Commit Graph

3211 Commits

Author SHA1 Message Date
Joey Perrott 3dd42cea68 refactor(misc): remove usages of whitelist and blacklist
Remove miscellaneous usages and references to usages of whitelist and blacklist
throughout the repository.
2020-09-30 18:46:45 +01:00
Joey Perrott 767381020d refactor(SanitizeUriProvider): remove usages of whitelist
Changes aHrefSanitizationWhitelist to aHrefSanitizationTrustedUri and imgSrcSanitizationWhitelist
to imgSrcSanitizationTrustedUri updating references to use the new symbols.

For the purposes of backward compatibility, the previous symbols are aliased to
the new symbols.
2020-09-30 18:46:45 +01:00
Joey Perrott c953af6b8c refactor(httpProvider): remove usages of whitelist and blacklist
Changes xsrfWhitelistedOrigins to xsrfTrustedOrigins updating references to use
this new symbol.

For the purposes of backward compatibility, the previous symbol is aliased to
the new symbol.
2020-09-30 18:46:45 +01:00
Joey Perrott a206e2675c refactor(sceDelegateProvider): remove usages of whitelist and blacklist
Changes resourceUrlWhitelist to trustedResourceUrlList and resourceUrlBlacklist
to bannedResourceUrlList, updating references to use this new symbol.

For the purposes of backward compatibility, the previous symbols are aliased to
their new symbol.
2020-09-30 18:46:45 +01:00
Michał Gołębiowski-Owczarek 2df43c0777 fix(jqLite): prevent possible XSS due to regex-based HTML replacement
This also splits the wrapping logic to one for modern browsers & one for IE 9
as IE 9 has restrictions that make it impossible to make it as secure.
2020-05-26 18:58:01 +02:00
Krzysztof Kotowicz 2518966153 fix(grunt-utils): insert the core CSS styles without using innerHTML
Create style elements and modify their text content instead of using
innerHTML to create the whole `<style>` element with its content.
That way style insertion done at bootstrap time doesn't interfere with
Trusted Types restrictions in Chrome (https://bit.ly/trusted-types).

Remove the type attribute - `text/css` is default:
https://html.spec.whatwg.org/#update-a-style-block.

Closes #17014
2020-05-25 11:17:53 +03:00
Pete Bacon Darwin 974700af7c test(*): fix up some tests for Firefox 2020-05-22 18:09:15 +01:00
Pete Bacon Darwin c4b79d59b4 chore(*): update protractor to latest version 2020-05-22 18:09:07 +01:00
comet 2b28c540ad docs(*): fix spelling errors
Closes #16942
2020-02-02 11:28:55 +02:00
Pete Bacon Darwin add78e6200 fix(angular.merge): do not merge __proto__ property
By blocking `__proto__` on deep merging, this commit
prevents the `Object` prototype from being polluted.
2019-11-07 15:39:21 +00:00
George Kalpakas 10d1b19737 fix(ngStyle): correctly remove old style when new style value is invalid
Since d6098eeb1, old styles were not removed if `newStyles` specified an
invalid value for the style (e.g. `false`). The assumption was that the
new style would overwrite the old style value, but using an invalid
value made browsers ignore the new value and thus keep the old style.
This would typically happen when guarding a style with a boolean flag;
e.g.: `ng-style="{backgroundColor: isError && 'red'}"`

This commit essentially reverts commit d6098eeb1, whose main purpose was
to work around jquery/jquery#4185. The jQuery issue has been fixed in
3.4.0, so that should not be a problem any more.

Fixes #16860

Closes #16868
2019-05-09 21:24:02 +03:00
Martin Staffa 6959bc297f fix(required): correctly validate required on non-input element surrounded by ngIf
Closes #16830
Closes #16836
2019-03-06 18:08:05 +01:00
Martin Staffa 005dd97255 fix(ngRequired): set error correctly when inside ngRepeat and false by default
Previously, in the required validator, we would read the required setting directly
from attr.required, where it is set by ngRequired.

However, when the control is inside ngRepeat, ngRequired sets it only after another digest has
passed, which means the initial validation run of ngModel does not include the correct required
setting. (Before commit 0637a2124c this would not have been a problem,
as every observed value change triggered a validation).

We now use the initially parsed value from ngRequired in the validator.

Fixes #16814
Closes #16820
2019-01-26 11:31:25 +01:00
Jason Bedard 8b973e04ca fix($compile): fix ng-prop-* with undefined values
Fixes #16797
Closes #16798
2019-01-10 18:37:21 -08:00
George Kalpakas 915939396a test(ngHref): only run Edge-specific test on relevant Edge versions 2019-01-10 21:38:41 +02:00
Pete Bacon Darwin 9ae51d751b test(ngAnimate): ensure that blockTransitions can be spied upon
Previously the test was assuming that this function was attached to
the window, which is not the case in production, nor in the isolated
module tests.
2018-12-11 15:40:15 +00:00
Pete Bacon Darwin 04ae4e5b47 test(*): isolate cache leaks from subsequent tests 2018-12-10 16:57:20 +00:00
Michał Gołębiowski-Owczarek e7e8dad3b3 test(ngSanitize): disable a failing Edge test in all versions, including 18
It's been only disabled on Edge 16/17 so far which made it fail in Edge 18.

Closes #16786
2018-12-09 03:23:09 +01:00
Michał Gołębiowski-Owczarek 09f013ae92 fix(compile): properly handle false value for boolean attrs with jQuery
jQuery skips special boolean attrs treatment in XML nodes for historical reasons
and hence AngularJS cannot freely call `.attr(attrName, false)` with such
attributes. To avoid issues in XHTML, call `removeAttr` in such cases instead.

Ref jquery/jquery#4249
Fixes #16778
Closes #16779
2018-12-06 10:07:55 +01:00
Jason Bedard 3ea8c2b880 fix(ngRepeat): fix trackBy function being invoked with incorrect scope
Also fixes a leak of that scope across all further instances of the
repeated element.

Fixes #16776
Closes #16777
2018-12-05 19:40:01 -08:00
Martin Staffa 0637a2124c perf(input): prevent multiple validations on initialization
This commit updates in-built validators with observers to prevent
multiple calls to $validate that could happen on initial linking of the directives in
certain circumstances:

- when an input is wrapped in a transclude: element directive (e.g. ngRepeat),
the order of execution between ngModel and the input / validation directives changes so that
the initial observer call happens when ngModel has already been initialized,
leading to another call to $validate, which calls *all* defined validators again.
Without ngRepeat, ngModel hasn't been initialized yet, and $validate does not call the validators.

When using validators with scope expressions, the expression value is not available when
ngModel first runs the validators (e.g. ngMinlength="myMinlength"). Only in the first call to
the observer does the value become available, making a call to $validate a necessity.

This commit solves the first problem by storing the validation attribute value so we can compare
the current value and the observed value - which will be the same after compilation.

The second problem is solved by parsing the validation expression once in the link function,
so the value is available when ngModel first validates.

Closes #14691 
Closes #16760
2018-12-05 14:06:43 +01:00
Eirik Blakstad 0cdff42737 fix(aria/ngClick): check if element is contenteditable before blocking spacebar
`ngAria`'s `ngClick` blocks spacebar keypresses on non-blacklisted
elements, which is an issue when the element is `contenteditable`.

Closes #16762
2018-12-02 13:15:39 +02:00
Jason Bedard 4a3ae43407 fix($browser): normalize inputted URLs
Calls to `$browser.url` now normalize the inputted URL ensuring multiple
calls only differing in formatting do not force a browser `pushState`.

Normalization is done the same as the browser location URL and may
differ per browser and may be changed by browsers. Today no browsers
fully normalize URLs so this does not fix all instances of this issue.

See #16100
Closes #16606
2018-11-21 15:08:42 -08:00
Jason Bedard dc90cbf6db test($browser): update MockWindow to normalize URLs similar to real window.location 2018-11-21 15:08:42 -08:00
Pete Bacon Darwin 622d32e805 fix(interpolate): do not create directives for constant media URL attributes
By creating attribute directives that watch the value of
media url attributes (e.g. `img[src]`) we caused a conflict
when both `src` and `data-src` were appearing on the
same element. As each directive was trying to write to the
attributes on the element, where AngularJS treats `src` and
`data-src` as synonymous.

This commit ensures that we do not create such directives
when the media url attribute is a constant (no interpolation).

Because of this (and because we no longer sanitize URLs in the
`$attr.$set()` method), this commit also updates `ngHref` and
`ngSrc` to do a preliminary sanitization of URLs in case there
is no interpolation in the attribute value.

Fixes #16734
2018-11-20 14:10:03 +00:00
Alejandro López 318e6ceea3 test(e2e): replace the deprecated browser.getLocationAbsUrl() with browser.getCurrentUrl()
According to angular/protractor#3969, `browser.getLocationAbsUrl()` is
now deprecated and `browser.getCurrentUrl()` should be used instead.

Closes #16053
2018-11-15 17:13:18 +02:00
George Kalpakas 736e299ef3 test(ngOn*): add tests for binding to camelCased event names
Closes #16757
2018-11-12 13:15:57 +02:00
George Kalpakas 06d154f91c test($compile): fix incorrect markup in tests 2018-11-12 13:15:51 +02:00
Jason Bedard 6e3bbfc744 fix(input): prevent browsers from autofilling hidden inputs
Autofilling with previous values (which will then be `$interpolate`ed) could lead to XSS or errors
2018-10-31 11:19:54 -07:00
Michał Gołębiowski-Owczarek b4e409bf6c fix(urlUtils): make IPv6 URL's hostname wrapped in square brackets in IE/Edge
IE 9-11 and Edge 16-17 (fixed in 18 Preview) incorrectly don't wrap IPv6
addresses' hostnames in square brackets when parsed out of an anchor element.

Fixes #16692
Closes #16715
2018-10-18 11:45:09 +02:00
George Kalpakas 3e380325d8 fix(ngAnimateSwap): make it compatible with ngIf on the same element
Previously, both `ngAnimateSwap` and `ngIf` had a priority of 600, which
meant that (while both are [terminal directives][1]) they were executed
on top of each other (essentially messing each other's comment node).

This commit fixes it, by giving `ngAnimateSwap` a priority of 550, which
is lower than `ngIf` but still higher than other directives.

For reference, here is a list of built-in directive per priority:

```
-400: ngInclude, ngView
  -1: ngRef
   1: ngMessage, ngMessageDefault, ngMessageExp, ngModel, select
  10: ngModelOptions
  99: ngHref, ngSrc, ngSrcset
 100: attr interpolation, ngChecked, ngDisabled, ngList, ngMax,
      ngMaxlength, ngMin, ngMinlength, ngModel (aria), ngMultiple,
      ngOpen, ngPattern, ngProp*, ngReadonly, ngRequired, ngSelected,
      ngStep, ngValue, option
 400: ngInclude, ngView
 450: ngInit
 500: ngController
 600: ngAnimateSwap, ngIf
1000: ngNonBindable, ngRepeat
1200: ngSwitchDefault, ngSwitchWhen
```

[1]: https://docs.angularjs.org/api/ng/service/$compile#-terminal-

Fixes #16616

Closes #16729
2018-10-15 23:18:59 +03:00
George Kalpakas fd28edfc50 refactor(ngAnimateSwap): remove unnecessary inject() from tests 2018-10-15 23:18:47 +03:00
Martin Staffa 393072081c test(modules): properly isolate module tests
Closes #16712
2018-10-15 15:10:10 +02:00
itchyny bb5a7e39ba fix(ngStyle): skip setting empty value when new style has the property
Previously, all the properties in oldStyles are set to empty value once.
Using AngularJS with jQuery 3.3.1, this disables the CSS transition as
reported in jquery/jquery#4185.

Closes #16709
2018-10-04 16:46:41 +02:00
George Kalpakas 26ddc5f830 fix(ngClass): do not break on invalid values
Previously, when an `ngClass` expression evaluated to something that was
not a string, array or object (and was truthy), an error would be thrown
while trying to call `.split()` on a non-string value. This error was
not very helpful for the user to identify the root cause of the problem.

This commit fixes it by ensuring such values are converted to string.

Fixes #16697

Closes #16699
2018-09-20 12:02:19 +03:00
Martin Staffa 8082d5eae0 fix(ngAria.ngClick): preventDefault on space/enter only on non-interactive elements
Fixes #16664
Closes #16680
2018-09-06 15:53:33 +02:00
Martin Staffa 44cc823092 fix(ngAnimate): remove prepare classes with multiple structural animations
Closes #16681
Closes #16677
2018-09-06 09:47:12 +02:00
George Kalpakas 506fe73a4a test(ngMocks): use correct method name in $httpBackend test 2018-08-25 23:38:41 +03:00
Susisu 510404e5b3 fix($route): correctly extract path params if path contains question mark or hash
The `routeToRegExp()` function, introduced by 840b5f0, could not extract
path params if the path contained question mark or hash. Although these
characters would normally be encoded in the path, they are decoded by
`$location.path()`, before being passed to the RegExp returned by
`routeToRegExp()`.

`routeToRegExp()` has to be able to deal with both encoded URL and
decoded path, because it is being shared between `ngRoute` and
`ngMocks`.

This commit fixes the issue, by introducing an `isUrl` option that
allows creating an appropriate RegExp for each usecase.
2018-08-25 23:38:40 +03:00
Martin Staffa 837e519acc fix(ngHref): allow numbers and other objects in interpolation
Interpolated content in ngHref must be stringified before being passed to $$sanitizeUri by $sce. Before 1.7.x, the sanitization had happened on the already interpolated value inside $compile.

Closes #16652
Fixes #16626
2018-08-20 20:04:28 +02:00
Martin Staffa 79ca0f1e91 fix(select): allow to select first option with value undefined
Previously, the value observer incorrectly assumed a value had changed even if
it was the first time it was set, which caused it to remove an option with
the value `undefined` from the internal option map.

Fixes #16653
Closes #16656
2018-08-06 12:47:43 +02:00
Jason Bedard dedb10c0b8 feat($compile): add support for arbitrary DOM property and event bindings
Properties:

Previously only arbitrary DOM attribute bindings were supported via interpolation such as
`my-attribute="{{expression}}"` or `ng-attr-my-attribute="{{expression}}"`, and only a set of
distinct properties could be bound. `ng-prop-*` adds support for binding expressions to any DOM
properties. For example `ng-prop-foo="x"` will assign the value of the expression `x` to the
`foo` property, and re-assign whenever the expression `x` changes.

Events:

Previously only a distinct set of DOM events could be bound using directives such as `ng-click`,
`ng-blur` etc. `ng-on-*` adds support for binding expressions to any DOM event. For example
`ng-on-bar="barOccured($event)"` will add a listener to the "bar" event and invoke the
`barOccured($event)` expression.

Since HTML attributes are case-insensitive, property and event names are specified in snake_case
for `ng-prop-*` and `ng-on-*`. For example, to bind property `fooBar` use `ng-prop-foo_bar`, to
listen to event `fooBar` use `ng-on-foo_bar`.

Fixes #16428
Fixes #16235
Closes #16614
2018-08-01 17:50:25 -07:00
Georgii Dolzhykov ebeb1c9491 fix(ngMock): pass failed HTTP expectations to $exceptionHandler
This was only partially fixed in f18dd2957.

Closes #16644
2018-07-31 14:35:39 +03:00
George Kalpakas 864c7f00c4 fix($location): avoid unnecessary $locationChange* events due to empty hash
Fixes #16632

Closes #16636
2018-07-30 23:36:31 +03:00
George Kalpakas 2907798ca5 test($location): add assertion 2018-07-30 23:36:12 +03:00
George Kalpakas a07191727d refactor($location): minor changes (unused deps, exported globals, unused deps, etc) 2018-07-30 23:36:12 +03:00
George Kalpakas c133ef8360 fix($animate): avoid memory leak with $animate.enabled(element, enabled)
When disabling/enabling animations on a specific element (via
`$animate.enabled(element, enabled)`), the element is added in a map to
track its state. Previously, the element was never removed from the map,
causing AngularJS to hold on to the element even after it is removed
from the DOM, thus preventing it from being garbage collected.

This commit fixes it by removing the element from the map on `$destroy`.

Fixes #16637.

Closes #16649
2018-07-27 20:46:25 +03:00
Martin Staffa aa7d45e804 fix($compile): use correct parent element when requiring on html element
Fixes #16535
Closes #16647
2018-07-27 17:10:25 +02:00
Martin Staffa a42f8a0d5b fix(ngEventDirs): pass error in handler to $exceptionHandler when event was triggered in a digest
This ensures that the error handling is the same for events triggered inside and outside a digest.
2018-07-25 12:43:14 +02:00
Mark Gardner 6b0193e4d9 fix(ngEventDirs): don't wrap the event handler in $apply if already in $digest
Digest cycle already in progress error can inadvertently be caused when triggering an
element's click event while within an active digest cycle. This is due to the ngEventsDirs
event handler always calling $rootScope.$apply regardless of the status of $rootScope.$$phase.
Checking the phase and calling the function immediately if within an active digest cycle
will prevent the problem without reducing current functionality.

Closes #14673
Closes #14674
2018-07-25 12:43:14 +02:00