angular/packages/core
Alan Agius 83a640516f fix(core): disallow event attribute bindings in host bindings unconditionally (#68469)
Moves the event attribute validation check outside of `ngDevMode` in the `elementAttributeInternal` instruction to ensure that bindings to event attributes like `on*` are always blocked at runtime.

Previously, this check was only performed when `ngDevMode` was `true`, which could allow attacker-controlled CMS data to be bound to event attributes in production mode, causing browser-executed XSS.

Fixes #68419

PR Close #68469
2026-05-07 15:25:14 -07:00
global refactor(docs-infra): use interpolation instead of innerHTML for better perf (#58913) 2024-11-27 10:59:18 +01:00
primitives build: migrate more targets of @angular/core to ts_project (#61420) 2025-05-16 15:53:27 +00:00
rxjs-interop build: migrate all ts_library in packages/core/test (#61571) 2025-05-21 16:04:42 +00:00
schematics fix(core): introduce BootstrapContext for improved server bootstrapping (#63639) 2025-09-09 10:56:38 -07:00
src fix(core): disallow event attribute bindings in host bindings unconditionally (#68469) 2026-05-07 15:25:14 -07:00
test fix(core): disallow event attribute bindings in host bindings unconditionally (#68469) 2026-05-07 15:25:14 -07:00
testing build: migrate platform-browser and platform-browser-dynamic package to use rules_js (#61624) 2025-05-22 15:32:58 -07:00
BUILD.bazel build: migrate more targets of @angular/core to ts_project (#61420) 2025-05-16 15:53:27 +00:00
index.ts refactor: update packages/core:{core,src} to ts_project (#61336) 2025-05-14 08:31:33 -07:00
package.json build: update zone.js peer dependency for core package to 0.15.0 (#57431) 2024-08-21 13:17:52 -07:00
PACKAGE.md
public_api.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
tsconfig-build.json build: migrate more targets of @angular/core to ts_project (#61420) 2025-05-16 15:53:27 +00:00
tsconfig-test.json build: migrate more targets of @angular/core to ts_project (#61420) 2025-05-16 15:53:27 +00:00