Commit Graph

211 Commits

Author SHA1 Message Date
George Kalpakas a8bef95127 fix($interval): throw when trying to cancel non-$interval promise
Previously, calling `$interval.cancel()` with a promise that was not
generated by a call to `$interval()` would do nothing. This could, for
example, happen when calling `.then()`/`.catch()` on the returned
promise, which creates a new promise, and passing that to
`$interval.cancel()`.
With this commit, `$interval.cancel()` will throw an error if called
with a non-$interval promise, thus surfacing errors that would otherwise
go unnoticed.

Related to #16424.

BREAKING CHNAGE:

`$interval.cancel()` will throw an error if called with a promise that
was not generated by `$interval()`. Previously, it would silently do
nothing.

Before:
```js
var promise = $interval(doSomething, 1000, 5).then(doSomethingElse);
$interval.cancel(promise);  // No error; interval NOT canceled.
```

After:
```js
var promise = $interval(doSomething, 1000, 5).then(doSomethingElse);
$interval.cancel(promise);  // Throws error.
```

Correct usage:
```js
var promise = $interval(doSomething, 1000, 5);
var newPromise = promise.then(doSomethingElse);
$interval.cancel(promise);  // Interval canceled.
```

Closes #16476
2018-03-13 21:20:10 +02:00
George Kalpakas 3365256502 fix($timeout): throw when trying to cancel non-$timeout promise
Previously, calling `$timeout.cancel()` with a promise that was not
generated by a call to `$timeout()` would do nothing. This could, for
example, happen when calling `.then()`/`.catch()` on the returned
promise, which creates a new promise, and passing that to
`$timeout.cancel()`.
With this commit, `$timeout.cancel()` will throw an error if called with
a non-$timeout promise, thus surfacing errors that would otherwise go
unnoticed.

Fixes #16424

BREAKING CHNAGE:

`$timeout.cancel()` will throw an error if called with a promise that
was not generated by `$timeout()`. Previously, it would silently do
nothing.

Before:
```js
var promise = $timeout(doSomething, 1000).then(doSomethingElse);
$timeout.cancel(promise);  // No error; timeout NOT canceled.
```

After:
```js
var promise = $timeout(doSomething, 1000).then(doSomethingElse);
$timeout.cancel(promise);  // Throws error.
```

Correct usage:
```js
var promise = $timeout(doSomething, 1000);
var newPromise = promise.then(doSomethingElse);
$timeout.cancel(promise);  // Timeout canceled.
```
2018-03-13 21:19:45 +02:00
Pete Bacon Darwin 8b399545a5 docs($route): fix typo in error message 2018-02-20 14:04:25 +01:00
Pete Bacon Darwin c617d6dcee fix($templateRequest): give tpload error the correct namespace
BREAKING CHANGE

Previously the `tpload` error was namespaced to `$compile`. If you have
code that matches errors of the form `[$compile:tpload]` it will no
longer run. You should change the code to match
`[$templateRequest:tpload]`.
2018-02-20 10:25:33 +00:00
Pete Bacon Darwin 56b6ba8e0b docs($route): add missing error document 2018-02-19 19:37:26 +00:00
Pete Bacon Darwin f1c164c92f docs($parse): add missing error documents 2018-02-19 19:31:43 +00:00
Pete Bacon Darwin 1e9eadcd72 feat($sce): handle URL sanitization through the $sce service
Thanks to @rjamet for the original work on this feature.

This is a large patch to handle URLs with the $sce service, similarly to HTML context.

Where we previously sanitized URL attributes when setting attribute value inside the
`$compile` service, we now only apply an `$sce` context requirement and leave the
`$interpolate` service to deal with sanitization.

This commit introduces a new `$sce` context called `MEDIA_URL`, which represents
a URL used as a source for a media element that is not expected to execute code, such as
image, video, audio, etc.
The context hierarchy is setup so that a value trusted as `URL` is also trusted in the
`MEDIA_URL` context, in the same way that the a value trusted as `RESOURCE_URL` is also
trusted in the `URL` context (and transitively also the `MEDIA_URL` context).

The `$sce` service will now automatically attempt to sanitize non-trusted values that
require the `URL` or `MEDIA_URL` context:

* When calling `getTrustedMediaUrl()` a value that is not already a trusted `MEDIA_URL`
will be sanitized using the `imgSrcSanitizationWhitelist`.
* When calling `getTrustedUrl()` a value that is not already a trusted `URL` will be
sanitized using the `aHrefSanitizationWhitelist`.

This results in behaviour that closely matches the previous sanitization behaviour.

To keep rough compatibility with existing apps, we need to allow concatenation of values
that may contain trusted contexts. The following approach is taken for situations that
require a `URL` or `MEDIA_URL` secure context:

* A single trusted value is trusted, e.g. `"{{trustedUrl}}"` and will not be sanitized.
* A single non-trusted value, e.g. `"{{ 'javascript:foo' }}"`, will be handled by
  `getTrustedMediaUrl` or `getTrustedUrl)` and sanitized.
* Any concatenation of values (which may or may not be trusted) results in a
  non-trusted type that will be handled by `getTrustedMediaUrl` or `getTrustedUrl` once the
  concatenation is complete.
  E.g. `"javascript:{{safeType}}"` is a concatenation of a non-trusted and a trusted value,
  which will be sanitized as a whole after unwrapping the `safeType` value.
* An interpolation containing no expressions will still be handled by `getTrustedMediaUrl` or
  `getTrustedUrl`, whereas before this would have been short-circuited in the `$interpolate`
  service. E.g. `"some/hard/coded/url"`. This ensures that `ngHref` and similar directives
  still securely, even if the URL is hard-coded into a template or index.html (perhaps by
  server-side rendering).

BREAKING CHANGES:

If you use `attrs.$set` for URL attributes (a[href] and img[src]) there will no
longer be any automated sanitization of the value. This is in line with other
programmatic operations, such as writing to the innerHTML of an element.

If you are programmatically writing URL values to attributes from untrusted
input then you must sanitize it yourself. You could write your own sanitizer or copy
the private `$$sanitizeUri` service.

Note that values that have been passed through the `$interpolate` service within the
`URL` or `MEDIA_URL` will have already been sanitized, so you would not need to sanitize
these values again.
2018-01-31 13:12:29 +00:00
Jason Bedard e5fb92978f revert: fix($rootScope): fix potential memory leak when removing scope listeners
This reverts commit 817ac56719.
2017-12-13 11:45:31 +01:00
Jason Bedard 817ac56719 fix($rootScope): fix potential memory leak when removing scope listeners
Previously the array entry for listeners was set to null but the array size was
not trimmed until the event was broadcasted again (see e6966e05f5).

By keeping track of the listener iteration index globally it can be adjusted if
a listener removal effects the index.

Fixes #16135
Closes #16293

BREAKING CHANGE:

Recursively invoking `$emit` or `$broadcast` with the same event name is
no longer supported. This will now throw a `inevt` minErr.
2017-10-31 21:36:58 -07:00
Martin Staffa 0864f73458 docs($compileProvider): improve strictComponentBindingsEnabled info
Related to #16303 
Closes #16306
2017-10-30 11:23:44 +01:00
Zita Nemeckova f1d01bbc74 feat($compile): add strictComponentBindingsEnabled() method
Closes #16129
2017-07-28 12:51:38 +03:00
Martin Staffa e65928eecb docs($compile): add more info about optional bindings
This centralizes the info about optional bindings.
Also adds more examples to the $compile:iscp error.

Closes #15989
Closes #16025
2017-06-05 20:23:12 +02:00
Jake Danforth e79c472fdd docs(error/badrestrict): fix typo (of --> or)
Closes #15979
2017-05-11 11:34:36 +03:00
David Fuka 8a89586bed docs(errors/badjsonp): fix typo
Closes #15977
2017-05-10 13:26:49 +02:00
Martin Staffa e23782b8c2 docs($http): correct and clarify default transforms
- baddata error described incorrect http behavior, and workarounds
- httpProvider defaults were missing transformResponse / transformRequest
- http was not clear about JSON detection strategy

Closes #15897 
Closes #15906
2017-04-12 11:21:10 +02:00
Martin Staffa 32f38a33b6 docs($animate): remove obsolete error doc 2017-03-24 10:44:51 +01:00
Joshua J Wilborn 5377baf0fc docs ($compile): add error documentation for noslot error in $compile
Fixes #15790
Closes  #15828
2017-03-22 11:51:55 +01:00
Chirag Bhatia c80fa1cfe1 fix($http): throw more informative error on invalid JSON response
Fixes #15695

Closes #15724
2017-03-14 14:47:39 +02:00
Peter Bacon Darwin 49aba51e6b feat(Module): add info() method
The new `info()` method lets developers store arbitrary information about
their module for consumption later.

Closes #15225
2017-03-02 08:22:08 +00:00
Georgios Kalpakas 4f69d38f09 fix($sanitize): prevent clobbered elements from freezing the browser
Closes #15699
2017-02-24 16:38:16 +00:00
Georgios Kalpakas 9a2efb7b66 fix($animate): improve detection on ng-animate in classNameFilter RegExp
Fixes #14806
2017-02-17 11:26:21 +02:00
Martin Staffa 07f34e7af3 docs: fix some dangling links
They broke during the Angular -> AngularJS rename
2017-02-06 16:42:49 +01:00
Peter Bacon Darwin 03043839d5 docs(*): ensure naming is correct for Angular(JS) versions 2017-01-25 08:18:39 +00:00
Georgios Kalpakas b343e7a560 docs(error/ng:areq): fix typo 2016-11-21 12:55:11 +02:00
Karthikeyan 5ff5815f51 docs(error/ng:areq): mention common error cause
Closes #15414
2016-11-21 12:51:00 +02:00
Peter Bacon Darwin 4aa9534b0f fix($location): throw if the path starts with double (back)slashes
Previously `$location` was rewriting such paths to remove not only the
double slashes but also the first segment of the path, leading to an invalid
path.

In this change, we deem leading double (back)slashes an invalid path and
now throw a `$location:badpath` error if that occurs.

Closes #15365
2016-11-09 10:28:40 +00:00
emed 21ac2c42ea docs(error/ueoe): add another possible cause
Mention unescaped quotes as another possible cause for this error.

Closes #15313
2016-10-25 23:34:34 +03:00
Georgios Kalpakas b54a39e202 feat($http): remove deprecated callback methods: success()/error()
Closes #15157

BREAKING CHANGE:

`$http`'s deprecated custom callback methods - `success()` and `error()` - have been removed.
You can use the standard `then()`/`catch()` promise methods instead, but note that the method
signatures and return values are different.

`success(fn)` can be replaced with `then(fn)`, and `error(fn)` can be replaced with either
`then(null, fn)` or `catch(fn)`.

Before:

```js
$http(...).
  success(function onSuccess(data, status, headers, config) {
    // Handle success
    ...
  }).
  error(function onError(data, status, headers, config) {
    // Handle error
    ...
  });
```

After:

```js
$http(...).
  then(function onSuccess(response) {
    // Handle success
    var data = response.data;
    var status = response.status;
    var statusText = response.statusText;
    var headers = response.headers;
    var config = response.config;
    ...
  }, function onError(response) {
    // Handle error
    var data = response.data;
    var status = response.status;
    var statusText = response.statusText;
    var headers = response.headers;
    var config = response.config;
    ...
  });

// or

$http(...).
  then(function onSuccess(response) {
    // Handle success
    var data = response.data;
    var status = response.status;
    var statusText = response.statusText;
    var headers = response.headers;
    var config = response.config;
    ...
  }).
  catch(function onError(response) {
    // Handle error
    var data = response.data;
    var status = response.status;
    var statusText = response.statusText;
    var headers = response.headers;
    var config = response.config;
    ...
  });
```

**Note:**
There is a subtle difference between the variations showed above. When using
`$http(...).success(onSuccess).error(onError)` or `$http(...).then(onSuccess, onError)`, the
`onError()` callback will only handle errors/rejections produced by the `$http()` call. If the
`onSuccess()` callback produces an error/rejection, it won't be handled by `onError()` and might go
unnoticed. In contrast, when using `$http(...).then(onSuccess).catch(onError)`, `onError()` will
handle errors/rejections produced by both `$http()` _and_ `onSuccess()`.
2016-10-05 19:02:39 +03:00
Peter Bacon Darwin fb66341871 feat($http): JSONP callback must be specified by jsonpCallbackParam config
The query parameter that will be used to transmit the JSONP callback to the
server is now specified via the `jsonpCallbackParam` config value, instead of
using the `JSON_CALLBACK` placeholder.

* Any use of `JSON_CALLBACK` in a JSONP request URL will cause an error.
* Any request that provides a parameter with the same name as that given
by the `jsonpCallbackParam` config property will cause an error.

This is to prevent malicious attack via the response from an app inadvertently
allowing untrusted data to be used to generate the callback parameter.

Closes #15161
Closes #15143
Closes #11352
Closes #11328

BREAKING CHANGE

You can no longer use the `JSON_CALLBACK` placeholder in your JSONP requests.
Instead you must provide the name of the query parameter that will pass the
callback via the `jsonpCallbackParam` property of the config object, or app-wide via
the `$http.defaults.jsonpCallbackParam` property, which is `"callback"` by default.

Before this change:

```
$http.json('trusted/url?callback=JSON_CALLBACK');
$http.json('other/trusted/url', {params:cb:'JSON_CALLBACK'});
```

After this change:

```
$http.json('trusted/url');
$http.json('other/trusted/url', {callbackParam:'cb'});
```
2016-10-05 14:39:50 +01:00
Peter Bacon Darwin 6476af83cd feat($http): JSONP requests now require a trusted resource URL
The $http service will reject JSONP requests that are not trusted by
`$sce` as "ResourceUrl".
This change makes is easier for developers to see clearly where in their
code they are making JSONP calls that may be to untrusted endpoings and
forces them to think about how these URLs are generated.

Be aware that this commit does not put any constraint on the parameters
that will be appended to the URL. Developers should be mindful of what
parameters can be attached and how they are generated.

Closes #11352

BREAKING CHANGE

All JSONP requests now require the URL to be trusted as resource URLs.
There are two approaches to trust a URL:

**Whitelisting with the `$sceDelegateProvider.resourceUrlWhitelist()`
method.**

You configure this list in a module configuration block:

```
appModule.config(['$sceDelegateProvider', function($sceDelegateProvider) {
  $sceDelegateProvider.resourceUrlWhiteList([
    // Allow same origin resource loads.
    'self',
    // Allow JSONP calls that match this pattern
    'https://some.dataserver.com/**.jsonp?**`
  ]);
}]);
```

**Explicitly trusting the URL via the `$sce.trustAsResourceUrl(url)`
method**

You can pass a trusted object instead of a string as a URL to the `$http`
service:

```
var promise = $http.jsonp($sce.trustAsResourceUrl(url));
```
2016-10-05 14:19:55 +01:00
thorn0 16dccea887 fix($compile): bindToController should work without controllerAs
Fixes #15088

Closes #15110
2016-09-16 19:10:12 +03:00
Peter Bacon Darwin 1547c751aa refactor($parse): remove Angular expression sandbox
The angular expression parser (`$parse`) attempts to sandbox expressions
to prevent unrestricted access to the global context.

While the sandbox was not on the frontline of the security defense,
developers kept relying upon it as a security feature even though it was
always possible to access arbitrary JavaScript code if a malicious user
could control the content of Angular templates in applications.

This commit removes this sandbox, which has the following benefits:

* it sends a clear message to developers that they should not rely on
the sandbox to prevent XSS attacks; that they must prevent control of
expression and templates instead.
* it allows performance and size improvements in the core Angular 1
library.
* it simplifies maintenance and provides opportunities to make the
parser more capable.

Please see the [Sandbox Removal Blog Post](http://angularjs.blogspot.com/2016/09/angular-16-expression-sandbox-removal.html)
for more detail on what you should do to ensure that your application is
secure.

Closes #15094
2016-09-15 11:18:26 +01:00
Martin Staffa de1ede7f44 docs(error/noident): add missing comma
Closes #15086
2016-09-05 22:57:59 +02:00
Jason Bedard 11f2731f72 perf($compile): validate directive.restrict property on directive init
This allows the removal of try/catch from addDirective to avoid V8 deopt.

Previously the directive.restrict property was not validated. This would
potentially cause exceptions on each compilation of the directive
requiring a try/catch and potentially causing repeated errors.

New validation when directive.restrict is specified:
* must be a string
* must contain at least one valid character (E, A, C, M)

Cases which previously silently failed (now throw an error):
* values with an indexOf method (such as strings, arrays) which returned
 returned -1 for all valid restrict characters

Cases which previously worked unintentionally (now throw an error):
* arrays with single-character strings of valid restrict characters

PR (#13263)
2016-08-30 22:48:46 +02:00
Jason Bedard 1e1fbc75f5 fix($compile): disallow linking the same element more then once
Previously the following would invoke the element link function multiple
times, causing unknown and potentially buggy results:

    var link = $compile(html);
    link(scope);
    link(scope);

This was always unsupported. Now this throws a multilink error.

PR (#13422)
2016-08-30 22:45:32 +02:00
Martin Staffa eacfe4148e feat($controller): throw when requested controller is not registered
Previously, it would throw the ng:areq error, which is less
specific and just informs that the requested controller is not defined. 
Given how commonly controllers are used
in Angular, it makes sense to have a specific error.

The ng:areq error is still thrown when the registered controller
is not a function.

Closes #14980
PR (#15015)
2016-08-12 19:12:12 +02:00
Kevin Visscher 3393aac049 docs(error/reqslot): fix typo
Closes #15003
2016-08-08 14:31:41 +03:00
Michał Gołębiowski c3220325a0 chore(*): switch from JSHint/JSCS to ESLint
Thanks to @narretz for help in fixing style violations and to @gkalpak
for a very extensive review.

Closes #14952
2016-08-05 22:18:32 +02:00
Martin Staffa 9130166767 feat(input): add support for binding to input[type=range] (#14870)
Thanks to @cironunes for the initial implementation in https://github.com/angular/angular.js/pull/9715

Adds support for binding to input[range] with the following behavior / features:

- Like input[number], it requires the model to be a Number, and will set the model to a Number
- it supports setting the min/max values via the min/max and ngMin/ngMax attributes
- it follows the browser behavior of never allowing an invalid value. That means, when the browser
converts an invalid value (empty: null, undefined, false ..., out of bounds: greater than max, less than min)
to a valid value, the input will in turn set the model to this new valid value via $setViewValue.
-- this means a range input will never be required and never have a non-Number model value, once the
ngModel directive is initialized.
-- this behavior is supported when the model changes and when the min/max attributes change in a way
that prompts the browser to update the input value.
-- ngMin / ngMax do not prompt the browser to update the values, as they don't set the attribute values.
Instead, they will set the min / max errors when appropriate
- browsers that do not support input[range] (IE9) handle the input like a number input (with validation etc.)

Closes #5892
Closes #9715
Close #14870
2016-07-29 14:29:09 +02:00
Peter Bacon Darwin 13b7bf0bb5 docs(examples): give all examples a name
Closes #14958
2016-07-28 10:58:58 +01:00
Georgios Kalpakas c0795c97a5 docs(ngModel/numfmt): remove redundant argument 2016-07-27 12:04:03 +03:00
Georgios Kalpakas 4fa214ce32 fix($parse): block assigning to fields of a constructor prototype
This commit also adds the missing `isecaf` error page and more tests for assignment to constructors.

Fixes #14939

Closes #14951
2016-07-27 10:58:02 +03:00
Xavier Haniquaut c5cdadb601 docs(error/$compile): add reqslot error description
Explains what could generate a `reqslot` error.

Closes #14618
2016-05-23 14:20:44 +01:00
Peter Bacon Darwin 874c0fdcdd feat($compile): add more lifecycle hooks to directive controllers
This change adds in the following new lifecycle hooks, which map in some
way to those in Angular 2:

 * `$onChanges(changesObj)` - Called whenever one-way bindings are updated. The `changesObj` is a hash whose keys
   are the names of the bound properties that have changed, and the values are an object of the form
   `{ currentValue: ..., previousValue: ... }`. Use this hook to trigger updates within a component such as
   cloning the bound value to prevent accidental mutation of the outer value.
 * `$onDestroy` - Called on a controller when its containing scope is destroyed. Use this hook for releasing
   external resources, watches and event handlers.
 * `$postLink` - Called after this controller's element and its children been linked. Similar to the post-link
   function this hook can be used to set up DOM event handlers and do direct DOM manipulation.
   Note that child elements that contain `templateUrl` directives will not have been compiled and linked since
   they are waiting for their template to load asynchronously and their own compilation and linking has been
   suspended until that occurs.

Closes #14127
Closes #14030
Closes #14020
Closes #13991
Closes #14302
2016-03-25 12:54:50 +00:00
pmadruga f01d6f2788 docs(error/$compile.baddir): mention "components" in directive name error
Closes #14212
2016-03-23 21:57:28 +02:00
Huc Arnaud 038eabe8db docs(error/tplrt): add missing ' in example code
Missing a ' @ line 46 class='wrapper'

Closes #14258
2016-03-18 15:40:54 +01:00
Remy Sharp ece8266b01 docs(error/$location:nobase): fix <base> not showing up in heading
Closes #14016
2016-02-13 20:14:42 +02:00
Martin Sikora 7b592f9edd docs(error/$compile:tplrt): fix typo
Closes #13992
2016-02-10 11:03:05 +02:00
Martin Staffa c4e47e491f docs(error/iscp): include one-way bindings, mark spaces as allowed 2016-02-05 16:12:00 +01:00
Smith 34ba294f76 docs(error/$rootScope:inprog): fix typos ("a $apply" --> "an $apply")
Closes #13896
2016-01-31 10:32:10 +02:00