Commit graph

125 commits

Author SHA1 Message Date
Ruslan Lekhman
d5719c2e0f fix(core): input coercion (#42803)
BREAKING CHANGE: Forms [email] input coercion

Forms [email] input value will be considered as true if it is defined with any value rather
than false and 'false'.

PR Close #42803
2022-02-07 10:52:59 -08:00
AleksanderBodurri
445fbf81fd refactor(devtools): bring the angular devtools directory into the root bazel workspace
Previously devtools used a nested workspace for its bazel configurations. This meant framework dependencies were consumed via npm.

Now devtools is part of the root bazel directory that all other files in this codebase fall under. This allows us to build devtools using local angular packages, removing the need to consume these dependencies with npn. This is useful because we no longer have to update these dependencies with an automated tool like renovate, and our CI tests will always run against the most up to date framework packages.
2022-01-26 16:35:31 -05:00
Andrew Kushnir
a84f99fd1c refactor(core): move runtime error code logic (#44398)
This commit moves some logic to make the location of runtime error codes consistent across packages. Now all error codes are located in `packages/core/src/errors.ts` file.

PR Close #44398
2022-01-06 23:43:18 +00:00
Pei Wang
adaff4109b ci: Upgrade tsec to 0.2.0. (#44205)
tools/tsec.bzl is now part of tsec. Remove from Angular repo and update
BUILD.bazel files.

PR Close #44205
2021-11-24 18:55:58 +00:00
Alex Rickabaugh
8c71b9fc42 refactor: delete the View Engine runtime (#43884)
This commit removes the View Engine runtime. Itself, this change is
relatively straightforward, but it represents the final step in a multi-year
journey. It's only possible due to the hard work of many current and former
team members and collaborators, who are too numerous to list here.

Co-authored-by: Alan Agius <alan.agius4@gmail.com>
Co-authored-by: Andrew Kushnir <akushnir@google.com>
Co-authored-by: Andrew Scott <atscott01@gmail.com>
Co-authored-by: Andrew Seguin <andrewjs@google.com>
Co-authored-by: Cédric Exbrayat <cedric@ninja-squad.com>
Co-authored-by: Charles Lyding <19598772+clydin@users.noreply.github.com>
Co-authored-by: Dave Shevitz <dshevitz@google.com>
Co-authored-by: Doug Parker <dgp1130@users.noreply.github.com>
Co-authored-by: Dylan Hunn <dylhunn@gmail.com>
Co-authored-by: Emma Twersky <emmatwersky@google.com>
Co-authored-by: George Kalpakas <kalpakas.g@gmail.com>
Co-authored-by: Igor Minar <iminar@google.com>
Co-authored-by: Jeremy Elbourn <jelbourn@google.com>
Co-authored-by: Jessica Janiuk <jessicajaniuk@google.com>
Co-authored-by: JiaLiPassion <JiaLi.Passion@gmail.com>
Co-authored-by: Joey Perrott <josephperrott@gmail.com>
Co-authored-by: Joost Koehoorn <joost.koehoorn@gmail.com>
Co-authored-by: Kristiyan Kostadinov <crisbeto@abv.bg>
Co-authored-by: Madleina Scheidegger <mscheid@google.com>
Co-authored-by: Mark Thompson <2554588+MarkTechson@users.noreply.github.com>
Co-authored-by: Minko Gechev <mgechev@gmail.com>
Co-authored-by: Paul Gschwendtner <paulgschwendtner@gmail.com>
Co-authored-by: Pawel Kozlowski <pkozlowski.opensource@gmail.com>
Co-authored-by: Pete Bacon Darwin <pete@bacondarwin.com>
Co-authored-by: Wagner Maciel <wagnermaciel@google.com>
Co-authored-by: Zach Arend <zachzach@google.com>

PR Close #43884
2021-11-23 21:10:06 +00:00
Pei Wang
916487a873 build: Auto-gen tsec tsconfig files (#43440)
Previously, tsec-related tsconfig.json files are manually managed.
Switch to automatically generated ones.

PR Close #43440
2021-09-17 17:17:34 +00:00
Pei Wang
d12d068c37 build: Turn tsec checks into bazel tests. (#43108)
Introduce two new bazel rules: tsec_test and tsec_config, for
describing the tsec checks and the tsconfig file needed for such
checks, respectively. Currently, tsec_test only checks the srcs
of a ts_library or ng_module. It does not check direct or transitive
dependencies. Also, tsconfig files need to be manually maintained
to make sure tsec can read all necessary input (including global
symbols).

PR Close #43108
2021-09-13 14:45:57 -07:00
Paul Gschwendtner
2d0ff0a5d3 ci: add lint error for files with missing trailing new-line (#42478)
For quite a while it is an unspoken convention to add a trailing
new-line files within the Angular repository. This was never enforced
automatically, but has been frequently raised in pull requests through
manual review. This commit sets up a lint rule so that this is
"officially" enforced and doesn't require manual review.

PR Close #42478
2021-06-04 13:31:03 -07:00
Paul Gschwendtner
25f763cff8 feat(core): support TypeScript 4.3 (#42022)
Switches the repository to TypeScript 4.3 and the latest
version of tslib. This involves updating the peer dependency
ranges on `typescript` for the compiler CLI and for the Bazel
package. Tests for new TypeScript features have been added to
ensure compatibility with Angular's ngtsc compiler.

PR Close #42022
2021-06-04 11:17:09 -07:00
Bjarki
980f6a4958 fix(core): address Trusted Types bug in Chrome 83 (#40815)
In Chrome 83 passing a TrustedScript to eval just returns the
TrustedScript back without evaluating it, causing the
newTrustedFunctionFor{Dev,JIT} functions to fail. This is a browser bug
that has been fixed in Chrome 84, and only affects Angular applications
running with JIT (which includes unit tests).

As a temporary workaround for users still on Chrome 83, detect when this
occurs in the newTrustedFunctionFor* functions and fall back to the
straightforward, non-Trusted Types compatible implementation. The only
combination that is left affected consists of Angular applications
running with JIT, that have explicitly configured Trusted Types in
enforcement mode, with users that are still on Chrome 83.

Also correct docstring for newTrustedFunctionForJIT.

PR Close #40815
2021-02-12 16:59:58 -08:00
Misko Hevery
6bf99e0eda fix(core): fix possible XSS attack in development through SSR (#40525)
This is a follow up fix for
894286dd0c.

It turns out that comments can be closed in several ways:
- `<!-->`
- `<!-- -->`
- `<!-- --!>`

All of the above are valid ways to close comment per:
https://html.spec.whatwg.org/multipage/syntax.html#comments

The new fix surrounds `<` and `>` with zero width space so that it
renders in the same way, but it prevents the comment to be closed eagerly.

PR Close #40525
2021-01-26 09:32:27 -08:00
Jessica Janiuk
c64a56fbcc Revert "fix(core): fix possible XSS attack in development through SSR (#40525)" (#40533)
This reverts commit bb3b315eee.

Reason for Revert: Issues with Google3 TAP Failures

PR Close #40533
2021-01-22 16:44:34 -08:00
Misko Hevery
bb3b315eee fix(core): fix possible XSS attack in development through SSR (#40525)
This is a follow up fix for
894286dd0c.

It turns out that comments can be closed in several ways:
- `<!-->`
- `<!-- -->`
- `<!-- --!>`

All of the above are valid ways to close comment per:
https://html.spec.whatwg.org/multipage/syntax.html#comments

The new fix surrounds `<` and `>` with zero width space so that it
renders in the same way, but it prevents the comment to be closed eagerly.

PR Close #40525
2021-01-22 14:19:52 -08:00
Misko Hevery
d516113803 refactor(core): Remove the need for explicit static query instruction (#40091)
Because the query now has `flags` which specify the mode, the static query
instruction can now be remove. It is simply normal query with `static` flag.

PR Close #40091
2021-01-14 13:55:02 -08:00
Misko Hevery
e32b6256ce fix(core): QueryList should not fire changes if the underlying list did not change. (#40091)
Previous implementation would fire changes `QueryList.changes.subscribe`
whenever the `QueryList` was recomputed. This resulted in artificially
high number of change notifications, as it is possible that recomputing
`QueryList` results in the same list. When the `QueryList` gets recomputed
is an implementation detail and it should not be the thing which determines
how often change event should fire.

This change introduces a new `emitDistinctChangesOnly` option for
`ContentChildren` and `ViewChildren`.

```
export class QueryCompWithStrictChangeEmitParent {
  @ContentChildren('foo', {
    // This option will become the default in the future
    emitDistinctChangesOnly: true,
  })
  foos!: QueryList<any>;
}
```

PR Close #40091
2021-01-14 13:55:02 -08:00
Alan Agius
475468cc8f refactor(core): remove custom globalThis (#40123)
This is provided by TypeScript since version 3.4

PR Close #40123
2020-12-17 11:43:28 -08:00
Alan Agius
70b4816cd5 fix(core): set ngDevMode to false when calling enableProdMode() (#40124)
The `ngDevMode` description also mentions that calling `enableProdMode` will set this the value to `false`.
4610093c87/packages/core/src/util/ng_dev_mode.ts (L22) which is currently not the case.

PR Close #40124
2020-12-16 13:20:58 -08:00
Misko Hevery
47d9b6d72d fix(core): fix possible XSS attack in development through SSR. (#40136)
Escape the content of the strings so that it can be safely inserted into a comment node.
The issue is that HTML does not specify any way to escape comment end text inside the comment.
`<!-- The way you close a comment is with "-->". -->`. Above the `"-->"` is meant to be text
not an end to the comment. This can be created programmatically through DOM APIs.

```
div.innerHTML = div.innerHTML
```
One would expect that the above code would be safe to do, but it turns out that because comment
text is not escaped, the comment may contain text which will prematurely close the comment
opening up the application for XSS attack. (In SSR we programmatically create comment nodes which
may contain such text and expect them to be safe.)
This function escapes the comment text by looking for the closing char sequence `-->` and replace
it with `-_-_>` where the `_` is a zero width space `\u200B`. The result is that if a comment
contains `-->` text it will render normally but it will not cause the HTML parser to close the
comment.

PR Close #40136
2020-12-16 09:38:08 -08:00
arturovt
df27027ecb fix(core): remove application from the testability registry when the root view is removed (#39876)
In the new behavior Angular removes applications from the testability registry when the
root view gets destroyed. This eliminates a memory leak, because before that the
TestabilityRegistry holds references to HTML elements, thus they cannot be GCed.

PR Close #22106

PR Close #39876
2020-12-02 12:56:04 -08:00
David-Emmanuel DIVERNOIS
c7f4abf18a feat(common): allow any Subscribable in async pipe (#39627)
As only methods from the Subscribable interface are currently used in the
implementation of the async pipe, it makes sense to make it explicit so
that it works successfully with any other implementation instead of
only Observable.

PR Close #39627
2020-11-23 08:28:11 -08:00
Pete Bacon Darwin
7bcfc0db09 refactor(core): remove isObservable TODO (#39669)
This commit removes the TODO comment that proposed
that we use the built-in RxJS `isObservable()` function.

This is not a viable approach since the built-in function
requires that the `obj` contains additional methods that
our "observable" types (such as `EventEmitter`) do not
necessarily have.

See #39643 for more information.

PR Close #39669
2020-11-16 09:28:12 -08:00
Bjarki
f54662e931 fix(core): mark Trusted Types as declarations (#39471)
Angular-internal type definitions for Trusted Types were added in #39211.
When compiled using the Closure compiler with certain optimization
flags, identifiers from these type definitions (such as createPolicy)
are currently uglified and renamed to shorter strings. This causes
Angular applications compiled in this way to fail to create a Trusted
Types policy, and fall bock to using strings.

To fix this, mark the internal Trusted Types definitions as declarations
using the "declare" keyword. Also convert types to interfaces, for
the reasons explained in https://ncjamieson.com/prefer-interfaces/

PR Close #39471
2020-10-29 11:58:48 -07:00
Andrew Kushnir
9186ad84ae refactor(core): remove unused i18n placeholder for projection (#39172)
Runtime i18n logic doesn't distinguish `<ng-content>` tag placeholders and regular element tag
placeholders in i18n messages, so there is no need to have a special marker for projection-based
placeholders and element markers can be used instead.

PR Close #39172
2020-10-27 10:39:37 -07:00
Misko Hevery
ca11ef2376 fix(core): Store ICU state in LView rather than in TView (#39233)
Before this refactoring/fix the ICU would store the current selected
index in `TView`. This is incorrect, since if ICU is in `ngFor` it will
cause issues in some circumstances. This refactoring properly moves the
state to `LView`.

closes #37021
closes #38144
closes #38073

PR Close #39233
2020-10-21 18:33:00 -07:00
Misko Hevery
61d56be83e refactor(core): Change TemplateFixture to named parameters (#39233)
`TemplateFixture` used to have positional parameters and many tests got
hard to read as number of parameters reach 10+ with many of them `null`.
This refactoring changes `TemplateFixture` to take named parameters
which improves usability and readability in tests.

PR Close #39233
2020-10-21 18:32:59 -07:00
Bjarki
49197d12a0 feat(core): create a Trusted Types policy for bypass conversions (#39218)
When an application uses a custom sanitizer or one of the
bypassSecurityTrust functions, Angular has no way of knowing whether
they are implemented in a secure way. (It doesn't even know if they're
introduced by the application or by a shady third-party dependency.)
Thus using Angular's main Trusted Types policy to bless values coming
from these two sources would undermine the security that Trusted Types
brings.

Instead, introduce a Trusted Types policy called angular#unsafe-bypass
specifically for blessing values from these sources. This allows an
application to enforce Trusted Types even if their application uses a
custom sanitizer or the bypassSecurityTrust functions, knowing that
compromises to either of these two sources may lead to arbitrary script
execution. In the future Angular will provide a way to implement
custom sanitizers in a manner that makes better use of Trusted Types.

PR Close #39218
2020-10-16 08:13:52 -07:00
mcalmus
4610093c87 fix(core): guard reading of global ngDevMode for undefined. (#36055)
When reading globals such as `ngDevMode` the read should be guarded by `typeof ngDevMode` otherwise it will throw if not
defined in `"use strict"` mode.

PR Close #36055
2020-10-16 08:12:22 -07:00
Bjarki
9bfb508b87 build: replace @types/trusted-types dep with minimal type defs (#39211)
The @types/trusted-types type definitions are currently imported in
types.d.ts, which causes them to eventually be imported in core.d.ts.
This forces anyone compiling against @angular/core to provide the
@types/trusted-types package in their compilation unit, which we don't
want.

To address this, get rid of the @types/trusted-types and instead import
a minimal version of the Trusted Types type definitions directly into
Angular's codebase.

Update the existing references to Trusted Types to point to the new
definitions.

PR Close #39211
2020-10-15 09:08:00 -07:00
Bjarki
f6d5cdfbd7 fix(core): use Trusted Types policy in named_array_type (#39209)
Address a Trusted Types violation that occurs in createNamedArrayType
during development mode. Instead of passing strings directly to "new
Function", use the Trusted Types compatible function constructor exposed
by the Trusted Types policy.

PR Close #39209
2020-10-14 09:33:48 -07:00
Bjarki
5913e5c4e8 feat(core): add Trusted Types workaround for Function constructor (#39209)
Chrome currently does not support passing TrustedScript to the Function
constructor, and instead fails with a Trusted Types violation when
called. As the Function constructor is used in a handful of places
within Angular, such as in the JIT compiler and named_array_type, the
workaround proposed on the following page is implemented:
https://github.com/w3c/webappsec-trusted-types/wiki/Trusted-Types-for-function-constructor

To be precise, it constructs a string representing an anonymous function
in a way that is equivalent to what the Function constructor does,
promotes it to a TrustedScript and then calls eval.

To facilitate backwards compatibility, new Function is used directly in
environments that do not support Trusted Types.

PR Close #39209
2020-10-14 09:33:47 -07:00
Bjarki
0875fd2360 feat(core): create internal Trusted Types module (#39207)
Add a module that provides a Trusted Types policy for use internally by
Angular. The policy is created lazily and stored in a module-local
variable. For now the module does not allow configuring custom policies
or policy names, and instead creates its own policy with 'angular' as a
fixed policy name. This is to more easily support tree-shakability.

Helper functions for unsafely converting strings to each of the three
Trusted Types are also introduced, with documentation that make it clear
that their use requires a security review. When Trusted Types are not
available, these helper functions fall back to returning strings.

PR Close #39207
2020-10-13 11:23:36 -07:00
crisbeto
a80f654af9 fix(core): error if CSS custom property in host binding has number in name (#38432)
Fixes an error if a CSS custom property, used inside a host binding, has a
number in its name. The error is thrown because the styling parser only
expects characters from A to Z,dashes, underscores and a handful of other
characters.

Fixes #37292.

PR Close #38432
2020-08-13 10:35:07 -07:00
Misko Hevery
6d8c73a4d6 fix(core): Store the currently selected ICU in LView (#38345)
The currently selected ICU was incorrectly being stored it `TNode`
rather than in `LView`.

Remove: `TIcuContainerNode.activeCaseIndex`
Add: `LView[TIcu.currentCaseIndex]`

PR Close #38345
2020-08-10 12:41:17 -07:00
Sonu Kapoor
f4fac406b9 docs(core): fixes minor typo in initNgDevMode function docs (#38042)
PR Close #38042
2020-07-14 13:17:32 -07:00
pkozlowski-opensource
bbe3543c69 refactor(core): remove duplicated WrappedValue class (#37940)
Before this refactoring we had the WrappedValue class in
2 separate places:
- packages/core/src/change_detection/change_detection_util.ts
- packages/core/src/util/WrappedValue.ts

This commit removes the duplicate, leaving the class that has
the deprecation notice.

PR Close #37940
2020-07-08 16:02:16 -07:00
Andrew Scott
4456e7e4de refactor(core): remove looseIdentical in favor of built-in Object.is (#37191)
Remove `looseIdentical` implementation and instead use the ES2015 `Object.is` in its place.
They behave exactly the same way except for `+0`/`-0`.
`looseIdentical(+0, -0)` => `true`
`Object.is(+0, -0)` => `false`

Other than the difference noted above, this is not be a breaking change because:
1. `looseIdentical` is a private API
2. ES2015 is listed as a mandatory polyfill in the [browser support
guide](https://angular.io/guide/browser-support#mandatory-polyfills)
3. Also note that `Ivy` already uses `Object.is` in `bindingUpdated`.

PR Close #37191
2020-06-01 17:19:17 -04:00
AleksanderBodurri
c3651cec0b docs(core): fix typo in decorators.ts relating to the use of Object.defineProperty. (#37369)
Previously there was a typo in a comment within the PropDecorator function relating to and justifying the use of Object.defineProperty. This PR clears up the wording that comment

PR Close #37369
2020-06-01 17:18:08 -04:00
Joey Perrott
d1ea1f4c7f build: update license headers to reference Google LLC (#37205)
Update the license headers throughout the repository to reference Google LLC
rather than Google Inc, for the required license headers.

PR Close #37205
2020-05-26 14:26:58 -04:00
pkozlowski-opensource
ddaa124162 refactor(core): remove _tViewNode field from ViewRef (#36814)
The _tViewNode field (that was marked as internal) on the ViewRef is not
necessery as a reference to a relevant TView is available as a local
variable.

PR Close #36814
2020-05-14 15:35:37 -07:00
Joey Perrott
698b0288be build: reformat repo to new clang@1.4.0 (#36613)
PR Close #36613
2020-04-14 12:08:36 -07:00
danranVm
47bfec4e46 feat(core): add isPromise generic (#34168)
This commit adds generic to `isPromise` function to help with type inference.

PR Close #34168
2020-03-20 10:15:01 -07:00
JoostK
e342ffd855 fix(core): adhere to bootstrap options for JIT compiled components (#35534)
When using `platformBrowserDynamic().bootstrapModule()`, it is possible
to set `defaultEncapsulation` and `preserveWhitespaces` as default
configuration to influence how components are compiled. When compiling
components in JIT with Ivy, these options were not taken into account.

This commit publishes the options to be globally available, so that the
lazy compilation of JIT components has access to the configured
bootstrap options. Note that this approach does not allow changing the
options once they have been set, as Ivy's compilation model does not
allow for multiple compilations to exist at the same time.

For applications that bootstrap multiple modules, it is now required
to provide the exact same bootstrap options. An error is logged if
incompatible bootstrap options are provided, in which case the updated
options will be ignored.

Fixes #35230
Resolved FW-1838

PR Close #35534
2020-03-19 08:57:39 -07:00
Misko Hevery
f5c7e883a9 refactor(core): Take advantage of 'assert functions' for ngDevMode asserts (#35964)
As of TypeScript 3.7, TypeScript supports [Assert Functions](https://www.typescriptlang.org/docs/handbook/release-notes/typescript-3-7.html#assertion-functions). This change adds assert types to our `assert*` functions.

We can't fully take advantage of this due to [Assert functions do not constraint type when they are guarded by a truthy expression.](https://github.com/microsoft/TypeScript/issues/37295)

PR Close #35964
2020-03-10 21:01:26 -04:00
Andrew Scott
c7d0567d37 Revert "docs: add comment markers for internal goog.define replacement (#32795)" (#35830)
This reverts commit 32b6c2285e as this is
no longer used.

PR Close #35830
2020-03-03 09:34:17 -08:00
Doug Parker
dc6a7918e3 fix(core): add noSideEffects() to make*Decorator() functions (#35769)
This causes all the `make*Decorator()` functions to be considered pure and to be eligible for associated tree shaking by Closure.

PR Close #35769
2020-03-03 08:50:03 -08:00
Doug Parker
4052dd8188 refactor(core): update noSideEffects() to return the result of the inner function (#35769)
This is useful for propagating return values without them being converted to a string. It still provides the same guarantees to Closure, which will assume that the function invoked is pure and can be tree-shaken accordingly.

PR Close #35769
2020-03-03 08:50:03 -08:00
Misko Hevery
40035380e7 fix(core): Remove debugger statement when assert is thrown (#35763)
Fix #35470
Fix FW-1925

PR Close #35763
2020-02-28 12:23:50 -08:00
Miško Hevery
c1cf46c5c3 refactor(ivy): clean of #34804 from previous merge (#35022)
This is a follow up for https://github.com/angular/angular/pull/34804

PR Close #35022
2020-01-29 16:35:08 -08:00
Misko Hevery
ee8b8f52aa feat(ivy): Change static priority resolution to be same level as directive it belongs to (#34938)
This change changes the priority order of static styling.

Current priority:
```
(least priority)
- Static
  - Component
  - Directives
  - Template
- Dynamic Binding
  - Component
    - Map/Interpolation
    - Property
  - Directives
    - Map/Interpolation
    - Property
  - Template
    - Map/Interpolation
    - Property
(highest priority)
```

The issue with the above priority is this use case:

```
<div style="color: red;" directive-which-sets-color-blue>
```
In the above case the directive will win and the resulting color will be `blue`. However a small change of adding interpolation to the example like so. (Style interpolation is coming in https://github.com/angular/angular/pull/34202)
```
<div style="color: red; width: {{exp}}px" directive-which-sets-color-blue>
```
Changes the priority from static binding to interpolated binding which means now the resulting color is `red`. It is very surprising that adding an unrelated interpolation and style can change the `color` which was not changed. To fix that we need to make sure that the static values are associated with priority of the source (directive or template) where they were declared. The new resulting priority is:

```
(least priority)
- Component
  - Static
  - Map/Interpolation
  - Property
- Directives
  - Static
  - Map/Interpolation
  - Property
- Template
  - Static
  - Map/Interpolation
  - Property
(highest priority)
```

PR Close #34938
2020-01-29 15:41:47 -08:00
Misko Hevery
cf07d428a1 refactor(ivy): make assert conditions more readable (#34938)
PR Close #34938
2020-01-29 15:41:47 -08:00