mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
Moves the event attribute validation check outside of `ngDevMode` in the `elementAttributeInternal` instruction to ensure that bindings to event attributes like `on*` are always blocked at runtime. Previously, this check was only performed when `ngDevMode` was `true`, which could allow attacker-controlled CMS data to be bound to event attributes in production mode, causing browser-executed XSS.

Fixes #68419

PR Close #68469

||
|---|---|---|
| global | ||
| primitives | ||
| rxjs-interop | ||
| schematics | ||
| src | ||
| test | ||
| testing | ||
| BUILD.bazel | ||
| index.ts | ||
| package.json | ||
| PACKAGE.md | ||
| public_api.ts | ||
| tsconfig-build.json | ||
| tsconfig-test.json | ||