v20.3.22
📦 angularView on GitHub →
🐛 16 fixes🔧 1 symbols
Summary
This release focuses heavily on security improvements across multiple packages, including sanitization of various bindings, tag names, and protection against SSRF. Several fixes were also applied to HTTP transfer cache behavior and service worker asset handling.
🐛 Bug Fixes
- Added upper bounds for digitsInfo in common.
- Sanitized placeholder in common.
- Normalized tag names with custom namespaces in DomElementSchemaRegistry (compiler).
- Sanitized dynamic href and xlink:href bindings on SVG a elements (compiler).
- Stripped namespaced SVG script elements during template compilation (compiler).
- Normalized tag names in runtime i18n attribute security context lookup (core).
- Rejected script element as a dynamic component host (core).
- Sanitized meta selectors (core).
- Supported prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (core).
- Synchronized core sanitization schema with compiler (core).
- Excluded withCredentials requests from transfer cache (http).
- Skipped TransferCache for cookie-bearing requests by default (http).
- Secured location and document initialization against SSRF and path hijack (platform-server).
- Preserved redirect policy on reconstructed asset requests (service-worker).
- Preserved explicit 'credentials: omit' in asset requests (service-worker).
- Preserved HTTP cache mode in asset group requests (service-worker).