This commit implements a security fix to prevent XSS vulnerabilities where SVG animation elements (`<animate>`, `<set>`, etc.) could be used to modify the `href` or `xlink:href` attributes of other elements to `javascript:` URLs. The fix introduces a runtime validation step: - A new [ɵɵValidateAttribute](cci:1://file:///usr/local/google/home/alanagius/git/angular/packages/core/src/sanitization/sanitization.ts:276:0-288:1) instruction is used when `attributeName` is bound on SVG animation elements. - If executed, a `RuntimeError` is thrown, preventing the binding. - The compiler now identifies `attributeName` on SVG animation elements as security-sensitive and injects this validation. Additionally, the DOM security schema has been updated to include a comprehensive list of MathML and SVG elements that accept `href` or `xlink:href` attributes, ensuring they are correctly treated as `SecurityContext.URL` and sanitized. This prevents malicious URLs from being bound to these attributes. http://b/463880509 |
||
|---|---|---|
| .aspect/rules/external_repository_action_cache | ||
| .devcontainer | ||
| .github | ||
| .husky | ||
| .ng-dev | ||
| .vscode | ||
| .yarn | ||
| adev | ||
| contributing-docs | ||
| devtools | ||
| goldens | ||
| integration | ||
| modules | ||
| packages | ||
| scripts | ||
| third_party | ||
| tools | ||
| .bazelignore | ||
| .bazelrc | ||
| .bazelversion | ||
| .clang-format | ||
| .editorconfig | ||
| .git-blame-ignore-revs | ||
| .gitattributes | ||
| .gitignore | ||
| .gitmessage | ||
| .mailmap | ||
| .npmrc | ||
| .nvmrc | ||
| .prettierignore | ||
| .prettierrc | ||
| .pullapprove.yml | ||
| .yarnrc | ||
| browser-providers.conf.d.ts | ||
| browser-providers.conf.js | ||
| BUILD.bazel | ||
| CHANGELOG.md | ||
| CHANGELOG_ARCHIVE.md | ||
| CODE_OF_CONDUCT.md | ||
| CONTRIBUTING.md | ||
| gulpfile.js | ||
| karma-js.conf.js | ||
| LICENSE | ||
| package.json | ||
| packages.bzl | ||
| pnpm-lock.yaml | ||
| pnpm-workspace.yaml | ||
| README.md | ||
| renovate.json | ||
| SECURITY.md | ||
| tsconfig-tslint.json | ||
| tslint.json | ||
| WORKSPACE | ||
| yarn.bzl | ||
| yarn.lock | ||
Angular - The modern web developer's platform
Angular is a development platform for building mobile and desktop web applications
using TypeScript/JavaScript and other languages.
Contributing Guidelines
·
Submit an Issue
·
Blog
Documentation
Get started with Angular, learn the fundamentals and explore advanced topics on our documentation website.
Advanced
Local Development
To contribute to the Angular Docs, check out the Angular.dev README
Development Setup
Prerequisites
- Install Node.js which includes Node Package Manager
Setting Up a Project
Install the Angular CLI globally:
npm install -g @angular/cli
Create workspace:
ng new [PROJECT NAME]
Run the application:
cd [PROJECT NAME]
ng serve
Angular is cross-platform, fast, scalable, has incredible tooling, and is loved by millions.
Quickstart
Ecosystem
Changelog
Learn about the latest improvements.
Upgrading
Check out our upgrade guide to find out the best way to upgrade your project.
Contributing
Contributing Guidelines
Read through our contributing guidelines to learn about our submission process, coding rules, and more.
Want to Help?
Want to report a bug, contribute some code, or improve the documentation? Excellent! Read up on our guidelines for contributing and then check out one of our issues labeled as help wanted or good first issue.
Code of Conduct
Help us keep Angular open and inclusive. Please read and follow our Code of Conduct.
Community
Join the conversation and help the community.
- X (formerly Twitter)
- Bluesky
- Discord
- YouTube
- StackOverflow
- Find a Local Meetup
Love Angular? Give our repo a star ⭐ ⬆️.