Compare commits

...

66 Commits

Author SHA1 Message Date
dependabot[bot] d373b35575 chore(deps): bump tar from 4.4.4 to 4.4.19
Bumps [tar](https://github.com/npm/node-tar) from 4.4.4 to 4.4.19.
- [Release notes](https://github.com/npm/node-tar/releases)
- [Changelog](https://github.com/npm/node-tar/blob/main/CHANGELOG.md)
- [Commits](https://github.com/npm/node-tar/compare/v4.4.4...v4.4.19)

---
updated-dependencies:
- dependency-name: tar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-31 16:55:32 +00:00
Gage Guzman ed30c4d0ea docs(README.md): add wiki link to MVC
Add a wiki link to MVC in case people have not heard of it before and
want to read about it more.

Closes #17152
2021-08-24 11:24:46 +03:00
dependabot[bot] 4032655100 chore(deps): bump js-yaml from 3.5.5 to 3.14.1
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 3.5.5 to 3.14.1.
- [Release notes](https://github.com/nodeca/js-yaml/releases)
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/compare/3.5.5...3.14.1)

Closes #17147
2021-06-12 16:25:47 +03:00
dependabot[bot] 47f8c65aca chore(deps): bump normalize-url from 4.5.0 to 4.5.1
Bumps [normalize-url](https://github.com/sindresorhus/normalize-url) from 4.5.0 to 4.5.1.
- [Release notes](https://github.com/sindresorhus/normalize-url/releases)
- [Commits](https://github.com/sindresorhus/normalize-url/commits)

Closes #17145
2021-06-12 15:26:29 +03:00
Michael Prentice 56b0ee3275 chore(e2e): run tests against Chrome 91 on macOS Catalina
Closes #17144
2021-06-12 15:25:34 +03:00
Michael Prentice 58cd897420 chore(e2e): run tests against Firefox 85 on macOS Catalina
Closes #17142
2021-06-12 15:22:18 +03:00
Michael Prentice c3769a6b5b chore(functions): support NodeJS LTS v14. fix audit issues
- update firebase scripts
- from: 6 vulnerabilities found - Severity: 6 High
- to: 0 vulnerabilities found

Closes #17140
2021-06-07 20:02:55 +03:00
Michael Prentice c140d89583 chore(build): support NodeJS LTS v14. fix audit issues
- from:483 vulnerabilities found - 273 Low | 38 Moderate | 168 High | 4 Critical
- to: 389 vulnerabilities found - 259 Low | 28 Moderate | 98 High | 4 Critical

Closes #17139
2021-06-05 20:46:59 +03:00
Michael Prentice 1a5b0517d0 docs(misc/Version Support Status): update URL for XLTS.dev
- the subdomain was switched to a path many months ago
- the angularjs.xlts.dev site will soon be used for hosting something else
  and the redirect removed (ASAP)

Closes #17136
2021-06-01 16:23:10 +03:00
Ikko Ashimine e29900c78f docs($parse): fix typo in parse.js
Propogate -> Propagate
2021-04-22 09:49:07 +01:00
dependabot[bot] 02545a8bab chore(deps): bump y18n from 3.2.1 to 3.2.2
Bumps [y18n](https://github.com/yargs/y18n) from 3.2.1 to 3.2.2.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Closes #17122
2021-03-31 19:45:19 +03:00
Ikko Ashimine 9bff2ce8fb docs($parse): fix typo in lval.ngdoc
assigment -> assignment

Closes #17120
2021-03-09 13:27:46 +02:00
dependabot[bot] d463206d0a chore(deps): bump elliptic from 6.5.3 to 6.5.4
Bumps [elliptic](https://github.com/indutny/elliptic) from 6.5.3 to 6.5.4.
- [Release notes](https://github.com/indutny/elliptic/releases)
- [Commits](https://github.com/indutny/elliptic/compare/v6.5.3...v6.5.4)

Signed-off-by: dependabot[bot] <support@github.com>

Closes #17119
2021-03-09 13:25:06 +02:00
dependabot[bot] ae8e903edf chore(deps): bump bl from 1.2.2 to 1.2.3
Bumps [bl](https://github.com/rvagg/bl) from 1.2.2 to 1.2.3.
- [Release notes](https://github.com/rvagg/bl/releases)
- [Commits](https://github.com/rvagg/bl/compare/v1.2.2...v1.2.3)

Signed-off-by: dependabot[bot] <support@github.com>

Closes #17116
2021-02-06 21:31:35 +02:00
dependabot[bot] 89c7794b21 chore(deps): bump https-proxy-agent from 2.2.1 to 2.2.4
Bumps [https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent) from 2.2.1 to 2.2.4.
- [Release notes](https://github.com/TooTallNate/node-https-proxy-agent/releases)
- [Commits](https://github.com/TooTallNate/node-https-proxy-agent/compare/2.2.1...2.2.4)

Signed-off-by: dependabot[bot] <support@github.com>

Closes #17115
2021-02-06 21:30:54 +02:00
dependabot[bot] 8a941b8ea9 chore(deps): bump ini from 1.3.4 to 1.3.7
Bumps [ini](https://github.com/isaacs/ini) from 1.3.4 to 1.3.7.
- [Release notes](https://github.com/isaacs/ini/releases)
- [Commits](https://github.com/isaacs/ini/compare/v1.3.4...v1.3.7)

Signed-off-by: dependabot[bot] <support@github.com>

Closes #17099
2021-02-06 21:30:11 +02:00
George Kalpakas 30a4424da2 chore(ci): only run deploy-code-firebase on master
Previously, the `deploy-code-firebase` CI job was run on any build
corresponding to a git tag, the master branch or the stable branch.
Given that all runs of `deploy-code-firebase` deploy to the same
Firebase project (and overwrites previous deployments), there is no
point in deploying from multiple branches/tags.

This commit fixes this by ensuring that we only run the
`deploy-code-firebase` job on builds for the master branch, which
contains the most up-to-date code/configuration.
2021-02-06 19:46:27 +02:00
George Kalpakas a6fa1ce76e chore(ci): fix failing deploy-code job
In #17114, the `deploy-code` CI job was modified to also run some
commands via `yarn`. It turns out that this breaks on CI, because the
`deploy-code` job uses the `cloud-sdk` executor that does not have
`yarn` installed. ([Example failure][1])

This commit fixes this by splitting the `deploy-code` job into two jobs:
- `deploy-code-files` uses the `cloud-sdk` and uploads the files to
  Google Cloud.
  (This is essentially the `deploy-code` job from before #17114.)
- `deploy-code-firebase` uses the `default` executor (which has `yarn`
  installed) and deploys to Firebase.
  (This essentially includes the new bits added in #17114.)

[1]: https://circleci.com/gh/angular/angular.js/2712
2021-02-06 13:42:28 +02:00
George Kalpakas 63d613fccf fix(code.angularjs.org): correctly re-construct paths on Windows in sendStoredFile()
Previously, the `sendStoredFile()` Firebase function used `.split('/')`
to split the request path into segments and later used `path.join()` to
join them back together. This worked fine on *nix based systems, which
use `/` as the path separator. On Windows, however, where `\` is the
path separator, the re-constructed paths could not be retrieved from the
Google Cloud Storage bucket. This prevented the Firebase emulators from
working correctly when testing the function locally on Windows.

This commit fixes the issue by using `.join('/')` to join the path
segments back together.

Closes #17114
2021-02-06 11:50:11 +02:00
George Kalpakas ed7d506b7d chore(build): update Firebase dependencies to latest versions
This commit updates `firebase-admin`, `firebase-functions` and
`firebase-tools` to latest versions to take advantage of the most recent
fixes and improvements.
2021-02-06 11:50:06 +02:00
George Kalpakas 12df4d6a00 chore(build): use Node.js v12 for Firebase functions on {code,docs}-angularjs-org 2021-02-06 11:50:06 +02:00
George Kalpakas 4267ad65a5 chore(ci): use default project from config when deploying to Firebase
Previously, when deploying `scripts/{code,docs}.angularjs.org-firebase/`
to Firebase, we explicitly specified the target projects. Since the
project IDs are also specified in the respective `.firebaserc` files,
this was unnecessary (and meant we had multiple places to update if the
IDs changed).

This commit simplifies the process by automatically targeting the
default projects (as configured in the `.firebaserc` files) when
deploying to Firebase in CI.
2021-02-06 11:50:06 +02:00
George Kalpakas 66ada20d1b chore(ci): also deploy code-angularjs-org to Firebase
Previously, we only deployed the built files to Google Cloud Storage for
the `code-angularjs-org` Firebase project. This meant that the other
Firebase services (such as functions, hosting, storage) were not updated
when we made changes to their source code or configuration.
(This isn't a problem at the moment, since the code/configuration for
these service changes infrequently, but could bite us in the future.)

This commit fixes this by ensuring that we deploy to all enabled
Firebase services (currently functions, hosting and storage).
2021-02-06 11:50:06 +02:00
George Kalpakas c7d68fa044 chore(ci): also deploy Firebase functions to docs-angularjs-org
Previously, we only deployed to Firebase hosting for the
`docs-angularjs-org` Firebase project. This meant that the deployed
functions used an old version of Node.js and started failing once
support was dropped for that version. See #17111 for details.

This commit fixes this by ensuring that we deploy to all enabled
Firebase services (currently functions and hosting).

Fixes #17111
Fixes angular/angularjs.org#251
2021-02-06 11:50:06 +02:00
George Kalpakas 667ff87ab5 chore(ci): deploy to docs.angularjs.org from within the corresponding directory
Previously, in order to deploy to Firebase from
`scripts/docs.angularjs.org-firebase/`, we had to copy the
`firebase.json` file to the repository root and adjust the contained
paths accordingly.

By running the `firebase` CLI directly (instead of via `yarn`), we are
able to deploy from `docs.angularjs.org-firebase/` directly. This
simplifies the deployment (and local testing) process and paves the way
for also deploying from `code.angularjs.org-firebase/` in a subsequent
commit.
2021-02-06 11:50:06 +02:00
George Kalpakas b481a16576 chore(ci): copy deployment files inside the respective Firebase directories
We have the `scripts/{code,docs}.angularjs.org-firebase/` directories,
which contain the necessary code and config for deploying built files to
the `code-angularjs-org` and `docs-angularjs-org` Firebase projects
respectively.

Previously, some of the files that needed to be deployed to Firebase (or
Google Cloud) were placed outside these directories (e.g. in
`deploy/{code,docs}/`).

Since these files are only used for deploying to Firebase/Google Cloud,
this commit changes the deployment process to instead copy the files
inside the directories. In a subsequent commit, this will allow
simplifying the deployment process, by running it from inside each
directory instead of having to copy the `firebase.json` files to the
repository root (and adjust the paths).

These are the destination directory changes:

| Before       | After                                       |
|--------------|---------------------------------------------|
| deploy/code/ | scripts/code.angularjs.org-firebase/deploy/ |
| deploy/docs/ | scripts/docs.angularjs.org-firebase/deploy/ |
2021-02-06 11:50:06 +02:00
George Kalpakas 6e052a4243 chore(code.angularjs.org): check in yarn.lock file (and remove package-lock.json)
Since we are using `yarn` to install dependencies, it makes sense to use
`yarn.lock` as the lockfile (and get rid of the unused
`package-lock.json`).
2021-02-06 11:50:05 +02:00
George Kalpakas 2e72ea13fa docs(changelog): fix typos in 1.8.1/1.8.2 notes
- Remove stray backtick.
- Add missing preposition (`identical` --> `identical to`).
- Remove 1.8.1 change from the 1.8.2 section.

Closes #17093
2020-10-25 11:42:13 +02:00
Pete Bacon Darwin 9b3b6f7f79 docs(changelog): add release notes for 1.8.2 2020-10-21 12:48:47 +01:00
George Kalpakas e41f018959 fix($sceDelegate): make resourceUrlWhitelist() is identical trustedResourceUrlList()
In commit a206e2675c, `$sceDelegateProvider`'s
`resourceUrlWhitelist()` was deprecated in favor of the new
`trustedResourceUrlList()`. However, although both properties were
assigned the same value, it was possible for an app to break if one of
the properties was overwritten in one part of the app (or a 3rd-party
library) while another part of the app interacts with the other,
non-overwritten property.

This commit fixes it by making `resourceUrlWhitelist()` a getter/setter
that delegates to `trustedResourceUrlList()`, ensuring that the two
properties will remain in sync. This, also, makes it consistent with
other similar deprecated properties, such as `$sceDelegateProvider`'s
`resourceUrlBlacklist()`.

Closes #17090
2020-10-14 15:44:24 +03:00
George Kalpakas 71d19f120a docs(*): fix docs on recently deprecated properties/methods
In commits 9679e58ec4e9d9e4b743..3dd42cea688a7b6f7789, some properties
and methods names including the terms whitelist/blacklist were
deprecated in favor of new ones not including the terms.

This commit fixes some typos in docs related to these changes and adds
links to the new properties/methods in the changelog for easier access.

Fixes #17088
2020-10-14 15:44:24 +03:00
frosty 8aa3389ed6 docs(version-support-status): add link to extended long term support 2020-10-08 19:16:57 +01:00
Pete Bacon Darwin bb480064b9 docs(changelog): add release notes for 1.8.1 2020-10-05 14:04:33 +01:00
George Kalpakas 6b86a888cb chore(CircleCI): fix deploy-docs job
Since #17039, our docs Firebase functions' `package.json` specifies a
`node` engine version. This is required for configuring which version of
Node.js should Firebase use to execute the functions. However, since
Firebase is using an older version of Node.js than the one we use to
build the AngularJS project, yarn would error due to incompatible
Node.js engine versions ([example failure][1]).

This commit avoids the error by running yarn with the `--ignore-engines`
option.

[1]: https://app.circleci.com/pipelines/github/angular/angular.js/214/
     workflows/ad2e9baf-7249-467d-bc71-bd98e6cd922c/jobs/2247
2020-10-01 02:15:59 +03:00
dependabot[bot] f17c7d8f66 chore(deps): bump node-fetch from 2.6.0 to 2.6.1
Bumps [node-fetch](https://github.com/bitinn/node-fetch) from 2.6.0 to 2.6.1.
- [Release notes](https://github.com/bitinn/node-fetch/releases)
- [Changelog](https://github.com/node-fetch/node-fetch/blob/master/docs/CHANGELOG.md)
- [Commits](https://github.com/bitinn/node-fetch/compare/v2.6.0...v2.6.1)

Signed-off-by: dependabot[bot] <support@github.com>

Closes #17073
2020-10-01 00:54:33 +03:00
dependabot[bot] e7c105c592 chore(deps): bump node-fetch
Bumps [node-fetch](https://github.com/bitinn/node-fetch) from 2.6.0 to 2.6.1.
- [Release notes](https://github.com/bitinn/node-fetch/releases)
- [Changelog](https://github.com/node-fetch/node-fetch/blob/master/docs/CHANGELOG.md)
- [Commits](https://github.com/bitinn/node-fetch/compare/v2.6.0...v2.6.1)

Signed-off-by: dependabot[bot] <support@github.com>

Closes #17072
2020-10-01 00:53:44 +03:00
dependabot[bot] d0e7dc14bb chore(deps): bump node-fetch
Bumps [node-fetch](https://github.com/bitinn/node-fetch) from 2.6.0 to 2.6.1.
- [Release notes](https://github.com/bitinn/node-fetch/releases)
- [Changelog](https://github.com/node-fetch/node-fetch/blob/master/docs/CHANGELOG.md)
- [Commits](https://github.com/bitinn/node-fetch/compare/v2.6.0...v2.6.1)

Signed-off-by: dependabot[bot] <support@github.com>

Closes #17071
2020-10-01 00:52:21 +03:00
dependabot[bot] 0a746a2521 chore(deps): bump http-proxy from 1.16.2 to 1.18.1
Bumps [http-proxy](https://github.com/http-party/node-http-proxy) from 1.16.2 to 1.18.1.
- [Release notes](https://github.com/http-party/node-http-proxy/releases)
- [Changelog](https://github.com/http-party/node-http-proxy/blob/master/CHANGELOG.md)
- [Commits](https://github.com/http-party/node-http-proxy/compare/1.16.2...1.18.1)

Signed-off-by: dependabot[bot] <support@github.com>

Closes #17070
2020-10-01 00:50:49 +03:00
Michael Prentice 2f73f6a8c0 chore(copyright): update to Google LLC
- fix minor typo in comment

Relates to angular/angular#27880

Closes #17062
2020-10-01 00:49:43 +03:00
George Kalpakas e1ecd184c5 chore(SauceLabs): update sauce-connect to version 4.6.2
Closes #17078
2020-10-01 00:47:23 +03:00
Martin Staffa abff650016 chore(ci): add engines to docs firebase deployment
According to the Firebase docs, this field is necessary: https://firebase.google.com/docs/functions/manage-functions#set_nodejs_version
It's also a good idea to set it because NodeJS 8 is end-of-life, and Firebase will require Node 10 for all functions by  March 15, 2021.
2020-09-30 19:41:06 +01:00
dependabot[bot] b96a1de842 chore(deps): bump is-my-json-valid from 2.15.0 to 2.20.5
Bumps [is-my-json-valid](https://github.com/mafintosh/is-my-json-valid) from 2.15.0 to 2.20.5.
- [Release notes](https://github.com/mafintosh/is-my-json-valid/releases)
- [Commits](https://github.com/mafintosh/is-my-json-valid/compare/v2.15.0...v2.20.5)

Signed-off-by: dependabot[bot] <support@github.com>
2020-09-30 19:35:46 +01:00
Michael Prentice b42ab51ad9 docs(security): add SECURITY.md 2020-09-30 19:34:45 +01:00
Joey Perrott 3dd42cea68 refactor(misc): remove usages of whitelist and blacklist
Remove miscellaneous usages and references to usages of whitelist and blacklist
throughout the repository.
2020-09-30 18:46:45 +01:00
Joey Perrott 767381020d refactor(SanitizeUriProvider): remove usages of whitelist
Changes aHrefSanitizationWhitelist to aHrefSanitizationTrustedUri and imgSrcSanitizationWhitelist
to imgSrcSanitizationTrustedUri updating references to use the new symbols.

For the purposes of backward compatibility, the previous symbols are aliased to
the new symbols.
2020-09-30 18:46:45 +01:00
Joey Perrott c953af6b8c refactor(httpProvider): remove usages of whitelist and blacklist
Changes xsrfWhitelistedOrigins to xsrfTrustedOrigins updating references to use
this new symbol.

For the purposes of backward compatibility, the previous symbol is aliased to
the new symbol.
2020-09-30 18:46:45 +01:00
Joey Perrott a206e2675c refactor(sceDelegateProvider): remove usages of whitelist and blacklist
Changes resourceUrlWhitelist to trustedResourceUrlList and resourceUrlBlacklist
to bannedResourceUrlList, updating references to use this new symbol.

For the purposes of backward compatibility, the previous symbols are aliased to
their new symbol.
2020-09-30 18:46:45 +01:00
George Kalpakas 9679e58ec4 chore(ci): correctly compute $DIST_TAG in the deploy-code CI job
Previously, the `DIST_TAG` environment variable was failing to be
computed correctly in the `deploy-code` CI job, because it relied on the
non-existent `node` executable. It worked with the default executor
(which includes `node`), but not with the `cloud-sdk` executor used in
`deploy-code`, resulting in the following error:

```sh
./.circleci/env.sh: line 59: node: command not found
DIST_TAG=
```

You can see an example failure in the "Set up environment" step logs in
https://app.circleci.com/pipelines/github/angular/angular.js/
170/workflows/32fcacf9-c89b-4020-b3eb-15debe18bb67/jobs/1793

This commit fixes it by computing `$DIST_TAG` using unix tools (`cat`,
`grep`, `sed`) that _are_ available on the docker images of all
executors.

Closes #17067
2020-08-22 22:03:58 +03:00
George Kalpakas 26e13e5797 chore(ci): fix docs deployment to Firebase (deploy-docs CI job)
Previously, the command used to deploy the docs to Firebase (as part of
the `deploy-docs` CI job) would fail, because no target project was
specified (either directly in the command or indirectly via a
`.firebaserc` file in the working directory).

Example failure:
https://app.circleci.com/pipelines/github/angular/angular.js/
166/workflows/34c692ec-18d4-4422-a1cf-108a91219fa5/jobs/1744

This commit fixes the command by specifying the project via the
`--project` cli argument. It also adds the commit SHA as message to make
it easier to associate a deployment with the corresponding commit.

Closes #17066
2020-08-22 18:50:06 +03:00
George Kalpakas 4428dd0c0f chore(ci): correctly compute the DIST_TAG environment variable
Previously, the `DIST_TAG` environment variable was failing to be
computed correctly, because it was using the non-existent `jq` tool. In
the past (when running on TravisCI), `jq` used to be available, but it
is not on the currently used CircleCI docker image, resulting in the
following error:

```sh
./.circleci/env.sh: line 59: jq: command not found
DIST_TAG=
```

You can see an example failure in the "Set up environment" step logs in
https://app.circleci.com/pipelines/github/angular/angular.js/
166/workflows/34c692ec-18d4-4422-a1cf-108a91219fa5/jobs/1742

This commit fixes it by using `node` (which _is_ available on the docker
image) to compute `$DIST_TAG`.
2020-08-22 18:50:05 +03:00
George Kalpakas a6a6c16195 chore(ci): avoid deploying if linting fails
Previously, the `prepare-deployment` CI job, which requires all unit and
e2e test jobs to have succeeded before running, was ignoring the `lint`
job. As a result, deployments might happen even when there were linting
issues. This looks like an oversight.

This commit ensures that, in addition to unit and e2e tests passing,
linting must also pass before deploying the code or documentation.

Closes #17063
2020-08-21 17:32:55 +03:00
George Kalpakas 744862ac31 chore(ci): fix deploy-docs CI job
One step in the `deploy-docs` CI job contains a typo that causes it to
fail: `yarn -cwd ...` instead of `yarn --cwd ...`
This has been broken since a0488b30a7, but
has not been noticed because the job was not running. #17060 configured
the job to run as necessary, which brought up the error.

Example failure:
  - On v1.8.x:
    https://app.circleci.com/pipelines/github/angular/angular.js/
    153/workflows/6a9826ac-d191-4042-8c39-0c969c81e381/jobs/1606

This commit fixes the typo in the command.
2020-08-21 17:32:25 +03:00
George Kalpakas 3e62832680 chore(ci): fix deploy-code CI job
In #17060, the `deploy-code` job was updated to [include][1] the
`init_environment` custom command. This caused the job to start failing,
because  the `init_environment` command was not compatible with the
`cloud-sdk` executor used in `deploy-code`. There were two problems:

1. The `init_environment` command assumes that the working directory is
   `~/ng`. The `cloud-sdk` executor [did not specify][2] a working
   directory.
   Example failures:
     - On master:
       https://app.circleci.com/pipelines/github/angular/angular.js/
       152/workflows/812df7b2-4bba-4e9e-a868-8c58db5d40d1/jobs/1594
     - On v1.8.x:
       https://app.circleci.com/pipelines/github/angular/angular.js/
       153/workflows/6a9826ac-d191-4042-8c39-0c969c81e381/jobs/1607

2. The `install_java` step, which is part of the `init_environment`
   command, relies on `sudo`, which is not available in the `cloud-sdk`
   executor.
   Example failure:
   - [On a PR]:
     https://app.circleci.com/pipelines/github/angular/angular.js/
     160/workflows/2eed5cfa-751c-44ba-b825-1d6cd5ba3406/jobs/1660

This commit fixes the issues by:
1. Specifying a working directory for the `cloud-sdk` executor. It also
   updates paths used in other steps of the `deploy-code` job to take
   the working directory into account.
2. Removing the `install_java` step from the `init_environment` command
   and adding it explicitly to jobs than require it.

[1]: https://github.com/angular/angular.js/blob/83f084e5db95768dcee5/.circleci/config.yml#L359
[2]: https://github.com/angular/angular.js/blob/83f084e5db95768dcee5/.circleci/config.yml#L34-L37
2020-08-21 17:32:25 +03:00
George Kalpakas 83f084e5db chore(ci): avoid unnecessarily running grunt prepareDeploy in deploy-docs CI job
Previously, the `grunt prepareDeploy` command was run in both the
`prepare-deployment` and `deploy-docs` CI jobs. The reason was that not
all files affected by `grunt prepareDeploy` were persisted to the
workspace across jobs.

More specifically, the command would affect files in the `deploy/` and
`scripts/docs.angularjs.org-firebase/` directories and also create a
`firebase.json` file at the root directory, but only the `deploy/`
directory was [persisted to the workspace][1].

This commit avoids unnecessarily running the `grunt prepareDeploy`
command in the `deploy-docs` CI job by ensuring that all affected files
will be persisted to the workspace in the `prepare-deployment` CI job,
which always runs before `deploy-docs`.

[1]: https://github.com/angular/angular.js/blob/295213df953766625462/.circleci/config.yml#L265

Closes #17060
2020-08-13 14:57:18 +03:00
George Kalpakas 046887048a chore(ci): correctly deploy code and docs on version branches and tags
Previously, the generated build artifacts and docs were only deployed
for builds associated with the master branch. There was also a `latest`
branch mentioned in the config, but there is normally no such branch, so
this had no effect.

This commit fixes the rules so that deployments happen when necessary.
More specifically:
- The `deploy-code` job now runs for builds associated with:
  - The master branch.
  - The stable branch (i.e. the branch from which the version tagged as
    `@latest` on npm is released).
  - Tags of the form `v1.X.Y(-Z)`. (This also required configuring
    CircleCI to run builds for git tags, which does not happen by
    default.)
- The `deploy-docs` job now runs for builds associated with:
  - The stable branch (i.e. the branch from which the version tagged as
    `@latest` on npm is released).

The new rules for when deployments should take place are based on the
logic previously in [.travis.yml][1] and [scripts/travis/build.sh][2]
(from before we switched from Travis to CircleCI).

[1]: https://github.com/angular/angular.js/blob/974700af7c1/.travis.yml#L54-L103
[2]: https://github.com/angular/angular.js/blob/974700af7c1/scripts/travis/build.sh#L66-L101
2020-08-13 14:56:34 +03:00
George Kalpakas f9b5cbfcf7 chore(package.json): update docs app to use version 1.8 of AngularJS
As mentioned in `RELEASE.md`, now that the [CDN][1] has been updated
with the 1.8.0 version, it is safe to bump the value of the
`branchVersion` property in `package.json` to `^1.8.0`. This will cause
the docs app to use the latest version, namely 1.8.0.

[1]: https://ajax.googleapis.com/ajax/libs/angularjs/1.8.0/angular.js
2020-08-13 14:56:34 +03:00
dependabot[bot] 0d14993d75 chore(deps): bump elliptic from 6.3.3 to 6.5.3
Bumps [elliptic](https://github.com/indutny/elliptic) from 6.3.3 to 6.5.3.
- [Release notes](https://github.com/indutny/elliptic/releases)
- [Commits](https://github.com/indutny/elliptic/compare/v6.3.3...v6.5.3)

Signed-off-by: dependabot[bot] <support@github.com>

Closes #17059
2020-07-30 18:44:04 +03:00
Ewa G 5541828ff4 docs(misc/Version Support Status): mention LTS extension by 6 months due to COVID
Due to COVID-19 affecting teams migrating from AngularJS, the Long Term Support period has been
extended by 6 months (until the end of 2021). See announcement on Twitter:
https://twitter.com/angular/status/1287780634572857357

This commit updates the "Version Support Status" page to also mention the extension.

Partially addresses #17058.
2020-07-30 12:25:28 +03:00
George Kalpakas 4099279426 fix(doc-gen): use the correct lodash method in dgeni processor (indexBy --> keyBy)
The `indexBy()` method was renamed to `keyBy()` in lodash v4 (see
lodash/lodash@b1d52ccd82). This commit
updates all usages of `indexBy()` to `keyBy()`.
2020-07-16 19:32:02 +03:00
dependabot[bot] 01ed44efd6 chore(deps-dev): bump lodash from 2.4.2 to 4.17.19
Bumps [lodash](https://github.com/lodash/lodash) from 2.4.2 to 4.17.19.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/2.4.2...4.17.19)

Signed-off-by: dependabot[bot] <support@github.com>
2020-07-16 19:32:02 +03:00
dependabot[bot] 49655fac26 chore(deps): bump lodash
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19)

Signed-off-by: dependabot[bot] <support@github.com>
2020-07-16 15:48:27 +03:00
dependabot[bot] 42abc8270a chore(deps): bump lodash
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19)

Signed-off-by: dependabot[bot] <support@github.com>
2020-07-16 12:15:17 +03:00
dependabot[bot] d6ae0ee772 Merge pull request #17043 from angular/dependabot/npm_and_yarn/scripts/docs.angularjs.org-firebase/functions/websocket-extensions-0.1.4
chore(deps): bump websocket-extensions from 0.1.3 to 0.1.4 in /scripts/docs.angularjs.org-firebase/functions
2020-06-11 11:47:40 +01:00
dependabot[bot] 94dc1d0e6d chore(deps): bump websocket-extensions
Bumps [websocket-extensions](https://github.com/faye/websocket-extensions-node) from 0.1.3 to 0.1.4.
- [Release notes](https://github.com/faye/websocket-extensions-node/releases)
- [Changelog](https://github.com/faye/websocket-extensions-node/blob/master/CHANGELOG.md)
- [Commits](https://github.com/faye/websocket-extensions-node/compare/0.1.3...0.1.4)

Signed-off-by: dependabot[bot] <support@github.com>
2020-06-11 11:46:25 +01:00
Harri Lehtola 2fab3d4e00 fix($sanitize): do not trigger CSP alert/report in Firefox and Chrome
If `ngSanitize` is added as a module dependency and a Content-Security-Policy
is set that does not allow inline styles then Firefox and Chrome show the
following message:

> Content Security Policy: The page’s settings observed the loading of a
resource at self (“default-src”). A CSP report is being sent.

This message is caused because AngularJS is creating an inline style tag
to test for a browser bug that we use to decide what sanitization strategy
to use, which causes CSP violation errors if inline CSS is prohibited.

This test is no longer necessary, since the `DOMParser` is now safe to use
and the `style` based check is redundant.

In this fix, we default to using `DOMParser` if it is available and fall back
to `createHTMLDocument()` if needed. This is the approach used by DOMPurify
too.

The related unit tests in `sanitizeSpec.js`, "should not allow JavaScript
execution when creating inert document" and "should not allow JavaScript
hidden in badly formed HTML to get through sanitization (Firefox bug)", are
left untouched to assert that the behavior hasn't changed in those scenarios.

Fixes #16463.
2020-06-11 11:41:27 +01:00
Pete Bacon Darwin 72fbd48f2a chore: update changelog with vulnerability credits 2020-06-05 13:35:32 +01:00
57 changed files with 4960 additions and 4881 deletions
+189 -38
View File
@@ -28,18 +28,110 @@ executors:
type: string
default: medium
docker:
- image: circleci/node:12.16.3@sha256:8fe514dae7585bbee1c64bf5a6cd4dcdf393316b5c87565b47e31014872c8860
- image: circleci/node:14.16.1@sha256:b094e85848b43209ca83d9bb114d406fe62c75cb73b18c9d8eb1a9c6462c97d4
resource_class: << parameters.resource_class >>
working_directory: ~/ng
cloud-sdk:
description: The docker container to use when running gcp-gcs commands
docker:
- image: google/cloud-sdk:alpine@sha256:7d0cae28cb282b76f2d9babe278c63c910d54f0cceca7a65fdf6806e2b43882e
working_directory: ~/ng
# Filter Definitions
# Filter to run a job on all branches and any `v1.X.Y(-Z)` tags.
# Since the jobs need to run on tagged builds too, a `tags` section has to be explicitly specified.
# (The `branches` section could be omitted, since it defaults to all branches - just being explicit
# here).
# See also https://circleci.com/docs/2.0/workflows/#executing-workflows-for-a-git-tag.
var-filter-run-always: &run-always
filters:
branches:
only: /.*/
tags:
only: /v1\.\d+\.\d.*/
# Filter to run a job when code might need to be deployed - i.e. on builds for the `master` branch.
# (Further checks are needed to determine whether a deployment is actually needed, but these are not
# possible via filters.)
var-filter-run-on-master: &run-on-master
filters:
branches:
only:
- master
tags:
ignore: /.*/
# Filter to run a job when code/docs might need to be deployed - i.e. on tagged builds and on builds
# for master and `v1.*.x` branches.
# (Further checks are needed to determine whether a deployment is actually needed, but these are not
# possible via filters.)
var-filter-run-on-tags-and-master-and-version-branches: &run-on-tags-and-master-and-version-branches
filters:
branches:
only:
- master
- /v1\.\d+\.x/
tags:
only: /v1\.\d+\.\d.*/
# Filter to run a job when docs might need to be deployed - i.e. on builds for `v1.*.x` branches,
# which might correspond to the stable branch.
# (Further checks are needed to determine whether a deployment is actually needed, but these are not
# possible via filters.)
var-filter-run-on-version-branches: &run-on-version-branches
filters:
branches:
only:
- /v1\.\d+\.x/
tags:
ignore: /.*/
# Command Definitions
# https://circleci.com/docs/2.0/reusing-config/#authoring-reusable-commands
commands:
skip_on_pr_and_fork_builds:
description: Skip a job on pull request and fork builds
steps:
- run:
name: Skip this job if this is a pull request or fork build
# Note: Using `CIRCLE_*` env variables (instead of those defined in `env.sh` so that this
# step can be run before `init_environment`.
command: >
if [[ -n "$CIRCLE_PR_NUMBER" ]] ||
[[ "$CIRCLE_PROJECT_USERNAME" != "angular" ]] ||
[[ "$CIRCLE_PROJECT_REPONAME" != "angular.js" ]]; then
echo "Skipping this job, because this is either a pull request or a fork build."
circleci step halt
fi
skip_unless_stable_branch:
description: Skip a job unless this is the stable branch
steps:
- run:
name: Skip this job unless this is the stable branch
command: >
if [[ "$DIST_TAG" != "latest" ]]; then
echo "Skipping deployment, because this is not the stable branch."
circleci step halt
fi
skip_unless_tag_or_master_or_stable_branch:
description: Skip a job unless this is a tag or the master or stable branch
steps:
- run:
name: Skip this job unless this is a tag or the master or stable branch
command: >
if [[ "$CI_GIT_TAG" == "false" ]] &&
[[ "$CI_BRANCH" != "master" ]] &&
[[ "$DIST_TAG" != "latest" ]]; then
echo "Skipping this job, because this is neither a tag nor the master or stable branch."
circleci step halt
fi
custom_attach_workspace:
description: Attach workspace at a predefined location
steps:
@@ -77,7 +169,6 @@ commands:
echo 'github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==' >> ~/.ssh/known_hosts
git config --global url."ssh://git@github.com".insteadOf "https://github.com" || true
git config --global gc.auto 0 || true
- install_java
init_saucelabs_environment:
description: Sets up a domain that resolves to the local host.
@@ -112,7 +203,6 @@ commands:
name: Stopping Saucelabs tunnel service
command: ./lib/saucelabs/sauce-service.sh stop
run_e2e_tests:
parameters:
specs:
@@ -152,6 +242,7 @@ jobs:
steps:
- checkout
- init_environment
- install_java
- run:
name: Running Yarn install
command: yarn install --frozen-lockfile --non-interactive
@@ -180,6 +271,7 @@ jobs:
steps:
- custom_attach_workspace
- init_environment
- install_java
- init_saucelabs_environment
- run: yarn grunt test:promises-aplus
- run:
@@ -255,6 +347,7 @@ jobs:
executor:
name: default-executor
steps:
- skip_on_pr_and_fork_builds
- custom_attach_workspace
- init_environment
- run: yarn grunt prepareDeploy
@@ -262,26 +355,23 @@ jobs:
- persist_to_workspace:
root: *workspace_location
paths:
- ./ng/deploy
- ./ng
deploy-docs:
executor:
name: default-executor
steps:
- custom_attach_workspace
- init_environment
- run: yarn grunt prepareDeploy
# Install dependencies for Firebase functions to prevent parsing errors during deployment
# See https://github.com/angular/angular.js/pull/16453
- run: yarn -cwd ~/ng/scripts/docs.angularjs.org-firebase/functions
- run: yarn firebase deploy --token "$FIREBASE_TOKEN" --only hosting
deploy-code:
# The `deploy-code-files` job should only run when all of these conditions are true for the build:
# - It is for the `angular/angular.js` repository (not a fork).
# - It is not for a pull request.
# - It is for a tag or the master branch or the stable branch(*).
#
# *: The stable branch is the one that has the value `latest` in `package.json > distTag`.
deploy-code-files:
executor:
name: cloud-sdk
steps:
- skip_on_pr_and_fork_builds
- custom_attach_workspace
- run: ls ~/ng/deploy/code
- init_environment
- skip_unless_tag_or_master_or_stable_branch
- run: ls scripts/code.angularjs.org-firebase/deploy
- run:
name: Authenticate and configure Docker
command: |
@@ -290,48 +380,113 @@ jobs:
- run:
name: Sync files to code.angularjs.org
command: |
gsutil -m rsync -r ~/ng/deploy/code gs://code-angularjs-org-338b8.appspot.com
gsutil -m rsync -r scripts/code.angularjs.org-firebase/deploy gs://code-angularjs-org-338b8.appspot.com
# The `deploy-code-firebase` job should only run when all of these conditions are true for the build:
# - It is for the `angular/angular.js` repository (not a fork).
# - It is not for a pull request.
# - It is for the master branch.
# (This is enforced via job filters, so we don't need to a step to check it here.)
deploy-code-firebase:
executor:
name: default-executor
steps:
- skip_on_pr_and_fork_builds
- custom_attach_workspace
- init_environment
# Install dependencies for Firebase functions to prevent parsing errors during deployment.
# See https://github.com/angular/angular.js/pull/16453.
- run:
name: Install dependencies in `scripts/code.angularjs.org-firebase/functions/`.
working_directory: scripts/code.angularjs.org-firebase/functions
command: yarn install --frozen-lockfile --ignore-engines --non-interactive
- run:
name: Deploy to Firebase from `scripts/code.angularjs.org-firebase/`.
working_directory: scripts/code.angularjs.org-firebase
command: |
# Do not use `yarn firebase` as that causes the Firebase CLI to look for `firebase.json`
# in the root directory, even if run from inside `scripts/code.angularjs.org-firebase/`.
firebase=$(yarn bin)/firebase
$firebase use
$firebase deploy --message "Commit:\ $CI_COMMIT" --non-interactive --token "$FIREBASE_TOKEN"
# The `deploy-docs` job should only run when all of these conditions are true for the build:
# - It is for the `angular/angular.js` repository (not a fork).
# - It is not for a pull request.
# - It is for the stable branch(*).
#
# *: The stable branch is the one that has the value `latest` in `package.json > distTag`.
deploy-docs:
executor:
name: default-executor
steps:
- skip_on_pr_and_fork_builds
- custom_attach_workspace
- init_environment
- skip_unless_stable_branch
# Install dependencies for Firebase functions to prevent parsing errors during deployment.
# See https://github.com/angular/angular.js/pull/16453.
- run:
name: Install dependencies in `scripts/docs.angularjs.org-firebase/functions/`.
working_directory: scripts/docs.angularjs.org-firebase/functions
command: yarn install --frozen-lockfile --ignore-engines --non-interactive
- run:
name: Deploy to Firebase from `scripts/docs.angularjs.org-firebase/`.
working_directory: scripts/docs.angularjs.org-firebase
command: |
# Do not use `yarn firebase` as that causes the Firebase CLI to look for `firebase.json`
# in the root directory, even if run from inside `scripts/docs.angularjs.org-firebase/`.
firebase=$(yarn bin)/firebase
$firebase use
$firebase deploy --message "Commit:\ $CI_COMMIT" --non-interactive --token "$FIREBASE_TOKEN"
workflows:
version: 2
default_workflow:
jobs:
- setup
- setup:
<<: *run-always
- lint:
<<: *run-always
requires:
- setup
- unit-test:
<<: *run-always
requires:
- setup
- unit-test-jquery:
<<: *run-always
requires:
- setup
- e2e-test-1:
<<: *run-always
requires:
- setup
- e2e-test-2a:
<<: *run-always
requires:
- setup
- e2e-test-2b:
<<: *run-always
requires:
- setup
- e2e-test-jquery-1:
<<: *run-always
requires:
- setup
- e2e-test-jquery-2a:
<<: *run-always
requires:
- setup
- e2e-test-jquery-2b:
<<: *run-always
requires:
- setup
- prepare-deployment:
filters:
branches:
only:
- master
- latest
<<: *run-on-tags-and-master-and-version-branches
requires:
- setup
- lint
- unit-test
- unit-test-jquery
- e2e-test-1
@@ -340,19 +495,15 @@ workflows:
- e2e-test-jquery-1
- e2e-test-jquery-2a
- e2e-test-jquery-2b
- deploy-code-files:
<<: *run-on-tags-and-master-and-version-branches
requires:
- prepare-deployment
- deploy-code-firebase:
<<: *run-on-master
requires:
- prepare-deployment
- deploy-docs:
filters:
branches:
only:
- latest
requires:
- prepare-deployment
- deploy-code:
filters:
branches:
only:
- master
- latest
<<: *run-on-version-branches
requires:
- prepare-deployment
+5 -4
View File
@@ -19,10 +19,9 @@ setPublicVar PROJECT_ROOT "$projectDir";
setPublicVar CI_BRANCH "$CIRCLE_BRANCH";
setPublicVar CI_BUILD_URL "$CIRCLE_BUILD_URL";
setPublicVar CI_COMMIT "$CIRCLE_SHA1";
# `CI_COMMIT_RANGE` is only used on push builds (a.k.a. non-PR, non-scheduled builds and rerun
# workflows of such builds).
setPublicVar CI_GIT_BASE_REVISION "${CIRCLE_GIT_BASE_REVISION}";
setPublicVar CI_GIT_REVISION "${CIRCLE_GIT_REVISION}";
setPublicVar CI_GIT_TAG "${CIRCLE_TAG:-false}";
setPublicVar CI_COMMIT_RANGE "$CIRCLE_GIT_BASE_REVISION..$CIRCLE_GIT_REVISION";
setPublicVar CI_PULL_REQUEST "${CIRCLE_PR_NUMBER:-false}";
setPublicVar CI_REPO_NAME "$CIRCLE_PROJECT_REPONAME";
@@ -57,12 +56,14 @@ setPublicVar SAUCE_READY_FILE_TIMEOUT 120
####################################################################################################
# Define additional environment variables
####################################################################################################
setPublicVar DIST_TAG $( jq ".distTag" "package.json" | tr -d "\"[:space:]" )
# NOTE: Make sure the tools used to compute this are available in all executors in `config.yml`.
setPublicVar DIST_TAG $( cat package.json | grep distTag | sed -E 's/^\s*"distTag"\s*:\s*"([^"]+)"\s*,\s*$/\1/' )
####################################################################################################
####################################################################################################
## Source `$BASH_ENV` to make the variables available immediately. ##
## ***NOTE: This must remain the the last action in this script*** ##
## *** NOTE: This must remain the last command in this script. *** ##
####################################################################################################
####################################################################################################
source $BASH_ENV;
+1 -1
View File
@@ -15,7 +15,7 @@
// Stylistic issues
"block-spacing": ["error", "always"],
"comma-spacing": "error",
"id-blacklist": ["error", "event"],
"id-denylist": ["error", "event"],
"indent": ["error", 2],
"key-spacing": ["error", { "beforeColon": false, "afterColon": true, "mode": "minimum" }],
"object-curly-spacing": ["error", "never"],
+2 -2
View File
@@ -1,5 +1,4 @@
/build/
/deploy/
/benchpress-build/
.DS_Store
gen_docs.disable
@@ -23,5 +22,6 @@ npm-debug.log
.vscode
*.log
*.stackdump
scripts/code.angularjs.org-firebase/deploy
scripts/docs.angularjs.org-firebase/deploy
scripts/docs.angularjs.org-firebase/functions/content
/firebase.json
+1 -1
View File
@@ -1 +1 @@
12
14.16.1
+45
View File
@@ -1,7 +1,52 @@
<a name="1.8.2"></a>
# 1.8.2 meteoric-mining (2020-10-21)
## Bug Fixes
- **$sceDelegate:** ensure that `resourceUrlWhitelist()` is identical to `trustedResourceUrlList()`
([e41f01](https://github.com/angular/angular.js/commit/e41f018959934bfbf982ba996cd654b1fce88d43),
[#17090](https://github.com/angular/angular.js/issues/17090))
<a name="1.8.1"></a>
# 1.8.1 mutually-supporting (2020-09-30)
## Bug Fixes
- **$sanitize:** do not trigger CSP alert/report in Firefox and Chrome
([2fab3d](https://github.com/angular/angular.js/commit/2fab3d4e00f4fe35bfa3cf255160cb97404baf24))
## Refactorings
- **SanitizeUriProvider:** remove usages of whitelist
([76738102](https://github.com/angular/angular.js/commit/767381020d88bda2855ac87ca6f00748907e14ff))
- **httpProvider:** remove usages of whitelist and blacklist
([c953af6b](https://github.com/angular/angular.js/commit/c953af6b8cfeefe4acc0ca358550eed5da8cfe00))
- **sceDelegateProvider:** remove usages of whitelist and blacklist
([a206e267](https://github.com/angular/angular.js/commit/a206e2675c351c3cdcde3402978126774c1c5df9))
## Deprecation Notices
- Deprecated ~~`$compileProvider.aHrefSanitizationWhitelist`~~.
It is now [`aHrefSanitizationTrustedUrlList`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationTrustedUrlList).
- Deprecated ~~`$compileProvider.imgSrcSanitizationWhitelist`~~.
It is now [`imgSrcSanitizationTrustedUrlList`](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationTrustedUrlList).
- Deprecated ~~`$httpProvider.xsrfWhitelistedOrigins`~~.
It is now [`xsrfTrustedOrigins`](https://docs.angularjs.org/api/ng/provider/$httpProvider#xsrfTrustedOrigins).
- Deprecated ~~`$sceDelegateProvider.resourceUrlWhitelist`~~.
It is now [`trustedResourceUrlList`](https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#trustedResourceUrlList).
- Deprecated ~~`$sceDelegateProvider.resourceUrlBlacklist`~~.
It is now [`bannedResourceUrlList`](https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#bannedResourceUrlList).
For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.
<a name="1.8.0"></a>
# 1.8.0 nested-vaccination (2020-06-01)
_This release contains a breaking change to resolve a security issue which was discovered by
Krzysztof Kotowicz(@koto); and independently by Esben Sparre Andreasen (@esbena) while
performing a Variant Analysis of [CVE-2020-11022](https://github.com/advisories/GHSA-gxr4-xjj5-5px2)
which itself was found and reported by Masato Kinugawa (@masatokinugawa)._
## Bug Fixes
- **jqLite:**
- prevent possible XSS due to regex-based HTML replacement
+9 -9
View File
@@ -14,6 +14,7 @@ var semver = require('semver');
var exec = require('shelljs').exec;
var pkg = require(__dirname + '/package.json');
var codeScriptFolder = util.codeScriptFolder;
var docsScriptFolder = util.docsScriptFolder;
// Node.js version checks
@@ -166,9 +167,9 @@ module.exports = function(grunt) {
build: ['build'],
tmp: ['tmp'],
deploy: [
'deploy/docs',
'deploy/code',
docsScriptFolder + '/functions/html'
codeScriptFolder + '/deploy',
docsScriptFolder + '/deploy',
docsScriptFolder + '/functions/content'
]
},
@@ -372,7 +373,7 @@ module.exports = function(grunt) {
{
cwd: 'build',
src: '**',
dest: 'deploy/code/' + deployVersion + '/',
dest: codeScriptFolder + '/deploy/' + deployVersion + '/',
expand: true
}
]
@@ -382,19 +383,19 @@ module.exports = function(grunt) {
// The source files are needed by the embedded examples in the docs app.
{
src: ['build/angular*.{js,js.map,min.js}', 'build/sitemap.xml'],
dest: 'deploy/docs/',
dest: docsScriptFolder + '/deploy/',
expand: true,
flatten: true
},
{
cwd: 'build/docs',
src: ['**', '!ptore2e/**', '!index*.html'],
dest: 'deploy/docs/',
dest: docsScriptFolder + '/deploy/',
expand: true
},
{
src: 'build/docs/index-production.html',
dest: 'deploy/docs/index.html'
dest: docsScriptFolder + '/deploy/index.html'
},
{
src: 'build/docs/index-production.html',
@@ -403,7 +404,7 @@ module.exports = function(grunt) {
{
cwd: 'build/docs',
src: 'partials/**',
dest: docsScriptFolder + '/functions/content',
dest: docsScriptFolder + '/functions/content/',
expand: true
}
]
@@ -517,7 +518,6 @@ module.exports = function(grunt) {
]);
grunt.registerTask('prepareDeploy', [
'copy:deployFirebaseCode',
'firebaseDocsJsonForCI',
'copy:deployFirebaseDocs'
]);
grunt.registerTask('default', ['package']);
+1 -1
View File
@@ -1,6 +1,6 @@
The MIT License
Copyright (c) 2010-2020 Google, Inc. http://angularjs.org
Copyright (c) 2010-2020 Google LLC. http://angularjs.org
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
+6 -5
View File
@@ -55,11 +55,12 @@ component in an interconnected way like a well-oiled machine. AngularJS is JavaS
and done right. (Well it is not really MVC, read on, to understand what this means.)
#### MVC, no, MV* done the right way!
MVC, short for Model-View-Controller, is a design pattern, i.e. how the code should be organized and
how the different parts of an application separated for proper readability and debugging. Model is
the data and the database. View is the user interface and what the user sees. Controller is the main
link between Model and View. These are the three pillars of major programming frameworks present on
the market today. On the other hand AngularJS works on MV*, short for Model-View-_Whatever_. The
[MVC](https://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller), short for
Model-View-Controller, is a design pattern, i.e. how the code should be organized and how the
different parts of an application separated for proper readability and debugging. Model is the data
and the database. View is the user interface and what the user sees. Controller is the main link
between Model and View. These are the three pillars of major programming frameworks present on the
market today. On the other hand AngularJS works on MV*, short for Model-View-_Whatever_. The
_Whatever_ is AngularJS's way of telling that you may create any kind of linking between the Model
and the View here.
+20
View File
@@ -0,0 +1,20 @@
# Security Policy
## Supported Versions
| Version | Supported | Status | Comments |
| ----------- | ------------------ | --------------------- | ------------------------------------ |
| 1.8.x | :white_check_mark: | Long Term Support | See [Long Term Support policy][0] |
| 1.3.x-1.7.x | :x: | | |
| 1.2.x | :warning: | Security patches only | Last version to provide IE 8 support |
| <1.2.0 | :x: | | |
## Reporting a Vulnerability
Email us at [security@angularjs.org](mailto:security@angularjs.org) to report any potential security issues in AngularJS.
Please [use the latest AngularJS possible](https://docs.angularjs.org/guide/security#use-the-latest-angularjs-possible)
and keep in mind the guidance around AngularJS'
[expression language](https://docs.angularjs.org/guide/security#angularjs-templates-and-expressions).
[0]: https://docs.angularjs.org/misc/version-support-status#long-term-support
+2 -2
View File
@@ -55,7 +55,7 @@ angular.module('examples', [])
return function(url, newWindow, fields) {
/**
* If the form posts to target="_blank", pop-up blockers can cause it not to work.
* If a user choses to bypass pop-up blocker one time and click the link, they will arrive at
* If a user chooses to bypass pop-up blocker one time and click the link, they will arrive at
* a new default plnkr, not a plnkr with the desired template. Given this undesired behavior,
* some may still want to open the plnk in a new window by opting-in via ctrl+click. The
* newWindow param allows for this possibility.
@@ -74,7 +74,7 @@ angular.module('examples', [])
}])
.factory('createCopyrightNotice', function() {
var COPYRIGHT = 'Copyright ' + (new Date()).getFullYear() + ' Google Inc. All Rights Reserved.\n'
var COPYRIGHT = 'Copyright ' + (new Date()).getFullYear() + ' Google LLC. All Rights Reserved.\n'
+ 'Use of this source code is governed by an MIT-style license that\n'
+ 'can be found in the LICENSE file at http://angular.io/license';
var COPYRIGHT_JS_CSS = '\n\n/*\n' + COPYRIGHT + '\n*/';
+4 -4
View File
@@ -47,13 +47,13 @@ module.exports = function generateKeywordsProcessor(log, readFilesProcessor) {
}
areasToSearch = _.indexBy(this.areasToSearch);
propertiesToIgnore = _.indexBy(this.propertiesToIgnore);
areasToSearch = _.keyBy(this.areasToSearch);
propertiesToIgnore = _.keyBy(this.propertiesToIgnore);
log.debug('Properties to ignore', propertiesToIgnore);
docTypesToIgnore = _.indexBy(this.docTypesToIgnore);
docTypesToIgnore = _.keyBy(this.docTypesToIgnore);
log.debug('Doc types to ignore', docTypesToIgnore);
var ignoreWordsMap = _.indexBy(wordsToIgnore);
var ignoreWordsMap = _.keyBy(wordsToIgnore);
// If the title contains a name starting with ng, e.g. "ngController", then add the module name
// without the ng to the title text, e.g. "controller".
+1 -1
View File
@@ -224,7 +224,7 @@ module.exports = function generatePagesDataProcessor(log) {
.map(function(doc) {
return _.pick(doc, ['name', 'area', 'path']);
})
.indexBy('path')
.keyBy('path')
.value();
docs.push({
+4 -4
View File
@@ -13,11 +13,11 @@ module.exports = function generateVersionDocProcessor(gitData) {
return {
$runAfter: ['generatePagesDataProcessor'],
$runBefore: ['rendering-docs'],
// the blacklist is to remove rogue builds that are in the npm repository but not on code.angularjs.org
blacklist: ['1.3.4-build.3588'],
// Remove rogue builds that are in the npm repository but not on code.angularjs.org
ignoredBuilds: ['1.3.4-build.3588'],
$process: function(docs) {
var blacklist = this.blacklist;
var ignoredBuilds = this.ignoredBuilds;
var currentVersion = require('../../../build/version.json');
var output = exec('yarn info angular versions --json', { silent: true }).stdout.split('\n')[0];
var allVersions = processAllVersionsResponse(JSON.parse(output).data);
@@ -57,7 +57,7 @@ module.exports = function generateVersionDocProcessor(gitData) {
versions = versions
.filter(function(versionStr) {
return blacklist.indexOf(versionStr) === -1;
return ignoredBuilds.indexOf(versionStr) === -1;
})
.map(function(versionStr) {
return semver.parse(versionStr);
+1 -1
View File
@@ -5,7 +5,7 @@
Occurs when an expression is trying to assign a value to a non-assignable expression.
This can happen if the left side of an assigment is not a valid reference to a variable
This can happen if the left side of an assignment is not a valid reference to a variable
or property. E.g. In the following snippet `1+2` is not assignable.
```
+3 -3
View File
@@ -3,7 +3,7 @@
@fullName Invalid matcher (only string patterns and RegExp instances are supported)
@description
Please see {@link $sceDelegateProvider#resourceUrlWhitelist
$sceDelegateProvider.resourceUrlWhitelist} and {@link
$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist} for the
Please see {@link $sceDelegateProvider#trustedResourceUrlList
$sceDelegateProvider.trustedResourceUrlList} and {@link
$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList} for the
list of acceptable items.
+2 -2
View File
@@ -15,8 +15,8 @@ By default, only URLs that belong to the same origin are trusted. These are urls
The {@link ng.directive:ngInclude ngInclude} directive and {@link guide/directive directives} that specify a `templateUrl` require a trusted resource URL.
To load templates from other domains and/or protocols, either adjust the {@link
ng.$sceDelegateProvider#resourceUrlWhitelist whitelist}/ {@link
ng.$sceDelegateProvider#resourceUrlBlacklist blacklist} or wrap the URL with a call to {@link
ng.$sceDelegateProvider#trustedResourceUrlList trusted resource URL list}/ {@link
ng.$sceDelegateProvider#bannedResourceUrlList banned resource URL list} or wrap the URL with a call to {@link
ng.$sce#trustAsResourceUrl $sce.trustAsResourceUrl}.
**Note**: The browser's [Same Origin
+3 -3
View File
@@ -3,7 +3,7 @@
@fullName The sequence *** is not a valid pattern wildcard
@description
The strings in {@link $sceDelegateProvider#resourceUrlWhitelist
$sceDelegateProvider.resourceUrlWhitelist} and {@link
$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist} may not
The strings in {@link $sceDelegateProvider#trustedResourceUrlList
$sceDelegateProvider.trustedResourceUrlList} and {@link
$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList} may not
contain the undefined sequence `***`. Only `*` and `**` wildcard patterns are defined.
+3 -2
View File
@@ -327,7 +327,7 @@ The default CSS for `ngHide`, the inverse method to `ngShow`, makes ngAria redun
<h2><span id="ngclick">ngClick</span> and <span id="ngdblclick">ngDblclick</span></h2>
If `ng-click` or `ng-dblclick` is encountered, ngAria will add `tabindex="0"` to any element not in
a node blacklist:
the list of built in aria nodes:
* Button
* Anchor
@@ -337,7 +337,8 @@ a node blacklist:
* Details/Summary
To fix widespread accessibility problems with `ng-click` on `div` elements, ngAria will
dynamically bind a keypress event by default as long as the element isn't in the node blacklist.
dynamically bind a keypress event by default as long as the element isn't in a node from the list of
built in aria nodes.
You can turn this functionality on or off with the `bindKeypress` configuration option.
ngAria will also add the `button` role to communicate to users of assistive technologies. This can
+16 -14
View File
@@ -276,15 +276,16 @@ statement.
**Due to [6ccbfa](https://github.com/angular/angular.js/commit/6ccbfa65d60a3dc396d0cf6da21b993ad74653fd)**,
the `xlink:href` security context for SVG's `a` and `image` elements has been lowered.
In the unlikely case that an app relied on `RESOURCE_URL` whitelisting for the
In the unlikely case that an app relied on `RESOURCE_URL` trusted list for the
purpose of binding to the `xlink:href` property of SVG's `<a>` or `<image>`
elements and if the values do not pass the regular URL sanitization, they will
break.
To fix this you need to ensure that the values used for binding to the affected
`xlink:href` contexts are considered safe URLs, e.g. by whitelisting them in
`$compileProvider`'s `aHrefSanitizationWhitelist` (for `<a>` elements) or
`imgSrcSanitizationWhitelist` (for `<image>` elements).
`xlink:href` contexts are considered safe URLs, e.g. by trusting them in
`$compileProvider`'s `aHrefSanitizationWhitelist` (called `aHrefSanitizationTrustedUrlList` form
1.8.1 onwards) (for `<a>` elements) or `imgSrcSanitizationWhitelist` (called
`imgSrcSanitizationTrustedUrlList` from 1.8.1 onwards) (for `<image>` elements).
<hr />
@@ -1309,7 +1310,7 @@ running at `https://docs.angularjs.org` then the following will fail:
By default, only URLs with the same domain and protocol as the application document are considered
safe in the `RESOURCE_URL` context. To use URLs from other domains and/or protocols, you may either
whitelist them or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
add them to the trusted source URL list or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
<hr />
<minor />
@@ -1387,7 +1388,7 @@ $http.json('other/trusted/url', {jsonpCallbackParam: 'cb'});
all JSONP requests now require the URL to be trusted as a resource URL. There are two approaches to
trust a URL:
1. **Whitelisting with the `$sceDelegateProvider.resourceUrlWhitelist()` method.**
1. **Setting trusted resource URLs with the `$sceDelegateProvider.resourceUrlWhitelist()` (called `trustedResourceUrlList()` from 1.8.1 onwards) method.**
You configure this list in a module configuration block:
```js
@@ -2207,7 +2208,7 @@ service does not have access to the resource in order to sanitize it.
Similarly, due to [234053fc](https://github.com/angular/angular.js/commit/234053fc9ad90e0d05be7e8359c6af66be94c094),
the `$sanitize` service will now also remove instances of the `usemap` attribute from any elements
passed to it. This attribute is used to reference another element by `name` or `id`. Since the
`name` and `id` attributes are already blacklisted, a sanitized `usemap` attribute could only
`name` and `id` attributes are already banned, a sanitized `usemap` attribute could only
reference unsanitized content, which is a security risk.
Due to [98c2db7f](https://github.com/angular/angular.js/commit/98c2db7f9c2d078a408576e722407d518c7ee10a),
@@ -2647,8 +2648,8 @@ $scope.findTemplate = function(templateName) {
};
```
To migrate, either cache the result of `trustAsResourceUrl()`, or put the template url in the resource
whitelist in the `config()` function:
To migrate, either cache the result of `trustAsResourceUrl()`, or put the template url in the trusted resource
URL list in the `config()` function:
After:
@@ -2662,7 +2663,8 @@ $scope.findTemplate = function(templateName) {
return templateCache[templateName];
};
// Alternatively, use `$sceDelegateProvider.resourceUrlWhitelist()`, which means you don't
// Alternatively, use `$sceDelegateProvider.resourceUrlWhitelist()` (called
// `trustedResourceUrlList()` from 1.8.1 onwards), which means you don't
// have to use `$sce.trustAsResourceUrl()` at all:
angular.module('myApp', []).config(function($sceDelegateProvider) {
@@ -3353,7 +3355,7 @@ below should still apply, but you may want to consult the
<li>{@link guide/migration#directive-priority Directive priority}</li>
<li>{@link guide/migration#ngscenario ngScenario}</li>
<li>{@link guide/migration#nginclude-and-ngview-replace-its-entire-element-on-update ngInclude and ngView replace its entire element on update}</li>
<li>{@link guide/migration#urls-are-now-sanitized-against-a-whitelist URLs are now sanitized against a whitelist}</li>
<li>{@link guide/migration#urls-are-now-sanitized-against-a-trusted-uri-matcher URLs are now sanitized against a trusted URI matcher}</li>
<li>{@link guide/migration#isolate-scope-only-exposed-to-directives-with-scope-property Isolate scope only exposed to directives with <code>scope</code> property}</li>
<li>{@link guide/migration#change-to-interpolation-priority Change to interpolation priority}</li>
<li>{@link guide/migration#underscore-prefixed-suffixed-properties-are-non-bindable Underscore-prefixed/suffixed properties are non-bindable}</li>
@@ -3843,10 +3845,10 @@ See [7d69d52a](https://github.com/angular/angular.js/commit/7d69d52acff8578e0f7d
[aa2133ad](https://github.com/angular/angular.js/commit/aa2133ad818d2e5c27cbd3933061797096356c8a).
### URLs are now sanitized against a whitelist
### URLs are now sanitized against a trusted URI matcher
A whitelist configured via `$compileProvider` can be used to configure what URLs are considered safe.
By default all common protocol prefixes are whitelisted including `data:` URIs with mime types `image/*`.
A trusted URI matcher configured via `$compileProvider` can be used to configure what URLs are considered safe.
By default all common protocol prefixes are trusted including `data:` URIs with mime types `image/*`.
This change shouldn't impact apps that don't contain malicious image links.
See [1adf29af](https://github.com/angular/angular.js/commit/1adf29af13890d61286840177607edd552a9df97),
+15 -1
View File
@@ -7,7 +7,11 @@
This page describes the support status of the significant versions of AngularJS.
<div class="alert alert-info">
On July 1, 2018 AngularJS entered a 3 year Long Term Support period.
On July 1, 2018 AngularJS entered a 3 year Long Term Support period.<br />
<br />
_**UPDATE (2020-07-27):**_<br />
_Due to COVID-19 affecting teams migrating from AngularJS, we are extending the LTS by six months
(until December 31, 2021)._
</div>
Any version branch not shown in the following table (e.g. 1.7.x) is no longer being developed.
@@ -42,6 +46,16 @@ We now focus exclusively on providing fixes to bugs that satisfy at least one of
AngularJS 1.2.x will get a new version if and only if a new severe security issue is discovered.
### Blog Post
You can read more about these plans in our [blog post announcement](https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c).
### Extended Long Term Support
If you need support for AngularJS beyond December 2021, you should consider:
* [XLTS.dev](https://xlts.dev/angularjs)
+5 -16
View File
@@ -7,10 +7,12 @@ var spawn = require('npm-run').spawn;
var CSP_CSS_HEADER = '/* Include this file in your html if you are using the CSP mode. */\n\n';
const docsScriptFolder = 'scripts/docs.angularjs.org-firebase';
module.exports = {
codeScriptFolder: 'scripts/code.angularjs.org-firebase',
docsScriptFolder: 'scripts/docs.angularjs.org-firebase',
startKarma: function(config, singleRun, done) {
var browsers = grunt.option('browsers');
var reporters = grunt.option('reporters');
@@ -301,19 +303,6 @@ module.exports = {
}
next();
};
},
docsScriptFolder,
// Our Firebase projects are in subfolders, but the firebase tool expects them in the root,
// so we need to modify the upload folder path and copy the file into the root
firebaseDocsJsonForCI: function() {
var fileName = docsScriptFolder + '/firebase.json';
var json = grunt.file.readJSON(fileName);
(json.hosting || (json.hosting = {})).public = 'deploy/docs';
(json.functions || (json.functions = {})).source = docsScriptFolder + '/functions';
grunt.file.write('firebase.json', JSON.stringify(json));
}
};
+8 -8
View File
@@ -1,7 +1,7 @@
{
"name": "angular",
"license": "MIT",
"branchVersion": "^1.7.0",
"branchVersion": "^1.8.0",
"branchPattern": "1.8.*",
"distTag": "next",
"repository": {
@@ -27,7 +27,7 @@
"changez": "^2.1.1",
"changez-angular": "^2.1.2",
"cheerio": "^0.17.0",
"commitizen": "^2.3.0",
"commitizen": "^4.2.4",
"commitplease": "^2.7.10",
"cross-spawn": "^4.0.0",
"cz-conventional-changelog": "1.1.4",
@@ -35,10 +35,10 @@
"dgeni-packages": "^0.26.5",
"eslint-plugin-promise": "^3.6.0",
"event-stream": "~3.1.0",
"firebase-tools": "^8.3.0",
"firebase-tools": "^9.3.0",
"glob": "^6.0.1",
"google-code-prettify": "1.0.1",
"grunt": "^1.0.1",
"grunt": "^1.4.1",
"grunt-bump": "^0.8.0",
"grunt-cli": "^1.2.0",
"grunt-contrib-clean": "^1.0.0",
@@ -55,7 +55,7 @@
"gulp-foreach": "0.0.1",
"gulp-rename": "^1.2.0",
"gulp-sourcemaps": "^1.2.2",
"gulp-uglify": "^1.0.1",
"gulp-uglify": "^3.0.2",
"gulp-util": "^3.0.1",
"jasmine-core": "^2.8.0",
"jasmine-node": "^2.0.0",
@@ -76,7 +76,7 @@
"karma-script-launcher": "1.0.0",
"karma-spec-reporter": "0.0.32",
"load-grunt-tasks": "^3.5.0",
"lodash": "~2.4.1",
"lodash": "~4.17.21",
"log4js": "^0.6.27",
"lunr": "^0.7.2",
"marked": "~0.3.0",
@@ -89,7 +89,7 @@
"q-io": "^1.10.9",
"qq": "^0.3.5",
"rewire": "~2.1.0",
"sauce-connect": "https://saucelabs.com/downloads/sc-4.5.1-linux.tar.gz",
"sauce-connect": "https://saucelabs.com/downloads/sc-4.6.2-linux.tar.gz",
"sax": "^1.1.1",
"selenium-webdriver": "^4.0.0-alpha.1",
"semver": "^5.4.1",
@@ -105,7 +105,7 @@
"//1": "`natives@1.1.0` does not work with Node.js 10.x on Windows 10",
"//2": "(E.g. see https://github.com/gulpjs/gulp/issues/2162 and https://github.com/nodejs/node/issues/25132.)",
"natives": "1.1.6",
"//3": "`graceful-fs` needs to be pinned to support gulp 3, on Node v12+",
"//3": "`graceful-fs` needs to be pinned to support gulp 3, on Node v12+",
"graceful-fs": "^4.2.3"
},
"commitplease": {
+4 -4
View File
@@ -10,13 +10,13 @@ config.sauceKey = process.env.SAUCE_ACCESS_KEY;
config.multiCapabilities = [
capabilitiesForSauceLabs({
browserName: 'chrome',
platform: 'OS X 10.14',
version: '81'
platform: 'OS X 10.15',
version: '91'
}),
capabilitiesForSauceLabs({
browserName: 'firefox',
platform: 'OS X 10.14',
version: '76'
platform: 'OS X 10.15',
version: '85'
})
];
@@ -2,7 +2,6 @@
const functions = require('firebase-functions');
const {Storage} = require('@google-cloud/storage');
const path = require('path');
const storage = new Storage();
const gcsBucketId = `${process.env.GCLOUD_PROJECT}.appspot.com`;
@@ -41,13 +40,13 @@ function sendStoredFile(request, response) {
return getDirectoryListing('/').catch(sendErrorResponse);
}
downloadSource = path.join.apply(null, filePathSegments);
downloadSource = filePathSegments.join('/');
downloadAndSend(downloadSource).catch(error => {
if (isDocsPath && error.code === 404) {
fileName = 'index.html';
filePathSegments = [version, 'docs', fileName];
downloadSource = path.join.apply(null, filePathSegments);
downloadSource = filePathSegments.join('/');
return downloadAndSend(downloadSource);
}
File diff suppressed because it is too large Load Diff
@@ -2,12 +2,12 @@
"name": "functions-firebase-code.angularjs.org",
"description": "Cloud Functions to serve files from gcs to code.angularjs.org",
"engines": {
"node": "10"
"node": "14"
},
"dependencies": {
"@google-cloud/storage": "^4.7.0",
"firebase-admin": "^8.10.0",
"firebase-functions": "^3.6.0"
"@google-cloud/storage": "^5.8.5",
"firebase-admin": "^9.9.0",
"firebase-functions": "^3.14.1"
},
"private": true
}
File diff suppressed because it is too large Load Diff
@@ -1,15 +1,15 @@
Firebase for code.angularjs.org
===============================
This folder contains the Google Firebase scripts for the code.angularjs.org setup.
This folder contains the Google Firebase scripts for the `code.angularjs.org` setup.
firebase.json contains the rewrite rules that route every subdirectory request to the cloud function
in functions/index.js that serves the docs from the Firebase Google Cloud Storage bucket.
`firebase.json` contains the rewrite rules that route every subdirectory request to the cloud function in `functions/index.js` that serves the docs from the Firebase Google Cloud Storage bucket.
functions/index.js also contains a rule that deletes outdated build zip files
from the snapshot and snapshot-stable folders when new zip files are uploaded.
`functions/index.js` also contains a rule that deletes outdated build zip files from the snapshot and snapshot-stable folders when new zip files are uploaded.
The deployment to the Google Cloud Storage bucket happens automatically via CI.
See the .circleci/config.yml file in the repository root.
See `/scripts/docs.angularjs.org-firebase/readme.firebase.code.md` for the Firebase deployment to `docs.angularjs.org`.
See /readme.firebase.docs.md for the firebase deployment to docs.angularjs.org
# Continuous integration
The code is deployed to Google Firebase hosting and functions as well as to the Google Cloud Storage bucket automatically via CI.
See `.circleci/config.yml` for the complete deployment config and build steps.
@@ -1,6 +1,6 @@
{
"hosting": {
"public": "../../deploy/docs",
"public": "deploy",
"redirects": [
{
"source": "/error/:namespace\\::error*",
@@ -1,21 +1,24 @@
{
"name": "functions",
"description": "Cloud Functions for Firebase",
"engines": {
"node": "14"
},
"scripts": {
"lint": "eslint .",
"serve": "firebase serve --only functions",
"shell": "firebase experimental:functions:shell",
"serve": "firebase emulators:start --only functions",
"shell": "firebase functions:shell",
"start": "npm run shell",
"deploy": "firebase deploy --only functions",
"logs": "firebase functions:log"
},
"dependencies": {
"firebase-admin": "^8.10.0",
"firebase-functions": "^3.6.0"
"firebase-admin": "^9.9.0",
"firebase-functions": "^3.14.1"
},
"devDependencies": {
"eslint": "^4.12.0",
"eslint-plugin-promise": "^3.6.0"
"eslint": "^7.28.0",
"eslint-plugin-promise": "^5.1.0"
},
"private": true
}
File diff suppressed because it is too large Load Diff
@@ -1,28 +1,26 @@
Firebase for docs.angularjs.org
===============================
This folder contains the Google Firebase scripts for the `docs.angularjs.org` setup.
See `/scripts/code.angularjs.org-firebase/readme.firebase.code.md` for the Firebase deployment to `code.angularjs.org`.
# Continuous integration
The docs are deployed to Google Firebase hosting via a CI deployment config, which expects
firebase.json to be in the repository root, which is done by a Grunt task
(`firebaseDocsJsonForCI` which is included in `prepareDeploy`).
The `firebaseDocsJsonForCI` task modifies the paths in the `firebase.json` and copies it to the
repository root.
The docs are deployed to Google Firebase hosting and functions automatically via CI.
See .circleci/config.yml for the complete deployment config and build steps.
See `.circleci/config.yml` for the complete deployment config and build steps.
# Serving locally:
- Run `cd scripts/docs.angularjs.org-firebase`.
This changes the current working directory.
- Run `yarn grunt package`.
This builds the files that will be deployed.
- Run `yarn grunt prepareDeploy`.
This copies docs content files into deploy/docs and the partials for Search Engine AJAX
Crawling into ./functions/content.
It also moves the firebase.json file to the root folder, where the firebase-cli expects it
This copies docs content files into `./deploy` and the partials for Search Engine AJAX Crawling into `./functions/content`.
- Run `firebase serve --only functions,hosting`
Creates a server at localhost:5000 that serves from deploy/docs and uses the local function
See /scripts/code.angularjs.org-firebase/readme.firebase.code.md for the firebase deployment to
code.angularjs.org
- Run `$(yarn bin)/firebase emulators:start` (or `..\..\node_modules\.bin\firebase emulators:start` on Windows).
Creates a server at http://localhost:5000 that serves from `./deploy` and uses the local function.
+1 -1
View File
@@ -1532,7 +1532,7 @@ function allowAutoBootstrap(document) {
link.href = src.value;
if (document.location.origin === link.origin) {
// Same-origin resources are always allowed, even for non-whitelisted schemes.
// Same-origin resources are always allowed, even for banned URL schemes.
return true;
}
// Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
+1 -1
View File
@@ -1,6 +1,6 @@
/**
* @license AngularJS v"NG_VERSION_FULL"
* (c) 2010-2020 Google, Inc. http://angularjs.org
* (c) 2010-2020 Google LLC. http://angularjs.org
* License: MIT
*/
(function(window) {
+1 -1
View File
@@ -1,6 +1,6 @@
/**
* @license AngularJS v"NG_VERSION_FULL"
* (c) 2010-2020 Google, Inc. http://angularjs.org
* (c) 2010-2020 Google LLC. http://angularjs.org
* License: MIT
*/
'use strict';
+1 -1
View File
@@ -1,6 +1,6 @@
/**
* @license AngularJS v"NG_VERSION_FULL"
* (c) 2010-2020 Google, Inc. http://angularjs.org
* (c) 2010-2020 Google LLC. http://angularjs.org
* License: MIT
*/
(function(window, angular) {
+72 -30
View File
@@ -1106,8 +1106,8 @@
*
* Based on the context, other options may exist to mark a value as trusted / configure the behavior
* of {@link ng.$sce}. For example, to restrict the `RESOURCE_URL` context to specific origins, use
* the {@link $sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist()}
* and {@link $sceDelegateProvider#resourceUrlBlacklist resourceUrlBlacklist()}.
* the {@link $sceDelegateProvider#trustedResourceUrlList trustedResourceUrlList()}
* and {@link $sceDelegateProvider#bannedResourceUrlList bannedResourceUrlList()}.
*
* {@link ng.$sce#what-trusted-context-types-are-supported- Find out more about the different context types}.
*
@@ -1116,7 +1116,7 @@
* By default, `$sce` will throw an error if it detects untrusted HTML content, and will not bind the
* content.
* However, if you include the {@link ngSanitize ngSanitize module}, it will try to sanitize the
* potentially dangerous HTML, e.g. strip non-whitelisted tags and attributes when binding to
* potentially dangerous HTML, e.g. strip non-trusted tags and attributes when binding to
* `innerHTML`.
*
* @example
@@ -1698,30 +1698,81 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
/**
* @ngdoc method
* @name $compileProvider#aHrefSanitizationWhitelist
* @name $compileProvider#aHrefSanitizationTrustedUrlList
* @kind function
*
* @description
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
* Retrieves or overrides the default regular expression that is used for determining trusted safe
* urls during a[href] sanitization.
*
* The sanitization is a security measure aimed at preventing XSS attacks via html links.
*
* Any url about to be assigned to a[href] via data-binding is first normalized and turned into
* an absolute url. Afterwards, the url is matched against the `aHrefSanitizationWhitelist`
* an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUrlList`
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
*
* @param {RegExp=} regexp New regexp to whitelist urls with.
* @param {RegExp=} regexp New regexp to trust urls with.
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
* chaining otherwise.
*/
this.aHrefSanitizationWhitelist = function(regexp) {
this.aHrefSanitizationTrustedUrlList = function(regexp) {
if (isDefined(regexp)) {
$$sanitizeUriProvider.aHrefSanitizationWhitelist(regexp);
$$sanitizeUriProvider.aHrefSanitizationTrustedUrlList(regexp);
return this;
} else {
return $$sanitizeUriProvider.aHrefSanitizationWhitelist();
return $$sanitizeUriProvider.aHrefSanitizationTrustedUrlList();
}
};
/**
* @ngdoc method
* @name $compileProvider#aHrefSanitizationWhitelist
* @kind function
*
* @deprecated
* sinceVersion="1.8.1"
*
* This method is deprecated. Use {@link $compileProvider#aHrefSanitizationTrustedUrlList
* aHrefSanitizationTrustedUrlList} instead.
*/
Object.defineProperty(this, 'aHrefSanitizationWhitelist', {
get: function() {
return this.aHrefSanitizationTrustedUrlList;
},
set: function(value) {
this.aHrefSanitizationTrustedUrlList = value;
}
});
/**
* @ngdoc method
* @name $compileProvider#imgSrcSanitizationTrustedUrlList
* @kind function
*
* @description
* Retrieves or overrides the default regular expression that is used for determining trusted safe
* urls during img[src] sanitization.
*
* The sanitization is a security measure aimed at prevent XSS attacks via html links.
*
* Any url about to be assigned to img[src] via data-binding is first normalized and turned into
* an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUrlList`
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
*
* @param {RegExp=} regexp New regexp to trust urls with.
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
* chaining otherwise.
*/
this.imgSrcSanitizationTrustedUrlList = function(regexp) {
if (isDefined(regexp)) {
$$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(regexp);
return this;
} else {
return $$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList();
}
};
@@ -1731,29 +1782,20 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
* @name $compileProvider#imgSrcSanitizationWhitelist
* @kind function
*
* @description
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
* urls during img[src] sanitization.
* @deprecated
* sinceVersion="1.8.1"
*
* The sanitization is a security measure aimed at prevent XSS attacks via html links.
*
* Any url about to be assigned to img[src] via data-binding is first normalized and turned into
* an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationWhitelist`
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
*
* @param {RegExp=} regexp New regexp to whitelist urls with.
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
* chaining otherwise.
* This method is deprecated. Use {@link $compileProvider#imgSrcSanitizationTrustedUrlList
* imgSrcSanitizationTrustedUrlList} instead.
*/
this.imgSrcSanitizationWhitelist = function(regexp) {
if (isDefined(regexp)) {
$$sanitizeUriProvider.imgSrcSanitizationWhitelist(regexp);
return this;
} else {
return $$sanitizeUriProvider.imgSrcSanitizationWhitelist();
Object.defineProperty(this, 'imgSrcSanitizationWhitelist', {
get: function() {
return this.imgSrcSanitizationTrustedUrlList;
},
set: function(value) {
this.imgSrcSanitizationTrustedUrlList = value;
}
};
});
/**
* @ngdoc method
+3 -3
View File
@@ -13,9 +13,9 @@
* By default, the template URL is restricted to the same domain and protocol as the
* application document. This is done by calling {@link $sce#getTrustedResourceUrl
* $sce.getTrustedResourceUrl} on it. To load templates from other domains or protocols
* you may either {@link ng.$sceDelegateProvider#resourceUrlWhitelist whitelist them} or
* {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to AngularJS's {@link
* ng.$sce Strict Contextual Escaping}.
* you may either add them to your {@link ng.$sceDelegateProvider#trustedResourceUrlList trusted
* resource URL list} or {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to
* AngularJS's {@link ng.$sce Strict Contextual Escaping}.
*
* In addition, the browser's
* [Same Origin Policy](https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest)
+34 -14
View File
@@ -388,7 +388,7 @@ function $HttpProvider() {
/**
* @ngdoc property
* @name $httpProvider#xsrfWhitelistedOrigins
* @name $httpProvider#xsrfTrustedOrigins
* @description
*
* Array containing URLs whose origins are trusted to receive the XSRF token. See the
@@ -402,7 +402,7 @@ function $HttpProvider() {
* Examples: `http://example.com`, `https://api.example.com:9876`
*
* <div class="alert alert-warning">
* It is not possible to whitelist specific URLs/paths. The `path`, `query` and `fragment` parts
* It is not possible to trust specific URLs/paths. The `path`, `query` and `fragment` parts
* of a URL will be ignored. For example, `https://foo.com/path/bar?query=baz#fragment` will be
* treated as `https://foo.com`, meaning that **all** requests to URLs starting with
* `https://foo.com/` will include the XSRF token.
@@ -413,9 +413,9 @@ function $HttpProvider() {
* ```js
* // App served from `https://example.com/`.
* angular.
* module('xsrfWhitelistedOriginsExample', []).
* module('xsrfTrustedOriginsExample', []).
* config(['$httpProvider', function($httpProvider) {
* $httpProvider.xsrfWhitelistedOrigins.push('https://api.example.com');
* $httpProvider.xsrfTrustedOrigins.push('https://api.example.com');
* }]).
* run(['$http', function($http) {
* // The XSRF token will be sent.
@@ -426,7 +426,27 @@ function $HttpProvider() {
* }]);
* ```
*/
var xsrfWhitelistedOrigins = this.xsrfWhitelistedOrigins = [];
var xsrfTrustedOrigins = this.xsrfTrustedOrigins = [];
/**
* @ngdoc property
* @name $httpProvider#xsrfWhitelistedOrigins
* @description
*
* @deprecated
* sinceVersion="1.8.1"
*
* This property is deprecated. Use {@link $httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}
* instead.
*/
Object.defineProperty(this, 'xsrfWhitelistedOrigins', {
get: function() {
return this.xsrfTrustedOrigins;
},
set: function(origins) {
this.xsrfTrustedOrigins = origins;
}
});
this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce',
function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) {
@@ -454,7 +474,7 @@ function $HttpProvider() {
/**
* A function to check request URLs against a list of allowed origins.
*/
var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfWhitelistedOrigins);
var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfTrustedOrigins);
/**
* @ngdoc service
@@ -828,16 +848,16 @@ function $HttpProvider() {
* The header will &mdash; by default &mdash; **not** be set for cross-domain requests. This
* prevents unauthorized servers (e.g. malicious or compromised 3rd-party APIs) from gaining
* access to your users' XSRF tokens and exposing them to Cross Site Request Forgery. If you
* want to, you can whitelist additional origins to also receive the XSRF token, by adding them
* to {@link ng.$httpProvider#xsrfWhitelistedOrigins xsrfWhitelistedOrigins}. This might be
* want to, you can trust additional origins to also receive the XSRF token, by adding them
* to {@link ng.$httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}. This might be
* useful, for example, if your application, served from `example.com`, needs to access your API
* at `api.example.com`.
* See {@link ng.$httpProvider#xsrfWhitelistedOrigins $httpProvider.xsrfWhitelistedOrigins} for
* See {@link ng.$httpProvider#xsrfTrustedOrigins $httpProvider.xsrfTrustedOrigins} for
* more details.
*
* <div class="alert alert-danger">
* **Warning**<br />
* Only whitelist origins that you have control over and make sure you understand the
* Only trusted origins that you have control over and make sure you understand the
* implications of doing so.
* </div>
*
@@ -964,8 +984,8 @@ function $HttpProvider() {
<file name="script.js">
angular.module('httpExample', [])
.config(['$sceDelegateProvider', function($sceDelegateProvider) {
// We must whitelist the JSONP endpoint that we are using to show that we trust it
$sceDelegateProvider.resourceUrlWhitelist([
// We must add the JSONP endpoint that we are using to the trusted list to show that we trust it
$sceDelegateProvider.trustedResourceUrlList([
'self',
'https://angularjs.org/**'
]);
@@ -1222,8 +1242,8 @@ function $HttpProvider() {
*
* Note that, since JSONP requests are sensitive because the response is given full access to the browser,
* the url must be declared, via {@link $sce} as a trusted resource URL.
* You can trust a URL by adding it to the whitelist via
* {@link $sceDelegateProvider#resourceUrlWhitelist `$sceDelegateProvider.resourceUrlWhitelist`} or
* You can trust a URL by adding it to the trusted resource URL list via
* {@link $sceDelegateProvider#trustedResourceUrlList `$sceDelegateProvider.trustedResourceUrlList`} or
* by explicitly trusting the URL via {@link $sce#trustAsResourceUrl `$sce.trustAsResourceUrl(url)`}.
*
* You should avoid generating the URL for the JSONP request from user provided data.
+2 -2
View File
@@ -1900,7 +1900,7 @@ function $ParseProvider() {
var useInputs = parsedExpression.inputs && !exp.inputs;
// Propogate the literal/inputs/constant attributes
// Propagate the literal/inputs/constant attributes
// ... but not oneTime since we are handling it
oneTimeWatch.literal = parsedExpression.literal;
oneTimeWatch.constant = parsedExpression.constant;
@@ -1987,7 +1987,7 @@ function $ParseProvider() {
fn.$$intercepted = parsedExpression;
fn.$$interceptor = interceptorFn;
// Propogate the literal/oneTime/constant attributes
// Propagate the literal/oneTime/constant attributes
fn.literal = parsedExpression.literal;
fn.oneTime = parsedExpression.oneTime;
fn.constant = parsedExpression.constant;
+16 -15
View File
@@ -7,12 +7,12 @@
*/
function $$SanitizeUriProvider() {
var aHrefSanitizationWhitelist = /^\s*(https?|s?ftp|mailto|tel|file):/,
imgSrcSanitizationWhitelist = /^\s*((https?|ftp|file|blob):|data:image\/)/;
var aHrefSanitizationTrustedUrlList = /^\s*(https?|s?ftp|mailto|tel|file):/,
imgSrcSanitizationTrustedUrlList = /^\s*((https?|ftp|file|blob):|data:image\/)/;
/**
* @description
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
* Retrieves or overrides the default regular expression that is used for determining trusted safe
* urls during a[href] sanitization.
*
* The sanitization is a security measure aimed at prevent XSS attacks via HTML anchor links.
@@ -21,27 +21,27 @@ function $$SanitizeUriProvider() {
* the $sce.URL security context. When interpolation occurs a call is made to `$sce.trustAsUrl(url)`
* which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize the potentially malicious URL.
*
* If the URL matches the `aHrefSanitizationWhitelist` regular expression, it is returned unchanged.
* If the URL matches the `aHrefSanitizationTrustedUrlList` regular expression, it is returned unchanged.
*
* If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written
* to the DOM it is inactive and potentially malicious code will not be executed.
*
* @param {RegExp=} regexp New regexp to whitelist urls with.
* @param {RegExp=} regexp New regexp to trust urls with.
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
* chaining otherwise.
*/
this.aHrefSanitizationWhitelist = function(regexp) {
this.aHrefSanitizationTrustedUrlList = function(regexp) {
if (isDefined(regexp)) {
aHrefSanitizationWhitelist = regexp;
aHrefSanitizationTrustedUrlList = regexp;
return this;
}
return aHrefSanitizationWhitelist;
return aHrefSanitizationTrustedUrlList;
};
/**
* @description
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
* Retrieves or overrides the default regular expression that is used for determining trusted safe
* urls during img[src] sanitization.
*
* The sanitization is a security measure aimed at prevent XSS attacks via HTML image src links.
@@ -51,27 +51,28 @@ function $$SanitizeUriProvider() {
* `$sce.trustAsMediaUrl(url)` which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize
* the potentially malicious URL.
*
* If the URL matches the `aImgSanitizationWhitelist` regular expression, it is returned unchanged.
* If the URL matches the `imgSrcSanitizationTrustedUrlList` regular expression, it is returned
* unchanged.
*
* If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written
* to the DOM it is inactive and potentially malicious code will not be executed.
*
* @param {RegExp=} regexp New regexp to whitelist urls with.
* @param {RegExp=} regexp New regexp to trust urls with.
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
* chaining otherwise.
*/
this.imgSrcSanitizationWhitelist = function(regexp) {
this.imgSrcSanitizationTrustedUrlList = function(regexp) {
if (isDefined(regexp)) {
imgSrcSanitizationWhitelist = regexp;
imgSrcSanitizationTrustedUrlList = regexp;
return this;
}
return imgSrcSanitizationWhitelist;
return imgSrcSanitizationTrustedUrlList;
};
this.$get = function() {
return function sanitizeUri(uri, isMediaUrl) {
// if (!uri) return uri;
var regex = isMediaUrl ? imgSrcSanitizationWhitelist : aHrefSanitizationWhitelist;
var regex = isMediaUrl ? imgSrcSanitizationTrustedUrlList : aHrefSanitizationTrustedUrlList;
var normalizedVal = urlResolve(uri && uri.trim()).href;
if (normalizedVal !== '' && !normalizedVal.match(regex)) {
return 'unsafe:' + normalizedVal;
+118 -77
View File
@@ -118,10 +118,10 @@ function adjustMatchers(matchers) {
* The default instance of `$sceDelegate` should work out of the box with little pain. While you
* can override it completely to change the behavior of `$sce`, the common case would
* involve configuring the {@link ng.$sceDelegateProvider $sceDelegateProvider} instead by setting
* your own whitelists and blacklists for trusting URLs used for loading AngularJS resources such as
* templates. Refer {@link ng.$sceDelegateProvider#resourceUrlWhitelist
* $sceDelegateProvider.resourceUrlWhitelist} and {@link
* ng.$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist}
* your own trusted and banned resource lists for trusting URLs used for loading AngularJS resources
* such as templates. Refer {@link ng.$sceDelegateProvider#trustedResourceUrlList
* $sceDelegateProvider.trustedResourceUrlList} and {@link
* ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList}
*/
/**
@@ -134,12 +134,12 @@ function adjustMatchers(matchers) {
* The `$sceDelegateProvider` provider allows developers to configure the {@link ng.$sceDelegate
* $sceDelegate service}, used as a delegate for {@link ng.$sce Strict Contextual Escaping (SCE)}.
*
* The `$sceDelegateProvider` allows one to get/set the whitelists and blacklists used to ensure
* that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all
* places that use the `$sce.RESOURCE_URL` context). See
* {@link ng.$sceDelegateProvider#resourceUrlWhitelist $sceDelegateProvider.resourceUrlWhitelist}
* and
* {@link ng.$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist},
* The `$sceDelegateProvider` allows one to get/set the `trustedResourceUrlList` and
* `bannedResourceUrlList` used to ensure that the URLs used for sourcing AngularJS templates and
* other script-running URLs are safe (all places that use the `$sce.RESOURCE_URL` context). See
* {@link ng.$sceDelegateProvider#trustedResourceUrlList
* $sceDelegateProvider.trustedResourceUrlList} and
* {@link ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList},
*
* For the general details about this service in AngularJS, read the main page for {@link ng.$sce
* Strict Contextual Escaping (SCE)}.
@@ -155,64 +155,117 @@ function adjustMatchers(matchers) {
*
* ```
* angular.module('myApp', []).config(function($sceDelegateProvider) {
* $sceDelegateProvider.resourceUrlWhitelist([
* $sceDelegateProvider.trustedResourceUrlList([
* // Allow same origin resource loads.
* 'self',
* // Allow loading from our assets domain. Notice the difference between * and **.
* 'http://srv*.assets.example.com/**'
* ]);
*
* // The blacklist overrides the whitelist so the open redirect here is blocked.
* $sceDelegateProvider.resourceUrlBlacklist([
* // The banned resource URL list overrides the trusted resource URL list so the open redirect
* // here is blocked.
* $sceDelegateProvider.bannedResourceUrlList([
* 'http://myapp.example.com/clickThru**'
* ]);
* });
* ```
* Note that an empty whitelist will block every resource URL from being loaded, and will require
* Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require
* you to manually mark each one as trusted with `$sce.trustAsResourceUrl`. However, templates
* requested by {@link ng.$templateRequest $templateRequest} that are present in
* {@link ng.$templateCache $templateCache} will not go through this check. If you have a mechanism
* to populate your templates in that cache at config time, then it is a good idea to remove 'self'
* from that whitelist. This helps to mitigate the security impact of certain types of issues, like
* for instance attacker-controlled `ng-includes`.
* from the trusted resource URL lsit. This helps to mitigate the security impact of certain types
* of issues, like for instance attacker-controlled `ng-includes`.
*/
function $SceDelegateProvider() {
this.SCE_CONTEXTS = SCE_CONTEXTS;
// Resource URLs can also be trusted by policy.
var resourceUrlWhitelist = ['self'],
resourceUrlBlacklist = [];
var trustedResourceUrlList = ['self'],
bannedResourceUrlList = [];
/**
* @ngdoc method
* @name $sceDelegateProvider#trustedResourceUrlList
* @kind function
*
* @param {Array=} trustedResourceUrlList When provided, replaces the trustedResourceUrlList with
* the value provided. This must be an array or null. A snapshot of this array is used so
* further changes to the array are ignored.
* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
* allowed in this array.
*
* @return {Array} The currently set trusted resource URL array.
*
* @description
* Sets/Gets the list trusted of resource URLs.
*
* The **default value** when no `trustedResourceUrlList` has been explicitly set is `['self']`
* allowing only same origin resource requests.
*
* <div class="alert alert-warning">
* **Note:** the default `trustedResourceUrlList` of 'self' is not recommended if your app shares
* its origin with other apps! It is a good idea to limit it to only your application's directory.
* </div>
*/
this.trustedResourceUrlList = function(value) {
if (arguments.length) {
trustedResourceUrlList = adjustMatchers(value);
}
return trustedResourceUrlList;
};
/**
* @ngdoc method
* @name $sceDelegateProvider#resourceUrlWhitelist
* @kind function
*
* @param {Array=} whitelist When provided, replaces the resourceUrlWhitelist with the value
* provided. This must be an array or null. A snapshot of this array is used so further
* changes to the array are ignored.
* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
* allowed in this array.
* @deprecated
* sinceVersion="1.8.1"
*
* @return {Array} The currently set whitelist array.
* This method is deprecated. Use {@link $sceDelegateProvider#trustedResourceUrlList
* trustedResourceUrlList} instead.
*/
Object.defineProperty(this, 'resourceUrlWhitelist', {
get: function() {
return this.trustedResourceUrlList;
},
set: function(value) {
this.trustedResourceUrlList = value;
}
});
/**
* @ngdoc method
* @name $sceDelegateProvider#bannedResourceUrlList
* @kind function
*
* @param {Array=} bannedResourceUrlList When provided, replaces the `bannedResourceUrlList` with
* the value provided. This must be an array or null. A snapshot of this array is used so
* further changes to the array are ignored.</p><p>
* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
* allowed in this array.</p><p>
* The typical usage for the `bannedResourceUrlList` is to **block
* [open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as
* these would otherwise be trusted but actually return content from the redirected domain.
* </p><p>
* Finally, **the banned resource URL list overrides the trusted resource URL list** and has
* the final say.
*
* @return {Array} The currently set `bannedResourceUrlList` array.
*
* @description
* Sets/Gets the whitelist of trusted resource URLs.
* Sets/Gets the `bannedResourceUrlList` of trusted resource URLs.
*
* The **default value** when no whitelist has been explicitly set is `['self']` allowing only
* same origin resource requests.
*
* <div class="alert alert-warning">
* **Note:** the default whitelist of 'self' is not recommended if your app shares its origin
* with other apps! It is a good idea to limit it to only your application's directory.
* </div>
* The **default value** when no trusted resource URL list has been explicitly set is the empty
* array (i.e. there is no `bannedResourceUrlList`.)
*/
this.resourceUrlWhitelist = function(value) {
this.bannedResourceUrlList = function(value) {
if (arguments.length) {
resourceUrlWhitelist = adjustMatchers(value);
bannedResourceUrlList = adjustMatchers(value);
}
return resourceUrlWhitelist;
return bannedResourceUrlList;
};
/**
@@ -220,32 +273,20 @@ function $SceDelegateProvider() {
* @name $sceDelegateProvider#resourceUrlBlacklist
* @kind function
*
* @param {Array=} blacklist When provided, replaces the resourceUrlBlacklist with the value
* provided. This must be an array or null. A snapshot of this array is used so further
* changes to the array are ignored.</p><p>
* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
* allowed in this array.</p><p>
* The typical usage for the blacklist is to **block
* [open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as
* these would otherwise be trusted but actually return content from the redirected domain.
* </p><p>
* Finally, **the blacklist overrides the whitelist** and has the final say.
* @deprecated
* sinceVersion="1.8.1"
*
* @return {Array} The currently set blacklist array.
*
* @description
* Sets/Gets the blacklist of trusted resource URLs.
*
* The **default value** when no whitelist has been explicitly set is the empty array (i.e. there
* is no blacklist.)
* This method is deprecated. Use {@link $sceDelegateProvider#bannedResourceUrlList
* bannedResourceUrlList} instead.
*/
this.resourceUrlBlacklist = function(value) {
if (arguments.length) {
resourceUrlBlacklist = adjustMatchers(value);
Object.defineProperty(this, 'resourceUrlBlacklist', {
get: function() {
return this.bannedResourceUrlList;
},
set: function(value) {
this.bannedResourceUrlList = value;
}
return resourceUrlBlacklist;
};
});
this.$get = ['$injector', '$$sanitizeUri', function($injector, $$sanitizeUri) {
@@ -270,17 +311,17 @@ function $SceDelegateProvider() {
function isResourceUrlAllowedByPolicy(url) {
var parsedUrl = urlResolve(url.toString());
var i, n, allowed = false;
// Ensure that at least one item from the whitelist allows this url.
for (i = 0, n = resourceUrlWhitelist.length; i < n; i++) {
if (matchUrl(resourceUrlWhitelist[i], parsedUrl)) {
// Ensure that at least one item from the trusted resource URL list allows this url.
for (i = 0, n = trustedResourceUrlList.length; i < n; i++) {
if (matchUrl(trustedResourceUrlList[i], parsedUrl)) {
allowed = true;
break;
}
}
if (allowed) {
// Ensure that no item from the blacklist blocked this url.
for (i = 0, n = resourceUrlBlacklist.length; i < n; i++) {
if (matchUrl(resourceUrlBlacklist[i], parsedUrl)) {
// Ensure that no item from the banned resource URL list has blocked this url.
for (i = 0, n = bannedResourceUrlList.length; i < n; i++) {
if (matchUrl(bannedResourceUrlList[i], parsedUrl)) {
allowed = false;
break;
}
@@ -401,9 +442,9 @@ function $SceDelegateProvider() {
* The contexts that can be sanitized are $sce.MEDIA_URL, $sce.URL and $sce.HTML. The first two are available
* by default, and the third one relies on the `$sanitize` service (which may be loaded through
* the `ngSanitize` module). Furthermore, for $sce.RESOURCE_URL context, a plain string may be
* accepted if the resource url policy defined by {@link ng.$sceDelegateProvider#resourceUrlWhitelist
* `$sceDelegateProvider.resourceUrlWhitelist`} and {@link ng.$sceDelegateProvider#resourceUrlBlacklist
* `$sceDelegateProvider.resourceUrlBlacklist`} accepts that resource.
* accepted if the resource url policy defined by {@link ng.$sceDelegateProvider#trustedResourceUrlList
* `$sceDelegateProvider.trustedResourceUrlList`} and {@link ng.$sceDelegateProvider#bannedResourceUrlList
* `$sceDelegateProvider.bannedResourceUrlList`} accepts that resource.
*
* This function will throw if the safe type isn't appropriate for this context, or if the
* value given cannot be accepted in the context (which might be caused by sanitization not
@@ -497,9 +538,9 @@ function $SceDelegateProvider() {
*
* To systematically block XSS security bugs, AngularJS treats all values as untrusted by default in
* HTML or sensitive URL bindings. When binding untrusted values, AngularJS will automatically
* run security checks on them (sanitizations, whitelists, depending on context), or throw when it
* cannot guarantee the security of the result. That behavior depends strongly on contexts: HTML
* can be sanitized, but template URLs cannot, for instance.
* run security checks on them (sanitizations, trusted URL resource, depending on context), or throw
* when it cannot guarantee the security of the result. That behavior depends strongly on contexts:
* HTML can be sanitized, but template URLs cannot, for instance.
*
* To illustrate this, consider the `ng-bind-html` directive. It renders its value directly as HTML:
* we call that the *context*. When given an untrusted input, AngularJS will attempt to sanitize it
@@ -578,8 +619,8 @@ function $SceDelegateProvider() {
* By default, AngularJS only loads templates from the same domain and protocol as the application
* document. This is done by calling {@link ng.$sce#getTrustedResourceUrl
* $sce.getTrustedResourceUrl} on the template URL. To load templates from other domains and/or
* protocols, you may either {@link ng.$sceDelegateProvider#resourceUrlWhitelist whitelist
* them} or {@link ng.$sce#trustAsResourceUrl wrap it} into a trusted value.
* protocols, you may either add them to the {@link ng.$sceDelegateProvider#trustedResourceUrlList
* trustedResourceUrlList} or {@link ng.$sce#trustAsResourceUrl wrap them} into trusted values.
*
* *Please note*:
* The browser's
@@ -607,8 +648,8 @@ function $SceDelegateProvider() {
* templates in `ng-include` from your application's domain without having to even know about SCE.
* It blocks loading templates from other domains or loading templates over http from an https
* served document. You can change these by setting your own custom {@link
* ng.$sceDelegateProvider#resourceUrlWhitelist whitelists} and {@link
* ng.$sceDelegateProvider#resourceUrlBlacklist blacklists} for matching such URLs.
* ng.$sceDelegateProvider#trustedResourceUrlList trusted resource URL list} and {@link
* ng.$sceDelegateProvider#bannedResourceUrlList banned resource URL list} for matching such URLs.
*
* This significantly reduces the overhead. It is far easier to pay the small overhead and have an
* application that's secure and can be audited to verify that with much more ease than bolting
@@ -623,7 +664,7 @@ function $SceDelegateProvider() {
* | `$sce.CSS` | For CSS that's safe to source into the application. Currently unused. Feel free to use it in your own directives. |
* | `$sce.MEDIA_URL` | For URLs that are safe to render as media. Is automatically converted from string by sanitizing when needed. |
* | `$sce.URL` | For URLs that are safe to follow as links. Is automatically converted from string by sanitizing when needed. Note that `$sce.URL` makes a stronger statement about the URL than `$sce.MEDIA_URL` does and therefore contexts requiring values trusted for `$sce.URL` can be used anywhere that values trusted for `$sce.MEDIA_URL` are required.|
* | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.) <br><br>Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` or `$sce.MEDIA_URL` do and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` or `$sce.MEDIA_URL` are required. <br><br> The {@link $sceDelegateProvider#resourceUrlWhitelist $sceDelegateProvider#resourceUrlWhitelist()} and {@link $sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider#resourceUrlBlacklist()} can be used to restrict trusted origins for `RESOURCE_URL` |
* | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.) <br><br>Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` or `$sce.MEDIA_URL` do and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` or `$sce.MEDIA_URL` are required. <br><br> The {@link $sceDelegateProvider#trustedResourceUrlList $sceDelegateProvider#trustedResourceUrlList()} and {@link $sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider#bannedResourceUrlList()} can be used to restrict trusted origins for `RESOURCE_URL` |
* | `$sce.JS` | For JavaScript that is safe to execute in your application's context. Currently unused. Feel free to use it in your own directives. |
*
*
@@ -641,7 +682,7 @@ function $SceDelegateProvider() {
* There are no CSS or JS context bindings in AngularJS currently, so their corresponding `$sce.trustAs`
* functions aren't useful yet. This might evolve.
*
* ### Format of items in {@link ng.$sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist}/{@link ng.$sceDelegateProvider#resourceUrlBlacklist Blacklist} <a name="resourceUrlPatternItem"></a>
* ### Format of items in {@link ng.$sceDelegateProvider#trustedResourceUrlList trustedResourceUrlList}/{@link ng.$sceDelegateProvider#bannedResourceUrlList bannedResourceUrlList} <a name="resourceUrlPatternItem"></a>
*
* Each element in these arrays must be one of the following:
*
@@ -655,7 +696,7 @@ function $SceDelegateProvider() {
* match themselves.
* - `*`: matches zero or more occurrences of any character other than one of the following 6
* characters: '`:`', '`/`', '`.`', '`?`', '`&`' and '`;`'. It's a useful wildcard for use
* in a whitelist.
* for matching resource URL lists.
* - `**`: matches zero or more occurrences of *any* character. As such, it's not
* appropriate for use in a scheme, domain, etc. as it would match too much. (e.g.
* http://**.example.com/ would match http://evil.com/?ignore=.example.com/ and that might
+4 -4
View File
@@ -73,10 +73,10 @@ function $TemplateRequestProvider() {
handleRequestFn.totalPendingRequests++;
// We consider the template cache holds only trusted templates, so
// there's no need to go through whitelisting again for keys that already
// are included in there. This also makes AngularJS accept any script
// directive, no matter its name. However, we still need to unwrap trusted
// types.
// there's no need to go through adding the template again to the trusted
// resources for keys that already are included in there. This also makes
// AngularJS accept any script directive, no matter its name. However, we
// still need to unwrap trusted types.
if (!isString(tpl) || isUndefined($templateCache.get(tpl))) {
tpl = $sce.getTrustedResourceUrl(tpl);
}
+5 -5
View File
@@ -125,20 +125,20 @@ function urlIsSameOriginAsBaseUrl(requestUrl) {
}
/**
* Create a function that can check a URL's origin against a list of allowed/whitelisted origins.
* Create a function that can check a URL's origin against a list of allowed/trusted origins.
* The current location's origin is implicitly trusted.
*
* @param {string[]} whitelistedOriginUrls - A list of URLs (strings), whose origins are trusted.
* @param {string[]} trustedOriginUrls - A list of URLs (strings), whose origins are trusted.
*
* @returns {Function} - A function that receives a URL (string or parsed URL object) and returns
* whether it is of an allowed origin.
*/
function urlIsAllowedOriginFactory(whitelistedOriginUrls) {
var parsedAllowedOriginUrls = [originUrl].concat(whitelistedOriginUrls.map(urlResolve));
function urlIsAllowedOriginFactory(trustedOriginUrls) {
var parsedAllowedOriginUrls = [originUrl].concat(trustedOriginUrls.map(urlResolve));
/**
* Check whether the specified URL (string or parsed URL object) has an origin that is allowed
* based on a list of whitelisted-origin URLs. The current location's origin is implicitly
* based on a list of trusted-origin URLs. The current location's origin is implicitly
* trusted.
*
* @param {string|Object} requestUrl - The URL to be checked (provided as a string that will be
+16 -16
View File
@@ -64,7 +64,7 @@ var ngAriaModule = angular.module('ngAria', ['ng']).
/**
* Internal Utilities
*/
var nodeBlackList = ['BUTTON', 'A', 'INPUT', 'TEXTAREA', 'SELECT', 'DETAILS', 'SUMMARY'];
var nativeAriaNodeNames = ['BUTTON', 'A', 'INPUT', 'TEXTAREA', 'SELECT', 'DETAILS', 'SUMMARY'];
var isNodeOneOf = function(elem, nodeTypeArray) {
if (nodeTypeArray.indexOf(elem[0].nodeName) !== -1) {
@@ -136,12 +136,12 @@ function $AriaProvider() {
config = angular.extend(config, newConfig);
};
function watchExpr(attrName, ariaAttr, nodeBlackList, negate) {
function watchExpr(attrName, ariaAttr, nativeAriaNodeNames, negate) {
return function(scope, elem, attr) {
if (attr.hasOwnProperty(ARIA_DISABLE_ATTR)) return;
var ariaCamelName = attr.$normalize(ariaAttr);
if (config[ariaCamelName] && !isNodeOneOf(elem, nodeBlackList) && !attr[ariaCamelName]) {
if (config[ariaCamelName] && !isNodeOneOf(elem, nativeAriaNodeNames) && !attr[ariaCamelName]) {
scope.$watch(attr[attrName], function(boolVal) {
// ensure boolean value
boolVal = negate ? !boolVal : !!boolVal;
@@ -165,7 +165,7 @@ function $AriaProvider() {
*
*```js
* ngAriaModule.directive('ngDisabled', ['$aria', function($aria) {
* return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nodeBlackList, false);
* return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nativeAriaNodeNames, false);
* }])
*```
* Shown above, the ngAria module creates a directive with the same signature as the
@@ -217,31 +217,31 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
return $aria.$$watchExpr('ngHide', 'aria-hidden', [], false);
}])
.directive('ngValue', ['$aria', function($aria) {
return $aria.$$watchExpr('ngValue', 'aria-checked', nodeBlackList, false);
return $aria.$$watchExpr('ngValue', 'aria-checked', nativeAriaNodeNames, false);
}])
.directive('ngChecked', ['$aria', function($aria) {
return $aria.$$watchExpr('ngChecked', 'aria-checked', nodeBlackList, false);
return $aria.$$watchExpr('ngChecked', 'aria-checked', nativeAriaNodeNames, false);
}])
.directive('ngReadonly', ['$aria', function($aria) {
return $aria.$$watchExpr('ngReadonly', 'aria-readonly', nodeBlackList, false);
return $aria.$$watchExpr('ngReadonly', 'aria-readonly', nativeAriaNodeNames, false);
}])
.directive('ngRequired', ['$aria', function($aria) {
return $aria.$$watchExpr('ngRequired', 'aria-required', nodeBlackList, false);
return $aria.$$watchExpr('ngRequired', 'aria-required', nativeAriaNodeNames, false);
}])
.directive('ngModel', ['$aria', function($aria) {
function shouldAttachAttr(attr, normalizedAttr, elem, allowBlacklistEls) {
function shouldAttachAttr(attr, normalizedAttr, elem, allowNonAriaNodes) {
return $aria.config(normalizedAttr) &&
!elem.attr(attr) &&
(allowBlacklistEls || !isNodeOneOf(elem, nodeBlackList)) &&
(allowNonAriaNodes || !isNodeOneOf(elem, nativeAriaNodeNames)) &&
(elem.attr('type') !== 'hidden' || elem[0].nodeName !== 'INPUT');
}
function shouldAttachRole(role, elem) {
// if element does not have role attribute
// AND element type is equal to role (if custom element has a type equaling shape) <-- remove?
// AND element is not in nodeBlackList
return !elem.attr('role') && (elem.attr('type') === role) && !isNodeOneOf(elem, nodeBlackList);
// AND element is not in nativeAriaNodeNames
return !elem.attr('role') && (elem.attr('type') === role) && !isNodeOneOf(elem, nativeAriaNodeNames);
}
function getShape(attr, elem) {
@@ -349,7 +349,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
};
}])
.directive('ngDisabled', ['$aria', function($aria) {
return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nodeBlackList, false);
return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nativeAriaNodeNames, false);
}])
.directive('ngMessages', function() {
return {
@@ -373,7 +373,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
var fn = $parse(attr.ngClick);
return function(scope, elem, attr) {
if (!isNodeOneOf(elem, nodeBlackList)) {
if (!isNodeOneOf(elem, nativeAriaNodeNames)) {
if ($aria.config('bindRoleForClick') && !elem.attr('role')) {
elem.attr('role', 'button');
@@ -389,7 +389,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
if (keyCode === 13 || keyCode === 32) {
// If the event is triggered on a non-interactive element ...
if (nodeBlackList.indexOf(event.target.nodeName) === -1 && !event.target.isContentEditable) {
if (nativeAriaNodeNames.indexOf(event.target.nodeName) === -1 && !event.target.isContentEditable) {
// ... prevent the default browser behavior (e.g. scrolling when pressing spacebar)
// See https://github.com/angular/angular.js/issues/16664
event.preventDefault();
@@ -411,7 +411,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
return function(scope, elem, attr) {
if (attr.hasOwnProperty(ARIA_DISABLE_ATTR)) return;
if ($aria.config('tabindex') && !elem.attr('tabindex') && !isNodeOneOf(elem, nodeBlackList)) {
if ($aria.config('tabindex') && !elem.attr('tabindex') && !isNodeOneOf(elem, nativeAriaNodeNames)) {
elem.attr('tabindex', 0);
}
};
+18 -40
View File
@@ -41,12 +41,12 @@ var htmlSanitizeWriter;
* @description
* Sanitizes an html string by stripping all potentially dangerous tokens.
*
* The input is sanitized by parsing the HTML into tokens. All safe tokens (from a whitelist) are
* The input is sanitized by parsing the HTML into tokens. All safe tokens (from a trusted URI list) are
* then serialized back to a properly escaped HTML string. This means that no unsafe input can make
* it into the returned string.
*
* The whitelist for URL sanitization of attribute values is configured using the functions
* `aHrefSanitizationWhitelist` and `imgSrcSanitizationWhitelist` of {@link $compileProvider}.
* The trusted URIs for URL sanitization of attribute values is configured using the functions
* `aHrefSanitizationTrustedUrlList` and `imgSrcSanitizationTrustedUrlList` of {@link $compileProvider}.
*
* The input may also contain SVG markup if this is enabled via {@link $sanitizeProvider}.
*
@@ -277,8 +277,8 @@ function $SanitizeProvider() {
* **Note**:
* The new attributes will not be treated as URI attributes, which means their values will not be
* sanitized as URIs using `$compileProvider`'s
* {@link ng.$compileProvider#aHrefSanitizationWhitelist aHrefSanitizationWhitelist} and
* {@link ng.$compileProvider#imgSrcSanitizationWhitelist imgSrcSanitizationWhitelist}.
* {@link ng.$compileProvider#aHrefSanitizationTrustedUrlList aHrefSanitizationTrustedUrlList} and
* {@link ng.$compileProvider#imgSrcSanitizationTrustedUrlList imgSrcSanitizationTrustedUrlList}.
*
* <div class="alert alert-info">
* This method must be called during the {@link angular.Module#config config} phase. Once the
@@ -421,50 +421,28 @@ function $SanitizeProvider() {
}
/**
* Create an inert document that contains the dirty HTML that needs sanitizing
* Depending upon browser support we use one of three strategies for doing this.
* Support: Safari 10.x -> XHR strategy
* Support: Firefox -> DomParser strategy
* Create an inert document that contains the dirty HTML that needs sanitizing.
* We use the DOMParser API by default and fall back to createHTMLDocument if DOMParser is not
* available.
*/
var getInertBodyElement /* function(html: string): HTMLBodyElement */ = (function(window, document) {
var inertDocument;
if (document && document.implementation) {
inertDocument = document.implementation.createHTMLDocument('inert');
} else {
if (isDOMParserAvailable()) {
return getInertBodyElement_DOMParser;
}
if (!document || !document.implementation) {
throw $sanitizeMinErr('noinert', 'Can\'t create an inert html document');
}
var inertDocument = document.implementation.createHTMLDocument('inert');
var inertBodyElement = (inertDocument.documentElement || inertDocument.getDocumentElement()).querySelector('body');
return getInertBodyElement_InertDocument;
// Check for the Safari 10.1 bug - which allows JS to run inside the SVG G element
inertBodyElement.innerHTML = '<svg><g onload="this.parentNode.remove()"></g></svg>';
if (!inertBodyElement.querySelector('svg')) {
return getInertBodyElement_XHR;
} else {
// Check for the Firefox bug - which prevents the inner img JS from being sanitized
inertBodyElement.innerHTML = '<svg><p><style><img src="</style><img src=x onerror=alert(1)//">';
if (inertBodyElement.querySelector('svg img')) {
return getInertBodyElement_DOMParser;
} else {
return getInertBodyElement_InertDocument;
}
}
function getInertBodyElement_XHR(html) {
// We add this dummy element to ensure that the rest of the content is parsed as expected
// e.g. leading whitespace is maintained and tags like `<meta>` do not get hoisted to the `<head>` tag.
html = '<remove></remove>' + html;
function isDOMParserAvailable() {
try {
html = encodeURI(html);
return !!getInertBodyElement_DOMParser('');
} catch (e) {
return undefined;
return false;
}
var xhr = new window.XMLHttpRequest();
xhr.responseType = 'document';
xhr.open('GET', 'data:text/html;charset=utf-8,' + html, false);
xhr.send(null);
var body = xhr.response.body;
body.firstChild.remove();
return body;
}
function getInertBodyElement_DOMParser(html) {
+25 -25
View File
@@ -151,30 +151,30 @@ describe('$compile', function() {
describe('configuration', function() {
it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationWhitelist`', function() {
it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationTrustedUrlList`', function() {
module(function($compileProvider, $$sanitizeUriProvider) {
var newRe = /safe:/, returnVal;
expect($compileProvider.aHrefSanitizationWhitelist()).toBe($$sanitizeUriProvider.aHrefSanitizationWhitelist());
returnVal = $compileProvider.aHrefSanitizationWhitelist(newRe);
expect($compileProvider.aHrefSanitizationTrustedUrlList()).toBe($$sanitizeUriProvider.aHrefSanitizationTrustedUrlList());
returnVal = $compileProvider.aHrefSanitizationTrustedUrlList(newRe);
expect(returnVal).toBe($compileProvider);
expect($$sanitizeUriProvider.aHrefSanitizationWhitelist()).toBe(newRe);
expect($compileProvider.aHrefSanitizationWhitelist()).toBe(newRe);
expect($$sanitizeUriProvider.aHrefSanitizationTrustedUrlList()).toBe(newRe);
expect($compileProvider.aHrefSanitizationTrustedUrlList()).toBe(newRe);
});
inject(function() {
// needed to the module definition above is run...
});
});
it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationWhitelist`', function() {
it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationTrustedUrlList`', function() {
module(function($compileProvider, $$sanitizeUriProvider) {
var newRe = /safe:/, returnVal;
expect($compileProvider.imgSrcSanitizationWhitelist()).toBe($$sanitizeUriProvider.imgSrcSanitizationWhitelist());
returnVal = $compileProvider.imgSrcSanitizationWhitelist(newRe);
expect($compileProvider.imgSrcSanitizationTrustedUrlList()).toBe($$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList());
returnVal = $compileProvider.imgSrcSanitizationTrustedUrlList(newRe);
expect(returnVal).toBe($compileProvider);
expect($$sanitizeUriProvider.imgSrcSanitizationWhitelist()).toBe(newRe);
expect($compileProvider.imgSrcSanitizationWhitelist()).toBe(newRe);
expect($$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList()).toBe(newRe);
expect($compileProvider.imgSrcSanitizationTrustedUrlList()).toBe(newRe);
});
inject(function() {
// needed to the module definition above is run...
@@ -11334,9 +11334,9 @@ describe('$compile', function() {
// IE9 rejects the `video` / `audio` tags with "Error: Not implemented"
if (msie !== 9 || tag === 'img') {
describe(tag + '[src] context requirement', function() {
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
element = $compile('<' + tag + ' src="{{testUrl}}"></' + tag + '>')($rootScope);
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
$rootScope.$digest();
expect(element.attr('src')).toEqual('http://example.com/image.mp4');
}));
@@ -11372,9 +11372,9 @@ describe('$compile', function() {
if (msie !== 9) {
['source', 'track'].forEach(function(tag) {
describe(tag + '[src]', function() {
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
element = $compile('<video><' + tag + ' src="{{testUrl}}"></' + tag + '></video>')($rootScope);
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
$rootScope.$digest();
expect(element.find(tag).attr('src')).toEqual('http://example.com/image.mp4');
}));
@@ -11509,14 +11509,14 @@ describe('$compile', function() {
});
});
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile, $sce) {
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile, $sce) {
element = $compile('<img srcset="{{testUrl}}"></img>')($rootScope);
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
$rootScope.$digest();
expect(element.attr('srcset')).toEqual('http://example.com/image.png');
}));
it('should accept trusted values, if they are also whitelisted', inject(function($rootScope, $compile, $sce) {
it('should accept trusted values, if they are also trusted URIs', inject(function($rootScope, $compile, $sce) {
element = $compile('<img srcset="{{testUrl}}"></img>')($rootScope);
$rootScope.testUrl = $sce.trustAsUrl('http://example.com');
$rootScope.$digest();
@@ -11602,8 +11602,8 @@ describe('$compile', function() {
});
describe('a[href] sanitization', function() {
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
element = $compile('<a href="{{testUrl}}"></a>')($rootScope);
$rootScope.$digest();
expect(element.attr('href')).toEqual('http://example.com/image.png');
@@ -11613,8 +11613,8 @@ describe('$compile', function() {
expect(element.attr('ng-href')).toEqual('http://example.com/image.png');
}));
it('should accept trusted values for non-whitelisted values', inject(function($rootScope, $compile, $sce) {
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not whitelisted
it('should accept trusted values for non-trusted URI values', inject(function($rootScope, $compile, $sce) {
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not trusted
element = $compile('<a href="{{testUrl}}"></a>')($rootScope);
$rootScope.$digest();
expect(element.attr('href')).toEqual('javascript:foo()');
@@ -11624,8 +11624,8 @@ describe('$compile', function() {
expect(element.attr('ng-href')).toEqual('javascript:foo()');
}));
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not whitelisted
it('should sanitize non-trusted values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not trusted
element = $compile('<a href="{{testUrl}}"></a>')($rootScope);
$rootScope.$digest();
expect(element.attr('href')).toEqual('unsafe:javascript:foo()');
@@ -11678,7 +11678,7 @@ describe('$compile', function() {
$provide.value('$$sanitizeUri', $$sanitizeUri);
});
inject(function($compile, $rootScope) {
// This URL would fail the RESOURCE_URL whitelist, but that test shouldn't be run
// This URL would fail the RESOURCE_URL trusted list, but that test shouldn't be run
// because these interpolations will be resolved against the URL context instead
$rootScope.testUrl = 'https://bad.example.org';
@@ -11700,7 +11700,7 @@ describe('$compile', function() {
$provide.value('$$sanitizeUri', $$sanitizeUri);
});
inject(function($compile, $rootScope) {
// This URL would fail the RESOURCE_URL whitelist, but that test shouldn't be run
// This URL would fail the RESOURCE_URL trusted list, but that test shouldn't be run
// because these interpolations will be resolved against the URL context instead
$rootScope.testUrl = 'https://bad.example.org';
+10 -10
View File
@@ -288,8 +288,8 @@ describe('$http', function() {
var $httpBackend, $http, $rootScope, $sce;
beforeEach(module(function($sceDelegateProvider) {
// Setup a special whitelisted url that we can use in testing JSONP requests
$sceDelegateProvider.resourceUrlWhitelist(['http://special.whitelisted.resource.com/**']);
// Setup a special trusted url that we can use in testing JSONP requests
$sceDelegateProvider.trustedResourceUrlList(['http://special.trusted.resource.com/**']);
}));
beforeEach(inject(['$httpBackend', '$http', '$rootScope', '$sce', function($hb, $h, $rs, $sc) {
@@ -2213,9 +2213,9 @@ describe('$http', function() {
var $httpBackend;
beforeEach(module(function($httpProvider) {
$httpProvider.xsrfWhitelistedOrigins.push(
'https://whitelisted.example.com',
'https://whitelisted2.example.com:1337/ignored/path');
$httpProvider.xsrfTrustedOrigins.push(
'https://trusted.example.com',
'https://trusted2.example.com:1337/ignored/path');
}));
beforeEach(inject(function(_$http_, _$httpBackend_) {
@@ -2312,8 +2312,8 @@ describe('$http', function() {
}
var requestUrls = [
'https://api.example.com/path',
'http://whitelisted.example.com',
'https://whitelisted2.example.com:1338'
'http://trusted.example.com',
'https://trusted2.example.com:1338'
];
mockedCookies['XSRF-TOKEN'] = 'secret';
@@ -2326,15 +2326,15 @@ describe('$http', function() {
});
it('should set an XSRF header for cross-domain requests to whitelisted origins',
it('should set an XSRF header for cross-domain requests to trusted origins',
inject(function($browser) {
function checkHeaders(headers) {
return headers['X-XSRF-TOKEN'] === 'secret';
}
var currentUrl = 'https://example.com/path';
var requestUrls = [
'https://whitelisted.example.com/path',
'https://whitelisted2.example.com:1337/path'
'https://trusted.example.com/path',
'https://trusted2.example.com:1337/path'
];
$browser.url(currentUrl);
+15 -15
View File
@@ -250,9 +250,9 @@ describe('ngProp*', function() {
// IE9 rejects the `video` / `audio` tags with "Error: Not implemented"
if (msie !== 9 || tag === 'img') {
describe(tag + '[src] context requirement', function() {
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
$rootScope.$digest();
expect(element.prop('src')).toEqual('http://example.com/image.mp4');
}));
@@ -279,7 +279,7 @@ describe('ngProp*', function() {
expect(element.prop('src')).toEqual('untrusted:foo()');
}));
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
it('should sanitize non-trusted values', inject(function($rootScope, $compile, $sce) {
// As a MEDIA_URL URL
var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
// Some browsers complain if you try to write `javascript:` into an `img[src]`
@@ -308,9 +308,9 @@ describe('ngProp*', function() {
if (msie !== 9) {
['source', 'track'].forEach(function(tag) {
describe(tag + '[src]', function() {
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
$rootScope.$digest();
expect(element.find(tag).prop('src')).toEqual('http://example.com/image.mp4');
}));
@@ -335,7 +335,7 @@ describe('ngProp*', function() {
expect(element.find(tag).prop('src')).toEqual('javascript:foo()');
}));
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
it('should sanitize non-trusted values', inject(function($rootScope, $compile, $sce) {
var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
$rootScope.testUrl = 'untrusted:foo()';
$rootScope.$digest();
@@ -412,14 +412,14 @@ describe('ngProp*', function() {
expect(element.prop('srcset')).toBe('');
}));
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile, $sce) {
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile, $sce) {
var element = $compile('<' + srcsetElement + ' ng-prop-srcset="testUrl"></' + srcsetElement + '>')($rootScope);
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
$rootScope.$digest();
expect(element.prop('srcset')).toEqual('http://example.com/image.png');
}));
it('should accept trusted values, if they are also whitelisted', inject(function($rootScope, $compile, $sce) {
it('should accept trusted values, if they are also trusted URIs', inject(function($rootScope, $compile, $sce) {
var element = $compile('<' + srcsetElement + ' ng-prop-srcset="testUrl"></' + srcsetElement + '>')($rootScope);
$rootScope.testUrl = $sce.trustAsUrl('http://example.com');
$rootScope.$digest();
@@ -506,8 +506,8 @@ describe('ngProp*', function() {
});
describe('a[href] sanitization', function() {
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
$rootScope.$digest();
expect(element.prop('href')).toEqual('http://example.com/image.png');
@@ -517,8 +517,8 @@ describe('ngProp*', function() {
expect(element.prop('href')).toEqual('http://example.com/image.png');
}));
it('should accept trusted values for non-whitelisted values', inject(function($rootScope, $compile, $sce) {
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not whitelisted
it('should accept trusted values for non-trusted URI values', inject(function($rootScope, $compile, $sce) {
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not trusted
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
$rootScope.$digest();
expect(element.prop('href')).toEqual('javascript:foo()');
@@ -528,8 +528,8 @@ describe('ngProp*', function() {
expect(element.prop('href')).toEqual('javascript:foo()');
}));
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not whitelisted
it('should sanitize non-trusted values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not trusted
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
$rootScope.$digest();
expect(element.prop('href')).toEqual('unsafe:javascript:foo()');
+6 -6
View File
@@ -125,10 +125,10 @@ describe('sanitizeUri', function() {
expect(sanitizeImg(testUrl)).toBe('data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==');
});
it('should allow reconfiguration of the src whitelist', function() {
it('should allow reconfiguration of the src trusted URIs', function() {
var returnVal;
expect(sanitizeUriProvider.imgSrcSanitizationWhitelist() instanceof RegExp).toBe(true);
returnVal = sanitizeUriProvider.imgSrcSanitizationWhitelist(/javascript:/);
expect(sanitizeUriProvider.imgSrcSanitizationTrustedUrlList() instanceof RegExp).toBe(true);
returnVal = sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(/javascript:/);
expect(returnVal).toBe(sanitizeUriProvider);
testUrl = 'javascript:doEvilStuff()';
@@ -226,10 +226,10 @@ describe('sanitizeUri', function() {
expect(sanitizeHref(testUrl)).toBe('file:///foo/bar.html');
}));
it('should allow reconfiguration of the href whitelist', function() {
it('should allow reconfiguration of the href trusted URIs', function() {
var returnVal;
expect(sanitizeUriProvider.aHrefSanitizationWhitelist() instanceof RegExp).toBe(true);
returnVal = sanitizeUriProvider.aHrefSanitizationWhitelist(/javascript:/);
expect(sanitizeUriProvider.aHrefSanitizationTrustedUrlList() instanceof RegExp).toBe(true);
returnVal = sanitizeUriProvider.aHrefSanitizationTrustedUrlList(/javascript:/);
expect(returnVal).toBe(sanitizeUriProvider);
testUrl = 'javascript:doEvilStuff()';
+35 -36
View File
@@ -309,11 +309,11 @@ describe('SCE', function() {
function runTest(cfg, testFn) {
return function() {
module(function($sceDelegateProvider) {
if (isDefined(cfg.whiteList)) {
$sceDelegateProvider.resourceUrlWhitelist(cfg.whiteList);
if (isDefined(cfg.trustedUrls)) {
$sceDelegateProvider.trustedResourceUrlList(cfg.trustedUrls);
}
if (isDefined(cfg.blackList)) {
$sceDelegateProvider.resourceUrlBlacklist(cfg.blackList);
if (isDefined(cfg.bannedUrls)) {
$sceDelegateProvider.bannedResourceUrlList(cfg.bannedUrls);
}
});
inject(testFn);
@@ -324,10 +324,10 @@ describe('SCE', function() {
expect($sce.getTrustedResourceUrl('foo/bar')).toEqual('foo/bar');
}));
it('should reject everything when whitelist is empty', runTest(
it('should reject everything when trusted resource URL list is empty', runTest(
{
whiteList: [],
blackList: []
trustedUrls: [],
bannedUrls: []
}, function($sce) {
expect(function() { $sce.getTrustedResourceUrl('#'); }).toThrowMinErr(
'$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: #');
@@ -336,8 +336,8 @@ describe('SCE', function() {
it('should match against normalized urls', runTest(
{
whiteList: [/^foo$/],
blackList: []
trustedUrls: [/^foo$/],
bannedUrls: []
}, function($sce) {
expect(function() { $sce.getTrustedResourceUrl('foo'); }).toThrowMinErr(
'$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: foo');
@@ -346,7 +346,7 @@ describe('SCE', function() {
it('should not accept unknown matcher type', function() {
expect(function() {
runTest({whiteList: [{}]}, null)();
runTest({trustedUrls: [{}]}, null)();
}).toThrowMinErr('$injector', 'modulerr', new RegExp(
/Failed to instantiate module function ?\(\$sceDelegateProvider\) due to:\n/.source +
/[^[]*\[\$sce:imatcher] Matchers may only be "self", string patterns or RegExp objects/.source));
@@ -370,8 +370,8 @@ describe('SCE', function() {
describe('regex matcher', function() {
it('should support custom regex', runTest(
{
whiteList: [/^http:\/\/example\.com\/.*/],
blackList: []
trustedUrls: [/^http:\/\/example\.com\/.*/],
bannedUrls: []
}, function($sce) {
expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo');
// must match entire regex
@@ -385,8 +385,8 @@ describe('SCE', function() {
it('should match entire regex', runTest(
{
whiteList: [/https?:\/\/example\.com\/foo/],
blackList: []
trustedUrls: [/https?:\/\/example\.com\/foo/],
bannedUrls: []
}, function($sce) {
expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo');
expect($sce.getTrustedResourceUrl('https://example.com/foo')).toEqual('https://example.com/foo');
@@ -405,8 +405,8 @@ describe('SCE', function() {
describe('string matchers', function() {
it('should support strings as matchers', runTest(
{
whiteList: ['http://example.com/foo'],
blackList: []
trustedUrls: ['http://example.com/foo'],
bannedUrls: []
}, function($sce) {
expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo');
// "." is not a special character like in a regex.
@@ -423,8 +423,8 @@ describe('SCE', function() {
it('should support the * wildcard', runTest(
{
whiteList: ['http://example.com/foo*'],
blackList: []
trustedUrls: ['http://example.com/foo*'],
bannedUrls: []
}, function($sce) {
expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo');
// The * wildcard should match extra characters.
@@ -452,8 +452,8 @@ describe('SCE', function() {
it('should support the ** wildcard', runTest(
{
whiteList: ['http://example.com/foo**'],
blackList: []
trustedUrls: ['http://example.com/foo**'],
bannedUrls: []
}, function($sce) {
expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo');
// The ** wildcard should match extra characters.
@@ -465,7 +465,7 @@ describe('SCE', function() {
it('should not accept *** in the string', function() {
expect(function() {
runTest({whiteList: ['http://***']}, null)();
runTest({trustedUrls: ['http://***']}, null)();
}).toThrowMinErr('$injector', 'modulerr', new RegExp(
/Failed to instantiate module function ?\(\$sceDelegateProvider\) due to:\n/.source +
/[^[]*\[\$sce:iwcard] Illegal sequence \*\*\* in string matcher\. {2}String: http:\/\/\*\*\*/.source));
@@ -473,19 +473,19 @@ describe('SCE', function() {
});
describe('"self" matcher', function() {
it('should support the special string "self" in whitelist', runTest(
it('should support the special string "self" in trusted resource URL list', runTest(
{
whiteList: ['self'],
blackList: []
trustedUrls: ['self'],
bannedUrls: []
}, function($sce) {
expect($sce.getTrustedResourceUrl('foo')).toEqual('foo');
}
));
it('should support the special string "self" in blacklist', runTest(
it('should support the special string "self" in baneed resource URL list', runTest(
{
whiteList: [/.*/],
blackList: ['self']
trustedUrls: [/.*/],
bannedUrls: ['self']
}, function($sce) {
expect(function() { $sce.getTrustedResourceUrl('foo'); }).toThrowMinErr(
'$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: foo');
@@ -494,7 +494,7 @@ describe('SCE', function() {
describe('when the document base URL has changed', function() {
var baseElem;
var cfg = {whitelist: ['self'], blacklist: []};
var cfg = {trustedUrls: ['self'], bannedUrls: []};
beforeEach(function() {
baseElem = window.document.createElement('BASE');
@@ -526,10 +526,10 @@ describe('SCE', function() {
});
});
it('should have blacklist override the whitelist', runTest(
it('should have the banned resource URL list override the trusted resource URL list', runTest(
{
whiteList: ['self'],
blackList: ['self']
trustedUrls: ['self'],
bannedUrls: ['self']
}, function($sce) {
expect(function() { $sce.getTrustedResourceUrl('foo'); }).toThrowMinErr(
'$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: foo');
@@ -538,8 +538,8 @@ describe('SCE', function() {
it('should support multiple items in both lists', runTest(
{
whiteList: [/^http:\/\/example.com\/1$/, /^http:\/\/example.com\/2$/, /^http:\/\/example.com\/3$/, 'self'],
blackList: [/^http:\/\/example.com\/3$/, /.*\/open_redirect/]
trustedUrls: [/^http:\/\/example.com\/1$/, /^http:\/\/example.com\/2$/, /^http:\/\/example.com\/3$/, 'self'],
bannedUrls: [/^http:\/\/example.com\/3$/, /.*\/open_redirect/]
}, function($sce) {
expect($sce.getTrustedResourceUrl('same_domain')).toEqual('same_domain');
expect($sce.getTrustedResourceUrl('http://example.com/1')).toEqual('http://example.com/1');
@@ -553,12 +553,12 @@ describe('SCE', function() {
});
describe('URL-context sanitization', function() {
it('should sanitize values that are not whitelisted', inject(function($sce) {
it('should sanitize values that are not found in the trusted resource URL list', inject(function($sce) {
expect($sce.getTrustedMediaUrl('javascript:foo')).toEqual('unsafe:javascript:foo');
expect($sce.getTrustedUrl('javascript:foo')).toEqual('unsafe:javascript:foo');
}));
it('should not sanitize values that are whitelisted', inject(function($sce) {
it('should not sanitize values that are found in the trusted resource URL list', inject(function($sce) {
expect($sce.getTrustedMediaUrl('http://example.com')).toEqual('http://example.com');
expect($sce.getTrustedUrl('http://example.com')).toEqual('http://example.com');
}));
@@ -620,4 +620,3 @@ describe('SCE', function() {
});
});
});
+1 -1
View File
@@ -97,7 +97,7 @@ describe('urlUtils', function() {
});
it('should check against the list of whitelisted origins', function() {
it('should check against the list of trusted origins', function() {
expect(urlIsAllowedOrigin('https://foo.com/path')).toBe(true);
expect(urlIsAllowedOrigin(origin.protocol + '://bar.com:1337/path')).toBe(true);
expect(urlIsAllowedOrigin('https://baz.com:1337/path')).toBe(false);
+2 -2
View File
@@ -1,6 +1,6 @@
'use strict';
/* globals nodeBlackList false */
/* globals nativeAriaNodeNames false */
describe('$aria', function() {
var scope, $compile, element;
@@ -1064,7 +1064,7 @@ describe('$aria', function() {
);
they('should not prevent default keyboard action if an interactive $type element' +
'is nested inside ng-click', nodeBlackList, function(elementType) {
'is nested inside ng-click', nativeAriaNodeNames, function(elementType) {
function createHTML(type) {
return '<' + type + '></' + type + '>';
}
+1 -1
View File
@@ -803,7 +803,7 @@ describe('$route', function() {
it('should load cross domain templates that are trusted', function() {
module(function($routeProvider, $sceDelegateProvider) {
$routeProvider.when('/foo', { templateUrl: 'http://example.com/foo.html' });
$sceDelegateProvider.resourceUrlWhitelist([/^http:\/\/example\.com\/foo\.html$/]);
$sceDelegateProvider.trustedResourceUrlList([/^http:\/\/example\.com\/foo\.html$/]);
});
inject(function($route, $location, $rootScope) {
+1 -1
View File
@@ -1,6 +1,6 @@
The MIT License
Copyright (c) 2013 Google, Inc. http://angularjs.org
Copyright (c) 2013-2020 Google LLC. http://angularjs.org
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
+1736 -1086
View File
File diff suppressed because it is too large Load Diff