Commit Graph

11 Commits

Author SHA1 Message Date
Pete Bacon Darwin f1c164c92f docs($parse): add missing error documents 2018-02-19 19:31:43 +00:00
Peter Bacon Darwin 03043839d5 docs(*): ensure naming is correct for Angular(JS) versions 2017-01-25 08:18:39 +00:00
emed 21ac2c42ea docs(error/ueoe): add another possible cause
Mention unescaped quotes as another possible cause for this error.

Closes #15313
2016-10-25 23:34:34 +03:00
Peter Bacon Darwin 1547c751aa refactor($parse): remove Angular expression sandbox
The angular expression parser (`$parse`) attempts to sandbox expressions
to prevent unrestricted access to the global context.

While the sandbox was not on the frontline of the security defense,
developers kept relying upon it as a security feature even though it was
always possible to access arbitrary JavaScript code if a malicious user
could control the content of Angular templates in applications.

This commit removes this sandbox, which has the following benefits:

* it sends a clear message to developers that they should not rely on
the sandbox to prevent XSS attacks; that they must prevent control of
expression and templates instead.
* it allows performance and size improvements in the core Angular 1
library.
* it simplifies maintenance and provides opportunities to make the
parser more capable.

Please see the [Sandbox Removal Blog Post](http://angularjs.blogspot.com/2016/09/angular-16-expression-sandbox-removal.html)
for more detail on what you should do to ensure that your application is
secure.

Closes #15094
2016-09-15 11:18:26 +01:00
Georgios Kalpakas 4fa214ce32 fix($parse): block assigning to fields of a constructor prototype
This commit also adds the missing `isecaf` error page and more tests for assignment to constructors.

Fixes #14939

Closes #14951
2016-07-27 10:58:02 +03:00
Peter Bacon Darwin 05d3ed0d9b docs(error/isecwindow): add note about coffeescript issue
Closes #4853
2015-12-15 10:39:44 +00:00
Trey Hunner a54d4600b3 style: fix whitespace issues
Closes #8277
2014-07-21 14:52:41 -07:00
Igor Minar af20a8aac6 docs($parse:isecdom): add a section about return values and CoffeeScript
Closes #7973
2014-07-12 20:23:37 -07:00
rodyhaddad 77ada4c82d fix($parse): prevent invocation of Function's bind, call and apply
BREAKING CHANGE:
You can no longer invoke .bind, .call or .apply on a function in angular expressions.
This is to disallow changing the behaviour of existing functions
in an unforseen fashion.
2014-06-30 09:25:24 -07:00
rodyhaddad db713a1c1b refactor($parse): move around previous security changes made to $parse 2014-06-30 09:25:23 -07:00
Peter Bacon Darwin 33e1bdc543 chore(errors): rename folders to match namespaces 2014-02-16 22:02:41 +00:00