mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
Previously, `__Zone_symbol_prefix` was read directly from `globalThis` without validating its type:

```ts
const symbolPrefix = global['__Zone_symbol_prefix'] || '__zone_symbol__';
```

This made it possible for DOM clobbering to interfere with Zone’s internal symbol handling. If an attacker injected a DOM element with the same name (for example via a form field or anchor ID), `global['__Zone_symbol_prefix']` could resolve to a DOM element instead of a string. Because DOM elements are truthy, the fallback would not be used, and Zone would construct invalid internal keys (e.g. `[object HTMLFormElement]...`), breaking patching and lookup logic in subtle ways.

After the fix, `rawPrefix` is only accepted when it is a string matching `/^[a-zA-Z0-9_]+$/`. Any other value (DOM nodes, empty strings, or strings with unexpected characters) is rejected and replaced with the default `'__zone_symbol__'`.

This prevents DOM clobbering from influencing Zone’s internal symbol generation and keeps the patching system stable even in the presence of malicious or unexpected global values.
Directory listing:

- browser
- common
- extra
- jasmine
- jest
- mix
- mocha
- node
- rxjs
- testing
- vitest
- zone-spec
- BUILD.bazel
- zone-global.d.ts
- zone-impl.ts
- zone.api.extensions.ts
- zone.configurations.api.ts
- zone.ts