angular/packages
Alan Agius 8569db8875
fix(platform-server): add allowedHosts option to renderModule and renderApplication
In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs.
To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `*.example.com`, or `*` to allow all).

During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses.

Closes #68436
2026-05-07 16:30:48 -06:00
animations build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00
bazel build: update common's locales to use rules_js (#61630) 2025-05-26 10:18:48 +00:00
benchpress build: migrate benchpress to use rules_js (#61486) 2025-05-20 08:44:55 +00:00
common fix(http): prevent XSRF token leakage to protocol-relative URLs 2025-11-25 13:57:28 -05:00
compiler fix(compiler): disallow translations of iframe src 2026-03-12 12:44:18 -06:00
compiler-cli fix(core): sanitize sensitive attributes on SVG script elements 2026-01-06 15:54:15 -05:00
core fix(core): disallow event attribute bindings in host bindings unconditionally (#68469) 2026-05-07 15:25:14 -07:00
docs/di docs: remove outdated/unsupported webworker doc (#49856) 2023-04-17 14:01:41 +00:00
elements build: remove irrelevant madge circular deps tests (#61209) 2025-05-08 09:23:47 -07:00
examples build: migrate examples to use rules_js (#61652) 2025-05-26 11:01:31 +00:00
forms build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00
language-service refactor: ensure tsurge migrations have clear ownership of files (#61421) (#61612) 2025-05-22 11:43:48 -07:00
localize build: exclude esbuild metadata files from distributable packages (#61636) 2025-05-26 08:57:43 +00:00
misc/angular-in-memory-web-api build: migrate angular-in-memory-web-api to use rules_js (#61524) 2025-05-20 16:53:21 +00:00
platform-browser fix(core): introduce BootstrapContext for improved server bootstrapping (#63639) 2025-09-09 10:56:38 -07:00
platform-browser-dynamic build: migrate platform-browser and platform-browser-dynamic package to use rules_js (#61624) 2025-05-22 15:32:58 -07:00
platform-server fix(platform-server): add allowedHosts option to renderModule and renderApplication 2026-05-07 16:30:48 -06:00
private/testing build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00
router build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00
service-worker build: exclude esbuild metadata files from distributable packages (#61636) 2025-05-26 08:57:43 +00:00
ssr refactor(core): add REQUEST, RESPONSE_INIT and REQUEST_CONTEXT tokens (#58669) 2024-11-14 14:21:21 -08:00
upgrade build: migrate upgrade to use ng_project instead of ng_module (#61320) 2025-05-14 09:34:29 -07:00
zone.js release: cut the zone.js-0.15.1 release (#61632) 2025-05-22 14:53:18 -07:00
BUILD.bazel build: use common macro to define tsconfig for service worker (#61341) 2025-05-14 10:43:26 -07:00
circular-deps-test.conf.js build: remove circular deps goldens (#60021) 2025-02-19 21:01:32 +00:00
empty.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
goog.d.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
license-banner.txt docs: update license year (#59883) 2025-03-04 19:36:48 +00:00
package.json build: prepare for compiler-cli to be using ts_project (#61237) 2025-05-09 16:01:49 +00:00
README.md docs: fix links to docs (#57391) 2024-08-19 09:20:15 -07:00
system.d.ts refactor: update packages/core:{core,src} to ts_project (#61336) 2025-05-14 08:31:33 -07:00
tsconfig-build.json build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00
tsconfig-legacy-saucelabs.json feat(core): support TypeScript 5.5 (#56096) 2024-05-29 15:33:33 +02:00
tsconfig-test.json
tsconfig-tsec-base.json refactor(core): throw an error when hydration marker is missing from DOM (#51170) 2023-08-04 11:31:49 -04:00
tsconfig.json refactor: update packages/core:{core,src} to ts_project (#61336) 2025-05-14 08:31:33 -07:00
tsec-exemption.json
types.d.ts build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00

Angular

The sources for this package are in the main Angular repo. Please file issues and pull requests against that repo.

Usage information and reference details can be found in Angular documentation.

License: MIT