: cut the v20.3.12 release 2025-11-14 08:13:05 -08:00
Cheng-Hsuan Tsai
01719a59ab docs(docs-infra): hide file tabs when code example is hidden
(cherry picked from commit 6d8c3fc888)
2025-11-13 23:58:13 +00:00
Matthew Beck
f689269eca Revert "fix(compiler): support one additional level of nesting in :host()"
This reverts commit 036c5d2a07.
2025-11-13 15:44:25 -08:00
Matthew Beck
7b2e6caaf8 Revert "fix(compiler): support arbitrary nesting in :host-context()"
This reverts commit f9d0818087.
2025-11-13 15:44:25 -08:00
Matthew Beck
6036eef73c Revert "fix(compiler): support commas in :host() argument"
This reverts commit 106b9040df.
2025-11-13 15:44:25 -08:00
Matthew Beck
a44658ba3e Revert "fix(compiler): support complex selectors in :nth-child()"
This reverts commit 9419ea348a.
2025-11-13 15:44:25 -08:00
Joey Perrott
fdd267a775 ci: use hardcoded global approvers group
Use a single hardcoded, within the pullapprove config file, group for global approvers instead of leveraging a github team as a group
2025-11-13 15:00:57 -08:00
Alessio Pelliccione
70da36f251 docs(docs-infra): improve theme picker accessibility and add animations
(cherry picked from commit 25320ae1eb)
2025-11-13 22:05:11 +00:00
SkyZeroZx
06bc1467b1 docs: adds guide references to router APIs
Adds `@see` tags with links to relevant guides in the router documentation.

(cherry picked from commit 718eb7bb3a)
2025-11-13 18:00:23 +00:00
Shuaib Hasan Akib
3a8fb096d6 docs: replace <docs-code> block with standard fenced code block for typescript example
Replaced the <docs-code> wrapper with a Markdown fenced code block to improve
copy/paste usability, syntax highlighting consistency, and alignment with current
documentation formatting standards.

Inspired by #65043

(cherry picked from commit 3cfd4361a5)
2025-11-13 17:34:14 +00:00
Matthieu Riegler
a02b957b60 refactor(core): remove resource flag.
This was used to migrate G3 and is no longer necessary.

(cherry picked from commit d1ab73dd87)
2025-11-13 17:12:21 +00:00