mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
Moves the event attribute validation check outside of `ngDevMode` in the `elementAttributeInternal` instruction to ensure that bindings to event attributes like `on*` are always blocked at runtime.

Previously, this check was only performed when `ngDevMode` was `true`, which could allow attacker-controlled CMS data to be bound to event attributes in production mode, causing browser-executed XSS.

Fixes #68419

PR Close #68468

| Name |
|---|
| linker |
| private |
| src |
| test |
| BUILD.bazel |
| esbuild.config.js |
| index.ts |
| package.json |
| tsconfig-test.json |
| tsconfig.json |