angular/packages/core/test/render3/i18n
Doug Parker 7d58b798c6 fix(core): block creation of sensitive URI attributes from ICU messages
Translators are not allowed to write HTML which creates URI attributes. I opted to ban any values going into an attribute at all, to prevent even links to malicious content, rather than just sanitizing URIs.

I also converted this blocklist into an allowlist. Now, we only allow setting known attributes (while sanitizing URI attributes). This significantly reduces the risk of missing a vulnerable attribute and does not require an exhaustive list of all potential attributes.

BREAKING CHANGE: Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

(cherry picked from commit 306f367899)
2026-02-24 18:50:41 +00:00
i18n_insert_before_index_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
i18n_parse_spec.ts fix(core): block creation of sensitive URI attributes from ICU messages 2026-02-24 18:50:41 +00:00
i18n_spec.ts fix(core): Clear lView from IcuIteratorState when stack is empty to prevent memory leak 2025-10-27 19:42:18 +01:00