angular/packages
Alan Agius 7c42e2ebeb fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
This commit implements a security fix to prevent XSS vulnerabilities where SVG animation elements (`<animate>`, `<set>`, etc.) could be used to modify the `href` or `xlink:href` attributes of other elements to `javascript:` URLs.

The fix introduces a runtime validation step:
- A new `ɵɵValidateAttribute` instruction is used when `attributeName` is bound on SVG animation elements.
- If executed, a `RuntimeError` is thrown, preventing the binding.
- The compiler now identifies `attributeName` on SVG animation elements as security-sensitive and injects this validation.

Additionally, the DOM security schema has been updated to include a comprehensive list of MathML and SVG elements that accept `href` or `xlink:href` attributes, ensuring they are correctly treated as `SecurityContext.URL` and sanitized. This prevents malicious URLs from being bound to these attributes.

http://b/463880509
2025-12-01 10:28:38 +01:00
animations build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00
bazel build: update common's locales to use rules_js (#61630) 2025-05-26 10:18:48 +00:00
benchpress build: migrate benchpress to use rules_js (#61486) 2025-05-20 08:44:55 +00:00
common fix(http): prevent XSRF token leakage to protocol-relative URLs 2025-11-25 13:57:28 -05:00
compiler fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs 2025-12-01 10:28:38 +01:00
compiler-cli fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs 2025-12-01 10:28:38 +01:00
core fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs 2025-12-01 10:28:38 +01:00
docs/di docs: remove outdated/unsupported webworker doc (#49856) 2023-04-17 14:01:41 +00:00
elements build: remove irrelevant madge circular deps tests (#61209) 2025-05-08 09:23:47 -07:00
examples build: migrate examples to use rules_js (#61652) 2025-05-26 11:01:31 +00:00
forms build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00
language-service refactor: ensure tsurge migrations have clear ownership of files (#61421) (#61612) 2025-05-22 11:43:48 -07:00
localize build: exclude esbuild metadata files from distributable packages (#61636) 2025-05-26 08:57:43 +00:00
misc/angular-in-memory-web-api build: migrate angular-in-memory-web-api to use rules_js (#61524) 2025-05-20 16:53:21 +00:00
platform-browser fix(core): introduce BootstrapContext for improved server bootstrapping (#63639) 2025-09-09 10:56:38 -07:00
platform-browser-dynamic build: migrate platform-browser and platform-browser-dynamic package to use rules_js (#61624) 2025-05-22 15:32:58 -07:00
platform-server fix(core): introduce BootstrapContext for improved server bootstrapping (#63639) 2025-09-09 10:56:38 -07:00
private/testing build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00
router build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00
service-worker build: exclude esbuild metadata files from distributable packages (#61636) 2025-05-26 08:57:43 +00:00
ssr refactor(core): add REQUEST, RESPONSE_INIT and REQUEST_CONTEXT tokens (#58669) 2024-11-14 14:21:21 -08:00
upgrade build: migrate upgrade to use ng_project instead of ng_module (#61320) 2025-05-14 09:34:29 -07:00
zone.js release: cut the zone.js-0.15.1 release (#61632) 2025-05-22 14:53:18 -07:00
BUILD.bazel build: use common macro to define tsconfig for service worker (#61341) 2025-05-14 10:43:26 -07:00
circular-deps-test.conf.js build: remove circular deps goldens (#60021) 2025-02-19 21:01:32 +00:00
empty.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
goog.d.ts refactor: update license text to point to angular.dev (#57901) 2024-09-24 15:33:00 +02:00
license-banner.txt docs: update license year (#59883) 2025-03-04 19:36:48 +00:00
package.json build: prepare for compiler-cli to be using ts_project (#61237) 2025-05-09 16:01:49 +00:00
README.md docs: fix links to docs (#57391) 2024-08-19 09:20:15 -07:00
system.d.ts refactor: update packages/core:{core,src} to ts_project (#61336) 2025-05-14 08:31:33 -07:00
tsconfig-build.json build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00
tsconfig-legacy-saucelabs.json feat(core): support TypeScript 5.5 (#56096) 2024-05-29 15:33:33 +02:00
tsconfig-test.json
tsconfig-tsec-base.json refactor(core): throw an error when hydration marker is missing from DOM (#51170) 2023-08-04 11:31:49 -04:00
tsconfig.json refactor: update packages/core:{core,src} to ts_project (#61336) 2025-05-14 08:31:33 -07:00
tsec-exemption.json
types.d.ts build: move private testing helpers outside platform-browser/testing (#61571) 2025-05-21 16:04:42 +00:00

Angular

The sources for this package are in the main Angular repo. Please file issues and pull requests against that repo.

Usage information and reference details can be found in the Angular documentation.

License: MIT