angular/packages
Alan Agius f584840e2e
fix(platform-server): add allowedHosts option to renderModule and renderApplication
In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs.
To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `*.example.com`, or `*` to allow all).

During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses.

Closes #68436
2026-05-07 16:22:46 -06:00
animations build: format md files 2025-11-06 10:10:22 -08:00
benchpress build: format md files 2025-11-06 10:10:22 -08:00
common fix(http): prevent XSRF token leakage to protocol-relative URLs 2025-11-25 13:54:57 -05:00
compiler fix(core): disallow event attribute bindings in host bindings unconditionally (#68468) 2026-05-06 14:43:10 -07:00
compiler-cli fix(core): disallow event attribute bindings in host bindings unconditionally (#68468) 2026-05-06 14:43:10 -07:00
core fix(core): disallow event attribute bindings in host bindings unconditionally (#68468) 2026-05-06 14:43:10 -07:00
docs/di build: format md files 2025-11-06 10:10:22 -08:00
elements refactor(core): mark VERSION as @__PURE__ for better tree-shaking 2025-11-10 12:04:08 -08:00
examples build: format md files 2025-11-06 10:10:22 -08:00
forms refactor(core): mark VERSION as @__PURE__ for better tree-shaking 2025-11-10 12:04:08 -08:00
language-service build: format md files 2025-11-06 10:10:22 -08:00
localize build: format md files 2025-11-06 10:10:22 -08:00
misc/angular-in-memory-web-api build: format md files 2025-11-06 10:10:22 -08:00
platform-browser refactor(core): mark VERSION as @__PURE__ for better tree-shaking 2025-11-10 12:04:08 -08:00
platform-browser-dynamic refactor(core): mark VERSION as @__PURE__ for better tree-shaking 2025-11-10 12:04:08 -08:00
platform-server fix(platform-server): add allowedHosts option to renderModule and renderApplication 2026-05-07 16:22:46 -06:00
private/testing build: rename defaults2.bzl to defaults.bzl (#63384) 2025-08-25 15:45:46 -07:00
router docs: adds guide references to router APIs 2025-11-13 18:00:23 +00:00
service-worker Revert "feat(service-worker): notify clients about version failures (#62718)" 2025-11-11 12:48:48 -08:00
ssr/docs build: rename defaults2.bzl to defaults.bzl (#63384) 2025-08-25 15:45:46 -07:00
upgrade refactor(core): mark VERSION as @__PURE__ for better tree-shaking 2025-11-10 12:04:08 -08:00
zone.js build: format md files 2025-11-06 10:10:22 -08:00
BUILD.bazel build: rename defaults2.bzl to defaults.bzl (#63384) 2025-08-25 15:45:46 -07:00
circular-deps-test.conf.js docs(docs-infra): lift circular imports (#63186) 2025-08-19 07:58:47 +00:00
empty.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
goog.d.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
license-banner.txt docs: update website URL in license banners (#64183) 2025-10-02 07:56:59 -07:00
package.json build: prepare for compiler-cli to be using ts_project (#61181) 2025-05-09 15:59:46 +00:00
README.md build: format md files 2025-11-06 10:10:22 -08:00
system.d.ts refactor: update packages/core:{core,src} to ts_project (#61275) 2025-05-14 12:01:51 +00:00
tsconfig-build.json build: migrate to using new jasmine_test (#62131) 2025-06-19 10:06:27 +02:00
tsconfig-legacy-saucelabs.json feat(core): support TypeScript 5.5 (#56096) 2024-05-29 15:33:33 +02:00
tsconfig-test.json
tsconfig.json refactor: use zone.js from npm instead of packages/zone.js throughout repo (#61977) 2025-06-10 12:02:03 -07:00
tsec-exemption.json
types.d.ts build: move private testing helpers outside platform-browser/testing (#61472) 2025-05-20 10:00:43 +00:00

Angular

The sources for this package are in the main Angular repo. Please file issues and pull requests against that repo.

Usage information and reference details can be found in Angular documentation.

License: MIT