angular/packages/platform-server/test
Alan Agius ede7c58a2a fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs
The `parseUrl` function in `ServerPlatformLocation` uses `new URL(urlStr, origin)` to parse incoming request URLs during SSR. Per the WHATWG URL specification, protocol-relative URLs (`//evil.com`) and backslash-prefixed URLs (`/\evil.com`) can override the hostname component of the base URL.

This vulnerability typically manifests in SSR setups (e.g., Express) where `req.url` is passed directly to `renderApplication` or `renderModule`:

```typescript
// Example usage in an Express server handling: http://localhost:4000//evil.com
app.get('*', async (req, res) => {
  const html = await renderApplication(bootstrap, {
    document: template,
    url: req.url, // req.url is "//evil.com"
  });
  res.send(html);
});
```
2026-04-15 10:23:52 -04:00
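The two inputs the commit message names are instances of a more general WHATWG rule: once the parser reaches the "special authority ignore slashes" state, any run of `/` and `\` is skipped and what follows becomes the authority, so `\\evil.com` and `///evil.com` escape the base origin in the same way as `//evil.com` and `/\evil.com`. The TypeScript below is an added example, not Angular's code and not the fix in this commit: it mirrors the `new URL(urlStr, origin)` call from `parseUrl` on constructed sample paths, shows why a `startsWith('/')` style check does not help, and adds one assumed hardening, an origin comparison after parsing. `naiveLooksLikePath`, `resolvedHost`, `parseRequestUrlStrict` and `isSafeRequestUrl` are hypothetical helper names; `http://localhost:4000` is the origin used in the commit message.

```typescript
// Added example (not Angular's code, not this commit's fix): how the WHATWG
// URL parser resolves request paths against the SSR origin, and a check that
// rejects anything that resolved to a different origin.

// The naive check many servers rely on: "it starts with '/', so it is a path".
// This accepts "//evil.com" and "/\evil.com", which is exactly the problem.
function naiveLooksLikePath(urlStr: string): boolean {
  return urlStr.charAt(0) === '/';
}

// Mirrors the parse described in the commit message, `new URL(urlStr, origin)`,
// and returns the host the parser actually selected.
function resolvedHost(urlStr: string, origin: string): string {
  return new URL(urlStr, origin).host;
}

// Assumed hardening (hypothetical helper, not the project's implementation):
// parse against the server origin, then require that the result is still on
// that origin. This covers "//host", "/\host", "\\host" and "///host" alike,
// since all of them change `origin` after parsing, without enumerating prefixes.
function parseRequestUrlStrict(urlStr: string, origin: string): URL {
  const base = new URL(origin);
  const parsed = new URL(urlStr, base);
  if (parsed.origin !== base.origin) {
    throw new Error(
      `request URL ${JSON.stringify(urlStr)} resolved to ${parsed.origin}, expected ${base.origin}`,
    );
  }
  return parsed;
}

// Boolean form for use at the HTTP boundary (reject with 400 on false).
function isSafeRequestUrl(urlStr: string, origin: string): boolean {
  try {
    parseRequestUrlStrict(urlStr, origin);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs; the origin is the one used in the commit message.
const SERVER_ORIGIN = 'http://localhost:4000';
const SAMPLE_REQUEST_URLS = [
  '/',
  '/api/users?id=1',
  '//evil.com',
  '/\\evil.com',
  '\\\\evil.com',
  '///evil.com/path',
];

for (const u of SAMPLE_REQUEST_URLS) {
  console.log(
    `${JSON.stringify(u)} startsWith('/')=${naiveLooksLikePath(u)}` +
      ` host=${resolvedHost(u, SERVER_ORIGIN)} safe=${isSafeRequestUrl(u, SERVER_ORIGIN)}`,
  );
}
```

In an Express handler like the one in the commit message, `isSafeRequestUrl(req.url, SERVER_ORIGIN)` would run before `req.url` is handed to `renderApplication` or `renderModule`; the origin comparison is deliberately independent of the input's spelling, so it does not need updating when a new slash-or-backslash variant turns up.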
| File | Last commit | Date |
|---|---|---|
| BUILD.bazel | build: consolidate domino bundling in platform-server | 2026-03-25 13:31:05 -07:00 |
| dom_utils.ts | fix(core): Ensure application remains unstable during bootstrap (#62631) | 2025-07-15 07:52:36 -07:00 |
| event_replay_spec.ts | feat(platform-browser): make incremental hydration default behavior | 2026-04-09 18:53:13 +03:00 |
| full_app_hydration_spec.ts | feat(platform-browser): make incremental hydration default behavior | 2026-04-09 18:53:13 +03:00 |
| hydration_utils.ts | feat(core): introduce BootstrapContext for improved server bootstrapping (#63562) | 2025-09-09 10:57:09 -07:00 |
| incremental_hydration_spec.ts | feat(platform-browser): make incremental hydration default behavior | 2026-04-09 18:53:13 +03:00 |
| integration_spec.ts | refactor(platform-server): split zone/zoneless tests. | 2026-02-13 09:41:10 -08:00 |
| platform_location_spec.ts | fix(platform-server): prevent SSRF bypasses via protocol-relative and backslash URLs | 2026-04-15 10:23:52 -04:00 |
| render_spec.ts | refactor: clean up explicit standalone flags from tests (#63963) | 2025-09-22 14:27:34 +00:00 |
| transfer_state_spec.ts | fix(core): escape forward slashes in transfer state to prevent crawler indexing | 2026-04-13 13:54:55 +03:00 |