angular/packages/core/src/sanitization
Alan Agius 91dc91bae4
fix(core): sanitize sensitive attributes on SVG script elements
This commit updates the DOM security schema and sanitization logic to properly recognize and sanitize `href` and `xlink:href` attributes on SVG `<script>` elements.
2026-01-06 15:49:52 -05:00
bypass.ts Revert "refactor(core): Add ngDevMode guards and new sanitization error codes" 2026-01-02 11:37:24 +01:00
html_sanitizer.ts Revert "refactor(core): Add ngDevMode guards and new sanitization error codes" 2026-01-02 11:37:24 +01:00
iframe_attrs_validation.ts fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs 2025-12-01 10:26:56 +01:00
inert_body.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
readme.md build: format md files 2025-11-06 10:03:05 -08:00
sanitization.ts fix(core): sanitize sensitive attributes on SVG script elements 2026-01-06 15:49:52 -05:00
sanitizer.ts docs: improve core package API documentation with additional reference links 2025-11-25 10:19:36 -05:00
security.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
url_sanitizer.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00

Sanitization

This folder contains sanitization-related code.

History

Sanitization-related code used to live in @angular/platform-browser, since it is platform related. While this is true, in practice the compiler schema is permanently tied to the DOM, and hence the fact that the sanitizer could in theory be replaced is not used in practice.

To better support tree shaking, we need to be able to refer to the sanitization functions from the Ivy code. For this reason the code has been moved into @angular/core.