angular/packages/core/test/acceptance
Alan Agius d1ca8ae043 fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs
This commit implements a security fix to prevent XSS vulnerabilities where SVG animation elements (`<animate>`, `<set>`, etc.) could be used to modify the `href` or `xlink:href` attributes of other elements to `javascript:` URLs.

The fix introduces a runtime validation step:
- A new `ɵɵValidateAttribute` instruction is used when `attributeName` is bound on SVG animation elements.
- If executed, a `RuntimeError` is thrown, preventing the binding.
- The compiler now identifies `attributeName` on SVG animation elements as security-sensitive and injects this validation.

Additionally, the DOM security schema has been updated to include a comprehensive list of MathML and SVG elements that accept `href` or `xlink:href` attributes, ensuring they are correctly treated as `SecurityContext.URL` and sanitized. This prevents malicious URLs from being bound to these attributes.

http://b/463880509
2025-12-01 10:29:30 +01:00
authoring fix(core): Fixes animations in conjunction with content projection (#63776) 2025-10-02 16:56:01 +00:00
selectorless build: rename defaults2.bzl to defaults.bzl (#63384) 2025-08-25 15:45:46 -07:00
after_render_effect_spec.ts fix(core): destroying the effect on afterRenderEffect (#63001) 2025-08-08 08:46:46 -07:00
after_render_hook_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
animation_spec.ts fix(core): skip leave animations on view swaps 2025-11-06 09:46:52 -08:00
attach_source_locations_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
attributes_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
bootstrap_spec.ts refactor(platform-browser): replace platform-browser-dynamic with platform-browser (#61498) 2025-05-21 14:01:49 +00:00
BUILD.bazel refactor(core): move profile_types.ts to primitives 2025-11-06 22:22:37 +00:00
change_detection_signals_in_zones_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
change_detection_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
change_detection_transplanted_view_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
chrome_dev_tools_performance_spec.ts Revert "refactor(core): let the profiler handle asymmetric events leniently" 2025-11-17 18:10:40 +00:00
common_integration_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
component_spec.ts refactor(compiler-cli): Add a diagnostic to detect forbidden invocations of required initializers (#63614) 2025-09-15 19:34:32 +00:00
content_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
control_flow_for_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
control_flow_if_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
control_flow_switch_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
copy_definition_feature_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
create_component_spec.ts fix(core): InputBinding marks component as dirty. (#62613) 2025-07-14 15:46:29 -07:00
csp_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
defer_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
defer_utils_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
destroy_ref_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
di_forward_ref_spec.ts refactor(core): include DI path into cyclic dependency error message (#50902) 2025-07-10 10:35:12 -07:00
di_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
directive_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
discover_utils_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
embedded_views_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
env_injector_standalone_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
environment_injector_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
exports_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
hmr_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
host_binding_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
host_directives_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
i18n_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
inherit_definition_feature_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
injector_profiler_spec.ts build: migrate all ts_library in packages/core/test (#61472) 2025-05-20 10:00:43 +00:00
integration_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
internal_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
let_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
lifecycle_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
listener_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
local_compilation_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
ng_module_spec.ts refactor(platform-browser): replace platform-browser-dynamic with platform-browser (#61498) 2025-05-21 14:01:49 +00:00
ngmodule_scope_spec.ts refactor(platform-browser): replace platform-browser-dynamic with platform-browser (#61498) 2025-05-21 14:01:49 +00:00
outputs_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
pending_tasks_spec.ts fix(core): release hasPendingTasks observers (#59723) 2025-04-02 18:26:06 +00:00
pipe_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
profiler_spec.ts Revert "fix(core): notify profiler events in case of errors" 2025-11-17 18:10:40 +00:00
property_binding_spec.ts fix(core): do not rename ARIA property bindings to attributes (#64089) 2025-09-25 14:51:13 -04:00
property_interpolation_spec.ts refactor(core): replace propertyInterpolateX with property (#61639) 2025-05-26 09:21:23 +00:00
providers_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
pure_function_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
query_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
renderer_factory_spec.ts refactor(platform-browser): remove unused Platform ID dependency from DomRendererFactory2 2025-11-06 20:00:49 +00:00
router_integration_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
security_spec.ts fix(compiler): prevent XSS via SVG animation attributeName and MathML/SVG URLs 2025-12-01 10:29:30 +01:00
signal_debug_spec.ts fix(core): properly handle the case where getSignalGraph is called on a componentless NodeInjector (#60772) 2025-06-04 12:16:47 -04:00
standalone_injector_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
standalone_spec.ts feat(compiler): support the in keyword in Binary expression (#58432) 2025-04-22 21:44:12 +02:00
styling_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
template_ref_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
text_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00
tracing_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
view_container_ref_spec.ts fix(core): update animation scheduling (#64441) 2025-10-16 17:35:51 +00:00
view_insertion_spec.ts refactor(core): Update tests for zoneless by default (#63672) 2025-09-09 15:07:24 -07:00
view_ref_spec.ts refactor(core): convert scripts within packages/core/test to relative imports (#60227) 2025-03-25 10:58:00 -07:00