[19.2.x] Cherry-pick security and bug fixes#68939
Merged
alxhub merged 3 commits intoMay 27, 2026
angular:19.2.xangular/angular:19.2.xfrom
alan-agius4:cherry-pick-to-19.2.xalan-agius4/angular:cherry-pick-to-19.2.xCopy head branch name to clipboard
Merged
[19.2.x] Cherry-pick security and bug fixes#68939alxhub merged 3 commits intoangular:19.2.xangular/angular:19.2.xfrom alan-agius4:cherry-pick-to-19.2.xalan-agius4/angular:cherry-pick-to-19.2.xCopy head branch name to clipboard
alxhub merged 3 commits into
angular:19.2.xangular/angular:19.2.xfrom
alan-agius4:cherry-pick-to-19.2.xalan-agius4/angular:cherry-pick-to-19.2.xCopy head branch name to clipboard
Conversation
3762052 to
7dab3e3
Compare
JeanMeche
approved these changes
May 27, 2026
64ead5b to
d31f841
Compare
32426f1 to
16ac73d
Compare
16ac73d to
d31f841
Compare
This reverts commit 4747fe2.
bdf155a to
aecaa96
Compare
…g tag check This ensures that when rootElement is undefined no error occures.
6061c09 to
74c4a8b
Compare
74c4a8b to
2413202
Compare
…inst SSRF and path hijack Normalizes the URL and path parsing logic inside platform-server by consolidating security checks and normalizations into a single, unified parseUrl helper function. This includes: - Collapsing multiple consecutive leading slashes and backslashes (e.g., // or /\) to a single forward slash to avoid protocol-relative parsing of path-like & relative inputs. - Rejecting malformed absolute URLs that are otherwise accepted by lenient DOM parsers like Domino but rejected by standard WHATWG parsers, preventing SSRF / allowedHosts validation bypasses. - Ensuring parseDocument gets the fully parsed and normalized URL instead of raw, unvalidated configuration values, preventing virtual document hostname adoption/origin hijack. - Moving parseUrl unit tests into a dedicated url_spec.ts test file to keep platform_location_spec.ts clean and decoupled.
Contributor
Author
|
caretaker note kindly ignore the pending mergeability tests. |
Member
|
This PR was merged into the repository. The changes were merged into the following branches:
|
|
This pull request has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR backports a batch of security and critical bug & security fixes to the
19.2.xbranch:All golden symbols files have been regenerated and verified, and all conflicts have been resolved cleanly to align with the core architectures of the
19.2.xbranch.