v21.2.15
📦 angular
🐛 16 fixes
Summary
This release focuses heavily on security enhancements across multiple areas, including sanitization improvements in the compiler and core, and preventing SSRF bypasses in platform-server. HTTP client and service worker logic also received fixes related to caching and credentials handling.
🐛 Bug Fixes
- Added upper bounds for digitsInfo in common.
- Sanitized placeholder in common.
- Normalized tag names with custom namespaces in DomElementSchemaRegistry (compiler).
- Prevented namespaced SVG <style> elements from being stripped (compiler).
- Sanitized dynamic href and xlink:href bindings on SVG <a> elements (compiler).
- Stripped namespaced SVG <script> elements during template compilation (compiler).
- Normalized tag names in runtime i18n attribute security context lookup (core).
- Sanitized meta selectors (core).
- Supported prefix-insensitive DOM schema lookups and compile-time i18n attribute validation (core).
- Synchronized core sanitization schema with compiler (core).
- Excluded withCredentials requests from transfer cache (http).
- Skipped TransferCache for cookie-bearing requests by default (http).
- Prevented SSRF bypasses via backslash URLs in HttpClient (platform-server).
- Secured location and document initialization against SSRF and path hijack (platform-server).
- Preserved explicit 'credentials: omit' in asset requests (service-worker).
- Preserved HTTP cache mode in asset group requests (service-worker).