Backport security 20.3.x #68926
Closed
alan-agius4 wants to merge 16 commits into angular:20.3.x from alan-agius4:backport-security-20.3.x
Conversation
…hema contexts Refactors the element security schema lookups and runtime attribute validation to consistently account for SVG and MathML namespaces. This improves the modularity and accuracy of security context mapping during template compilation and runtime constant evaluation, eliminating redundant or false-positive lifecycle checks.
…time i18n attribute validation Updates `DomElementSchemaRegistry` to strip `:svg:` and `:math:` namespace prefixes from tag names before querying `SECURITY_SCHEMA` at compile-time. This allows SVG and MathML attributes to correctly match their security contexts during compilation.
…ompilation Ensures that namespaced <script> elements (such as :svg:script) are correctly classified as PreparsedElementType.SCRIPT by the template preparser and stripped during compilation to prevent potential XSS vulnerabilities. Consequently, obsolete security schema mappings and runtime sanitization checks for <script> attributes have been removed since these elements are never present in compiled template outputs.
Removes the `should throw error on translated SVG script ResourceURL attributes` integration test from `security_integration_spec.ts`. This test is now obsolete because SVG `<script>` elements are stripped during template compilation (implemented in 90494cd). As a result, they are no longer present in the compiled template to trigger runtime sanitization, causing this test (which expected a sanitization error to be thrown) to fail.
… elements Dynamic bindings to `href` and `xlink:href` attributes on SVG `<a>` elements (`<svg:a>`) were previously unmapped in the DOM security schema. As a result, they bypassed sanitization completely, creating a potential XSS vulnerability if bound to untrusted user inputs (e.g., `javascript:` URLs). This fix mitigates this risk by:
1. Registering `href` and `xlink:href` on `<svg:a>` elements under the `SecurityContext.URL` context in both the compiler and core DOM security schemas.
2. Enabling template compilation to output runtime URL sanitization checks (`ɵɵsanitizeUrl`) on these attributes.
3. Adding regression and verification test cases to ensure dynamic SVG link bindings are safely sanitized at runtime while static values are correctly allowed.
…ntSchemaRegistry Custom XML/XHTML namespaced elements (e.g., <xhtml:a>) fall back to the standard HTML namespace during element creation at compile-time/runtime. However, their property and security context lookups inside the schema registry were incorrectly performed using the full namespaced tag name (e.g., :xhtml:a), which bypassed the default a|href sanitization registry and incorrectly returned SecurityContext.NONE instead of SecurityContext.URL. This commit introduces tag name normalization inside DomElementSchemaRegistry for custom namespaces (other than the built-in svg and math namespaces). Custom namespaced tag names are now normalized to their simple HTML element counterparts for all registry queries, ensuring that correct property schema validation and dynamic security sanitization rules (such as URL sanitization) are enforced at runtime.
…text lookup Normalize namespaced tag names (e.g., :xhtml:a to a) inside i18nResolveSanitizer before looking up their security context. This ensures custom namespaced tag attributes undergo correct translation sanitization at runtime.
…ity context lookup
Synchronizes the core's copy of the DOM security schema with the compiler-side schema definitions, and removes the write_source_file target.
Resolves missing definitions and JIT compiler errors in sanitization.ts.
Removes the unused import of extractSchema in dom_element_schema_registry_spec.ts.
Updates spec files to replace modern Eager change detection and remove obsolete ins[cite] expectations.
Removes the obsolete blockquote[cite] sanitization expectations in host_binding_spec.ts.
To enhance application security and prevent accidental or malicious script execution, this change ensures that dynamically mounting a component via createComponent directly onto a <script> element throws a runtime error in development mode. SVG <script> elements are also rejected. The error message is designed to be fully tree-shakable under production builds where ngDevMode is disabled.
3133ec5 to 117b0eb
Synchronizes the golden symbols for router bundling and updates the host bindings sanitization integration test to use a[href] instead of blockquote[cite].
5ad8cc1 to bcd8add
… DOM schema Removes the legacy profile property/attribute from the directives hostBindings specs to align with modern DOM security schema changes. Also cleans up minor redundant formatting lines in the compiler and core targets.
bcd8add to 7c5837f
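The mechanism the commit messages above describe (normalizing namespaced tag names such as `:svg:a` and `:xhtml:a` before the security-schema lookup, routing `SecurityContext.URL` bindings through a URL sanitizer, and treating `:svg:script` as a script element), as an added example in TypeScript. This is not Angular's code: the schema subset, the `normalizeTagName`, `lookupSecurityContext`, `bindAttribute`, `isScriptTag` and `assertNotScriptHost` functions, and the `SAFE_URL_PATTERN` regex are this example's own approximations of the behaviour the commits describe, not the project's implementation.

```typescript
// Added example, not Angular's source. A minimal model of a DOM element
// security schema keyed on "tag|attribute", showing why namespaced tag names
// (':svg:a', ':xhtml:a') must be normalized before the lookup and how a
// URL-context binding is routed through a URL sanitizer.

enum SecurityContext { NONE = 0, HTML = 1, STYLE = 2, SCRIPT = 3, URL = 4, RESOURCE_URL = 5 }

// Hypothetical schema subset (the real table is larger). Keys use the plain
// HTML tag name; there is no ':svg:a|href' entry, which is the gap the
// legacy lookup below falls into.
const SECURITY_SCHEMA: { [key: string]: SecurityContext } = {
  'a|href': SecurityContext.URL,
  'a|xlink:href': SecurityContext.URL, // assumed entry modelling the svg:a fix
  'img|src': SecurityContext.URL,
  'iframe|src': SecurityContext.RESOURCE_URL,
};

// Namespaced tag names arrive as ':svg:a', ':math:mi', ':xhtml:a'. Strip the
// ':ns:' prefix so the lookup uses the element's plain name. Built-in (svg,
// math) and custom (xhtml, ...) namespaces are treated alike in this model.
function normalizeTagName(tagName: string): string {
  const m = /^:[^:]+:(.+)$/.exec(tagName);
  return m ? m[1] : tagName;
}

function schemaLookup(key: string): SecurityContext {
  return Object.prototype.hasOwnProperty.call(SECURITY_SCHEMA, key)
    ? SECURITY_SCHEMA[key]
    : SecurityContext.NONE;
}

// Pre-fix behaviour: the full namespaced name is used, so ':svg:a|href' misses
// the 'a|href' entry and silently degrades to NONE (no sanitization at all).
function lookupSecurityContextLegacy(tagName: string, propName: string): SecurityContext {
  return schemaLookup(`${tagName}|${propName}`);
}

// Post-fix behaviour: normalize first, then look up.
function lookupSecurityContext(tagName: string, propName: string): SecurityContext {
  return schemaLookup(`${normalizeTagName(tagName)}|${propName}`);
}

// Approximation of a URL sanitizer (assumed, not Angular's exact code): accept
// a scheme that is not javascript:, or a scheme-less relative reference;
// anything else is neutralized by prefixing 'unsafe:'.
const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:\/?#]*(?:[\/?#]|$))/i;

function sanitizeUrl(url: string): string {
  const value = String(url).trim();
  return SAFE_URL_PATTERN.test(value) ? value : 'unsafe:' + value;
}

// Runtime binding: route the value through the sanitizer its context requires.
// RESOURCE_URL, SCRIPT, HTML and STYLE have no string sanitizer in this model
// and are refused for untrusted input.
function bindAttribute(tagName: string, attrName: string, value: string): string {
  switch (lookupSecurityContext(tagName, attrName)) {
    case SecurityContext.NONE:
      return value;
    case SecurityContext.URL:
      return sanitizeUrl(value);
    default:
      throw new Error(`unsafe binding to ${tagName}[${attrName}]: value requires a trusted type`);
  }
}

// Preparser / createComponent host check: a <script> in any namespace
// (':svg:script' included) is still a script element.
function isScriptTag(tagName: string): boolean {
  return normalizeTagName(tagName).toLowerCase() === 'script';
}

function assertNotScriptHost(tagName: string): void {
  if (isScriptTag(tagName)) {
    throw new Error(`cannot mount a component onto <${tagName}>`);
  }
}
```

The legacy lookup returning `NONE` rather than failing is the dangerous part: a miss in the schema table is indistinguishable from "no sanitization needed", so a value like `javascript:alert(1)` reaches the DOM untouched. Normalizing the tag name before the lookup closes that gap for both built-in and custom namespaces.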
AndrewKushnir approved these changes May 27, 2026
Contributor, Author: caretaker note please ignore mergeability check
Member: This PR was merged into the repository. The changes were merged into the following branches:
alxhub pushed the commits above, each referencing this pull request (PR Close #68926), May 27, 2026.
This pull request has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
No description provided.