Compare commits

...

8 Commits

Author SHA1 Message Date
Georgios Kalpakas 70724e3918 test($log): fix up to work with IE8 2016-12-07 15:18:07 +02:00
Peter Bacon Darwin 9a0156d258 test($log): fix up to work with Safari 9
On Safari 9.0.2, you are not allowed to write to `sourceUrl` or `line`
on a native Error object.

This commit uses a custom error instead.
2016-12-07 14:39:42 +02:00
Peter Bacon Darwin 5730c665e8 docs(CHANGELOG): add 1.2.32 release notes 2016-10-11 22:49:02 +01:00
Peter Bacon Darwin b8a0ecdd61 fix($compile): ensure that hidden input values are correct after history.back
Due to the nature of some browser's PageCache/BFCache, returning to an Angular
app sometimes causes `input[hidden]` elements to retain the last value
that was stored before the page was navigated away from previously.

This is particularly problematic if the input has an interpolated value.
E.g. `<input type="hidden" value="{{ 1 + 2 }}">` since when the browser
returns, instead of the original interpolation template, the HTML contains
the previous value `<input type="hidden" value="3">`.

This commit instructs the browser not to attempt to reinstate the previous
value when navigating back in history by setting `autocomplete="off"` on
the hidden input element element.
2016-10-11 13:48:38 +01:00
Peter Bacon Darwin ed44dd0659 revert:fix(input): ensure that hidden input values are correct after history.back
This reverts commit 7ec663fc70.
There was a regression against angular-material that relied upon the input directive.
2016-10-11 13:39:13 +01:00
Peter Bacon Darwin a5f4d32d01 chore(bower): fix up URL to closure compiler 2016-10-11 07:48:26 +01:00
Peter Bacon Darwin e4fcf9244b docs(CHANGELOG): update with 1.2.30 and 1.2.31 changes 2016-10-10 23:05:24 +01:00
Peter Bacon Darwin 7ec663fc70 fix(input): ensure that hidden input values are correct after history.back
Due to the nature of some browser's PageCache/BFCache, returning to an Angular
app sometimes causes `input[hidden]` elements to retain the last value
that was stored before the page was navigated away from previously.

This is particularly problematic if the input has an interpolated value.
E.g. `<input type="hidden" value="{{ 1 + 2 }}">` since when the browser
returns, instead of the original interpolation template, the HTML contains
the previous value `<input type="hidden" value="3">`.

This commit instructs the browser not to attempt to reinstate the previous
value when navigating back in history by setting `autocomplete="off"` on
the hidden input element element.
2016-10-10 23:01:20 +01:00
4 changed files with 110 additions and 11 deletions
+76
View File
@@ -1,3 +1,79 @@
<a name="1.2.32"></a>
# 1.2.32 alternation-intention (2016-10-10)
This release reverts the fix in 1.2.31 and provides an alternative fix that doesn't break Angular Material.
## Reverts
- **input:** ensure that hidden input values are correct after history back
([ed44dd065](https://github.com/angular/angular.js/commit/ed44dd0659f346ced78a112e4a2b30d3af4fd572))
## Bug Fixes
- **$compile:** ensure that hidden input values are correct after history back
([b8a0ecdd6](https://github.com/angular/angular.js/commit/b8a0ecdd6189fb111734eb5b6d4d473d0dcf4c36))
<a name="1.2.31"></a>
# 1.2.31 barking-moustache (2016-10-10)
## Bug Fixes
- **input:** ensure that hidden input values are correct after history back
([7ec663fc](https://github.com/angular/angular.js/commit/7ec663fc708aa7a9a9ce62d2306f24d7a733a86d))
<a name="1.2.30"></a>
# 1.2.30 patronal-resurrection (2016-07-21)
_**Note:** This release contains some security fixes that required breaking changes. Since the
legacy 1.2.x branch is the only version branch that supports IE8, it was necessary to introduce a
couple of low-impact breaking changes in a patch release - something we generally avoid - in order
to make the fixes available to people that still need IE8 support._
## Bug Fixes
- **$compile:**
- secure `link[href]` as a `RESOURCE_URL`s in `$sce`
([f35f334b](https://github.com/angular/angular.js/commit/f35f334bd3197585bdf034f4b6d9ffa3122dac62),
[#14687](https://github.com/angular/angular.js/issues/14687))
- properly sanitize `xlink:href` attribute interpolation
([f2fa1ed8](https://github.com/angular/angular.js/commit/f2fa1ed83d18d4e79a36f8c0db1c2524d762e513),
[2687c261](https://github.com/angular/angular.js/commit/2687c26140585d9e3716f9f559390f5d8d598fdf))
- **ngSanitize:** blacklist the attribute `usemap` as it can be used as a security exploit
([ac0d5286](https://github.com/angular/angular.js/commit/ac0d5286b8931633d774080d6396fb4825d8be33),
[#14903](https://github.com/angular/angular.js/issues/14903))
- **ngAnimate:** do not use event.timeStamp anymore for time tracking
([8d83b563](https://github.com/angular/angular.js/commit/8d83b5633471c847d58f337426fe069797dd49d9),
[#13494](https://github.com/angular/angular.js/issues/13494), [#13495](https://github.com/angular/angular.js/issues/13495))
## Breaking Changes
- **$compile:** due to [f35f334b](https://github.com/angular/angular.js/commit/f35f334bd3197585bdf034f4b6d9ffa3122dac62),
`link[href]` attributes are now protected via `$sce`, which prevents interpolated values that fail
the `RESOURCE_URL` context tests from being used in interpolation. For example if the application is
running at `https://mydomain.org/` then the following will fail:
```html
<link rel="stylesheet" href="{{ 'https://otherdomain.org/unsafe.css' }}" />
```
By default, `RESOURCE_URL` safe URLs are only allowed from the same domain and protocol as the
application document. To use URLs from other domains and/or protocols, you may either whitelist them
using `$sceDelegateProvider.resourceUrlWhitelist(...)` or wrap them into a trusted value by calling
`$sce.trustAsResourceUrl(url)`.
- **ngSanitize:** due to [234053fc](https://github.com/angular/angular.js/commit/234053fc9ad90e0d05be7e8359c6af66be94c094),
The `$sanitize` service will now remove instances of the `usemap` attribute from any elements passed
to it.
This attribute is used to reference another element by `name` or `id`. Since the `name` and `id`
attributes are already blacklisted, a sanitized `usemap` attribute could only reference unsanitized
content, which is a security risk.
<a name="1.2.29"></a>
# 1.2.29 ultimate-deprecation (2015-09-29)
+1 -1
View File
@@ -2,7 +2,7 @@
"name": "AngularJS",
"devDependencies": {
"jquery": "1.10.2",
"closure-compiler": "https://closure-compiler.googlecode.com/files/compiler-20130603.zip",
"closure-compiler": "https://dl.google.com/closure-compiler/compiler-20130603.zip",
"ng-closure-runner": "https://raw.github.com/angular/ng-closure-runner/v0.2.3/assets/ng-closure-runner.zip"
}
}
+11 -1
View File
@@ -1030,13 +1030,17 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
var nodeType = node.nodeType,
attrsMap = attrs.$attr,
match,
nodeName,
className;
switch(nodeType) {
case 1: /* Element */
nodeName = nodeName_(node).toLowerCase();
// use the node name: <directive>
addDirective(directives,
directiveNormalize(nodeName_(node).toLowerCase()), 'E', maxPriority, ignoreDirective);
directiveNormalize(nodeName), 'E', maxPriority, ignoreDirective);
// iterate over the attributes
for (var attr, name, nName, ngAttrName, value, isNgAttr, nAttrs = node.attributes,
@@ -1076,6 +1080,12 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
}
}
if (nodeName === 'input' && node.getAttribute('type') === 'hidden') {
// Hidden input elements can have strange behaviour when navigating back to the page
// This tells the browser not to try to cache and reinstate previous values
node.setAttribute('autocomplete', 'off');
}
// use class as directive
className = node.className;
if (isString(className) && className !== '') {
+22 -9
View File
@@ -144,16 +144,29 @@ describe('$log', function() {
describe('$log.error', function() {
var e, $log, errorArgs;
beforeEach(function() {
e = new Error('');
e.message = undefined;
e.sourceURL = undefined;
e.line = undefined;
e.stack = undefined;
function TestErrorPrototype() {}
TestErrorPrototype.prototype = Error.prototype;
$log = new $LogProvider().$get[1]({console:{error:function() {
errorArgs = [].slice.call(arguments, 0);
}}});
function TestError() {
Error.prototype.constructor.apply(this, arguments);
this.message = undefined;
this.sourceURL = undefined;
this.line = undefined;
this.stack = undefined;
}
TestError.prototype = new TestErrorPrototype();
TestError.prototype.constructor = TestError;
beforeEach(function() {
e = new TestError('');
var mockWindow = {
console: {
error: function() {
errorArgs = [].slice.call(arguments, 0);
}
}
};
$log = new $LogProvider().$get[1](mockWindow);
});