rodyhaddad 67688d5ca0 fix($sanitize): disallow unsafe svg animation tags
After #11124 got merged, a security vulnerability got introduced.
Animation in SVG became tolerated by the sanitizer.

Exploit Example:
```
<svg>
  <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?">
    <circle r="400"></circle>
    <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" />
  </a>
</svg>
```

Here we are animating an anchor's href, starting from a value that's a javascript URI,
allowing the executing of arbitrary javascript in the process.

Preventing only the animation of links is tricky, as SVG is weird and namespaces aren't predictable.
We've decided to have the sanitizer filter out svg animation tags instead.

Considering the sanitizer is commonly used to sanitize untrusted HTML code, this shouldn't affect
many apps in the wild. Also, no release has been with #11124 in it, but not this fix.

Closes #11290
2015-03-15 20:39:45 +00:00
2015-03-13 09:35:17 -07:00
2010-10-29 10:47:06 -07:00
2014-09-08 12:05:11 +01:00
2015-01-11 10:54:42 +01:00
2014-09-22 11:40:30 -07:00

AngularJS Build Status

AngularJS lets you write client-side web applications as if you had a smarter browser. It lets you use good old HTML (or HAML, Jade and friends!) as your template language and lets you extend HTMLs syntax to express your applications components clearly and succinctly. It automatically synchronizes data from your UI (view) with your JavaScript objects (model) through 2-way data binding. To help you structure your application better and make it easy to test, AngularJS teaches the browser how to do dependency injection and inversion of control.

Oh yeah and it helps with server-side communication, taming async callbacks with promises and deferreds. It also makes client-side navigation and deeplinking with hashbang urls or HTML5 pushState a piece of cake. The best of all: it makes development fun!

Building AngularJS

Once you have your environment setup just run:

grunt package

Running Tests

To execute all unit tests, use:

grunt test:unit

To execute end-to-end (e2e) tests, use:

grunt package
grunt test:e2e

To learn more about the grunt tasks, run grunt --help and also read our contribution guidelines.

Analytics

S
Description
AngularJS - HTML enhanced for web apps!
Readme MIT 210 MiB
Languages
JavaScript 98.2%
HTML 1.2%
Shell 0.5%
PHP 0.1%