angular/packages/compiler
Alan Agius a9bcffdbc7 fix(core): disallow event attribute bindings in host bindings unconditionally (#68468)
Moves the event attribute validation check outside of `ngDevMode` in the `elementAttributeInternal` instruction to ensure that bindings to event attributes like `on*` are always blocked at runtime.

Previously, this check was only performed when `ngDevMode` was `true`, which could allow attacker-controlled CMS data to be bound to event attributes in production mode, causing browser-executed XSS.

Fixes #68419

PR Close #68468
2026-05-06 14:43:10 -07:00
design build: format md files 2025-11-06 10:10:22 -08:00
src fix(core): disallow event attribute bindings in host bindings unconditionally (#68468) 2026-05-06 14:43:10 -07:00
test fix(compiler): disallow translations of iframe src 2026-03-12 12:30:55 -06:00
BUILD.bazel build: rename defaults2.bzl to defaults.bzl (#63384) 2025-08-25 15:45:46 -07:00
compiler.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
index.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
package.json fix(core): update min Node.js support to 20.19, 22.12, and 24.0 (#61499) 2025-05-20 14:15:13 +00:00
public_api.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00