v22.0.0-rc.2
📦 angular
🐛 18 fixes · 🔧 3 symbols
Summary
This release focuses heavily on security fixes, particularly around sanitization of tags, attributes, and SSRF prevention. Several subscription leaks in core and http modules were also resolved.
🐛 Bug Fixes
- Added upper bounds for digitsInfo in common.
- Sanitized placeholder in common.
- Normalized tag names with custom namespaces in DomElementSchemaRegistry in compiler.
- Prevented namespaced SVG <style> elements from being stripped in compiler.
- Sanitized dynamic href and xlink:href bindings on SVG <a> elements in compiler.
- Stopped registering dom triggers when defer blocks are in manual mode in core.
- Normalized tag names in runtime i18n attribute security context lookup in core.
- Prevented rxResource from leaking a subscription in core.
- Sanitized meta selectors in core.
- Avoided redundant invalidations in parser errors signal in forms (performance improvement).
- Excluded withCredentials requests from transfer cache in http.
- Introduced a max buffer size for fetch requests on SSR in http.
- Prevented httpResource from leaking a subscription in http.
- Skipped TransferCache for cookie-bearing requests by default in http.
- Prevented SSRF bypasses via backslash URLs in HttpClient in platform-server.
- Secured location and document initialization against SSRF and path hijack in platform-server.
- Preserved explicit 'credentials: omit' in asset requests in service-worker.
- Preserved HTTP cache mode in asset group requests in service-worker.
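As an added illustration (not Angular's code and not the actual fix behind the HttpClient/platform-server entry above), the following shows the parsing mismatch that the "backslash URL" SSRF bypass class relies on: a hand-rolled string check reads a different host than the WHATWG URL parser, which for http(s) URLs treats `\` as a path separator, so a request can pass the check and still be sent to another host. The allowlist `ALLOWED_HOSTS`, the hostnames and `SAMPLE_BYPASS` are constructed for this example; the hardened version simply trusts the same parser the fetch layer uses.

```typescript
// Added example, not Angular's code. Demonstrates why a host allowlist must be
// checked against the parsed URL rather than the raw string.

// Constructed allowlist for the example.
const ALLOWED_HOSTS: ReadonlySet<string> = new Set(["api.allowed.example"]);

function hostOnAllowlist(host: string): boolean {
  const h = host.toLowerCase();
  return ALLOWED_HOSTS.has(h) || h.endsWith(".allowed.example");
}

// Naive check: slices the "host" out of the raw string between "//" and the next
// "/", "?" or "#". It does not know that the WHATWG parser also ends the authority
// at "\" for special schemes such as http and https.
function naiveHostAllowed(rawUrl: string): boolean {
  const m = /^https?:\/\/([^\/?#]+)/i.exec(rawUrl);
  if (!m) return false;
  // Strip userinfo and port the way hand-rolled checks usually do.
  const host = m[1].replace(/^.*@/, "").replace(/:\d+$/, "");
  return hostOnAllowlist(host);
}

// Parse with the platform URL parser; null when it is not a usable http(s) URL.
function parseHttpUrl(rawUrl: string): URL | null {
  let u: URL;
  try {
    u = new URL(rawUrl);
  } catch {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u;
}

// Hardened check: let the same parser that will issue the request decide what the
// host is, reject userinfo outright, and compare the canonical hostname.
function parsedHostAllowed(rawUrl: string): boolean {
  const u = parseHttpUrl(rawUrl);
  if (u === null) return false;
  if (u.username !== "" || u.password !== "") return false;
  return hostOnAllowlist(u.hostname);
}

// Where the request would really be sent, according to the WHATWG parser.
function effectiveHost(rawUrl: string): string | null {
  const u = parseHttpUrl(rawUrl);
  return u === null ? null : u.hostname;
}

// Constructed sample input: the backslash terminates the authority for the parser,
// so the request targets attacker.example, while the string check sees the whole
// "attacker.example\api.allowed.example" and accepts it by suffix.
const SAMPLE_BYPASS = "http://attacker.example\\api.allowed.example/v1";

// Stand-alone run: shows the two checks disagreeing on the same input.
console.log("naive  :", naiveHostAllowed(SAMPLE_BYPASS));   // true  (wrongly accepted)
console.log("parsed :", parsedHostAllowed(SAMPLE_BYPASS));  // false (rejected)
console.log("target :", effectiveHost(SAMPLE_BYPASS));      // attacker.example
```

The defensive takeaway is the order of operations: parse first with the platform parser, then validate the canonical `hostname`, and never derive the host from the raw string with a regex or `indexOf`, because every parser quirk (backslashes, userinfo, unusual encodings) then becomes a potential disagreement between the check and the request.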