mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
This commit implements a security fix to prevent XSS vulnerabilities where SVG animation elements (`<animate>`, `<set>`, etc.) could be used to modify the `href` or `xlink:href` attributes of other elements to `javascript:` URLs.

The fix introduces a runtime validation step:

- A new `ɵɵValidateAttribute` instruction is used when `attributeName` is bound on SVG animation elements.
- If executed, a `RuntimeError` is thrown, preventing the binding.
- The compiler now identifies `attributeName` on SVG animation elements as security-sensitive and injects this validation.

Additionally, the DOM security schema has been updated to include a comprehensive list of MathML and SVG elements that accept `href` or `xlink:href` attributes, ensuring they are correctly treated as `SecurityContext.URL` and sanitized. This prevents malicious URLs from being bound to these attributes.

http://b/463880509

| Name |
|---|
| model_inputs |
| output_function |
| r3_compiler_compliance |
| r3_view_compiler |
| r3_view_compiler_bindings |
| r3_view_compiler_control_flow |
| r3_view_compiler_deferred |
| r3_view_compiler_di/di |
| r3_view_compiler_directives |
| r3_view_compiler_i18n |
| r3_view_compiler_input_outputs |
| r3_view_compiler_let |
| r3_view_compiler_listener |
| r3_view_compiler_providers |
| r3_view_compiler_styling |
| r3_view_compiler_template |
| signal_inputs |
| signal_queries |
| source_mapping |
| BUILD.bazel |
| list_golden_update_rules.ts |
| test_case_schema.json |