1.5.23 (NES / XLTS) - July 18, 2024
Bug Fixes
- *: preserve license file headers in minified files
- *: use correct names and versions in bower.json files
New Features
- jqLite: add opt-in mode for compatibility with jQuery v4 via angular.jqLite_jQueryLt4CompatibilityEnabled()
  - See Compatibility with jQuery v4 for more information.
1.5.22 (NES / XLTS) - May 21, 2024
Bug Fixes
- $compile: always sanitize image sources on <source> elements
  - This fixes a Medium Severity Content Spoofing vulnerability (CVE-2024-8373).
- srcset: prevent bypassing image source sanitization with (ng(Attr/Prop))Srcset
  - This fixes a Medium Severity Content Spoofing vulnerability (CVE-2024-8372).
1.5.21 (NES) - February 6, 2024
Notes
- Repackaging XLTS for AngularJS 1.5 as AngularJS 1.5 NES.
- XLTS merged with HeroDevs in September 2023 and continues to support AngularJS 1.5.x under Never Ending Support (NES).
- AngularJS 1.5 NES v1.5.21 is functionally equivalent to XLTS for AngularJS 1.5 v1.5.19.
1.5.19 (XLTS) - August 18, 2023
Bug Fixes
- $compile: fix a vulnerable performance issue in ng-srcset parsing
  - This fixes a High Severity ReDoS vulnerability (CVE-2024-21490).
- route: suppress warning from CodeQL regarding escaping backslash characters
1.5.18 (XLTS) - August 4, 2023
Bug Fixes
- ngAnimate: make animation duration calculation compatible with CSS Animations Level 2
- browserTrigger: fix focus triggering in IE with jQuery >=3.7.0
- bootstrap: no longer trigger RegExp warning in CodeQL scans
1.5.17 (XLTS) - February 7, 2023
Bug Fixes
- $resource: improve performance when stripping trailing slashes
  - This fixes a Medium Severity ReDoS vulnerability (CVE-2023-26117).
- Angular:
  - collect jQuery nodes between two elements correctly for jQuery v4 preview
  - improve performance of regular expression used in angular.copy
    - This fixes a Medium Severity ReDoS vulnerability (CVE-2023-26116).
- input: make URL_REGEXP less ambiguous
  - This fixes a Medium Severity ReDoS vulnerability (CVE-2023-26118).
1.5.16 (XLTS) - June 8, 2022
Bug Fixes
- textarea: avoid interpolating when going back/forward on IE
  - This fixes a Medium Severity XSS vulnerability (CVE-2022-25869).
  - This fix was cherry-picked from the v1.9.x branch.
- input: prevent browsers from autofilling hidden inputs
  - Autofilling with previous values (which will then be $interpolated) could lead to XSS or errors.
  - This fix was cherry-picked from the v1.8.x branch.
New Features
- Angular: implement angular.version.vendor
  - This now holds the value "XLTS.dev" for ease of determining if a supported version of AngularJS is running in a given app.
Breaking Changes
- textarea: Avoid interpolating when going back/forward on IE.
  Previously, the HTML contents of <textarea> elements were interpolated on all browsers. Due to security considerations, the HTML contents of <textarea> elements are no longer interpolated on Internet Explorer.
  If you want to set the <textarea> element's value by evaluating an AngularJS expression, you can use ng-bind. For example:
  <!-- Before: -->
  <textarea>{{ 1 + 2 }}</textarea>
  <!-- After: -->
  <textarea ng-bind="1 + 2"></textarea>
1.5.15 (XLTS) - February 7, 2022
This release introduces features and fixes, including breaking changes, related to the $http module that improve security when using JSONP. It also updates the license field in our package.json based on the latest npm documentation.
Bug Fixes
- $http: fix a potential DoS RegExp issue
New Features
- $http:
  - a JSONP callback must be specified by jsonpCallbackParam config
    - This fixes a Medium Severity JSONP Callback Attack vulnerability.
  - all JSONP requests now require a trusted resource URL
    - This fixes a Medium Severity XSS vulnerability.
Breaking Changes
- $http: A JSONP callback must be specified by jsonpCallbackParam config.
  You can no longer use the JSON_CALLBACK placeholder in your JSONP requests. Instead, you must provide the name of the query parameter that will pass the callback via the jsonpCallbackParam property of the config object, or app-wide via the $http.defaults.jsonpCallbackParam property, which is "callback" by default.
  Before this change:
  After this change:
- $http: All JSONP requests now require a trusted resource URL.
  All JSONP requests now require the URL to be trusted as a resource URL. There are two approaches to trust a URL:
  - Whitelisting with the $sceDelegateProvider.resourceUrlWhitelist() method. You configure this list in a module configuration block:
  - Explicitly trusting the URL via the $sce.trustAsResourceUrl(url) method. You can pass a trusted object instead of a string as a URL to the $http service:
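The two JSONP rules above, modelled as an added stand-alone example (not AngularJS's own code): the wildcard semantics the AngularJS docs give for resourceUrlWhitelist entries ('self', '*', '**') and the rule that the callback query parameter comes only from jsonpCallbackParam. The app origin https://app.example.com, the whitelist entries and the callback name are constructed values.

```javascript
// Simplified model of the post-1.5.15 JSONP checks: a trusted-resource-URL whitelist
// with the documented '*' / '**' / 'self' semantics, plus the jsonpCallbackParam rule.
// Not AngularJS's own code. APP_ORIGIN is a constructed value standing in for $location.
const APP_ORIGIN = 'https://app.example.com';

// Turn one whitelist entry into a matcher: '*' matches any run of characters except
// ':/.?&;', '**' matches anything, a RegExp is anchored, 'self' means same origin.
function toMatcher(entry) {
  if (entry === 'self') return entry;
  if (entry instanceof RegExp) return new RegExp('^' + entry.source + '$');
  if (entry.indexOf('***') > -1) throw new Error('ill-defined wildcard in ' + entry);
  const escaped = entry.replace(/[-()\[\]{}+?*.$^|,:#<!\\]/g, '\\$&')
    .replace(/\\\*\\\*/g, '.*')
    .replace(/\\\*/g, '[^:/.?&;]*');
  return new RegExp('^' + escaped + '$');
}

function matches(matcher, url) {
  if (matcher === 'self') return new URL(url).origin === APP_ORIGIN;
  return matcher.test(url);
}

// Trusted when some whitelist entry matches and no blacklist entry does.
function isTrustedResourceUrl(url, whitelist, blacklist = []) {
  const allowed = whitelist.map(toMatcher).some((m) => matches(m, url));
  const denied = blacklist.map(toMatcher).some((m) => matches(m, url));
  return allowed && !denied;
}

// Build the JSONP request URL: the callback query parameter is appended from
// jsonpCallbackParam only; a JSON_CALLBACK placeholder or a caller-supplied callback
// parameter is rejected, and an untrusted URL never reaches the network.
function buildJsonpUrl(url, whitelist, jsonpCallbackParam = 'callback') {
  const callbackName = 'angular.callbacks._0'; // constructed: first registered callback
  if (!isTrustedResourceUrl(url, whitelist)) throw new Error('untrusted JSONP URL: ' + url);
  if (url.indexOf('JSON_CALLBACK') > -1) throw new Error('JSON_CALLBACK placeholder is not supported');
  if (new URL(url).searchParams.has(jsonpCallbackParam)) {
    throw new Error('callback parameter must not be set in the URL');
  }
  const sep = url.indexOf('?') > -1 ? '&' : '?';
  return url + sep + jsonpCallbackParam + '=' + encodeURIComponent(callbackName);
}

// Constructed whitelist: same origin, one API host, and one CDN subdomain path.
const WHITELIST = ['self', 'https://api.example.com/**', 'https://*.cdn.example.net/jsonp/*'];
```

Note that a single '*' stops at '.', so 'https://*.cdn.example.net/jsonp/*' admits one subdomain label only, while '**' admits any path including a query string.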
With this release, we have completed the process of back-porting all the security fixes from AngularJS 1.8.2 to XLTS for AngularJS 1.5.x.
1.5.14 (XLTS) - December 3, 2021
Bug Fixes
- $sanitize:
  - do not trigger CSP alert/report in Firefox and Chrome
  - sanitize xml:base attributes
    - This fixes a Medium Severity XSS vulnerability.
  - use appropriate inert document strategy for Firefox and Safari
    - This fixes a Medium Severity XSS vulnerability.
  - prevent clobbered elements from freezing the browser
    - This fixes a Medium Severity Denial of Service vulnerability.
- Angular: avoid catastrophic backtracking in XHTML_TAG_REGEXP
- jqLite: define jqLite.htmlPrefilter inline
- angular.merge: do not merge proto property
  - This fixes a High Severity vulnerability associated with CVE-2019-10768.
1.5.13 (XLTS) - August 20, 2021
Bug Fixes
- jqLite: prevent possible XSS due to regex-based HTML replacement
  - This fixes Medium Severity and High Severity vulnerabilities associated with CVE-2020-7676.
  - This fix was cherry-picked from the v1.8.x branch.
- docs: remove extra "." in error link URLs
New Features
- jqLite: print warnings for problematic HTML input
Breaking Changes
- jqLite: due to:
  - jqLite: prevent possible XSS due to regex-based HTML replacement
  - See https://jquery.com/upgrade-guide/3.5/
  This applies a similar change to jqLite. Using self-closing tags in HTML is no longer supported.
1.5.12 (XLTS) - August 1, 2021
This is the first XLTS for AngularJS 1.5.x release! 🚀
As such, there have been updates to the License and the Security Policy. New security issues should be sent to security@xlts.dev.
Bug Fixes
- sanitizeUri: sanitize URIs that contain IDEOGRAPHIC SPACE chars
  - This is a Medium Severity Security fix for an XSS vulnerability in Chrome 62 and earlier.
  - This fix was cherry-picked from the v1.7.x branch.
- jqlite: nosel error points to an invalid URL
- $interpolate: fix docs URL in noconcat error
- $sce: fix docs URL in iequirks error
- misc:
  - update error reference links to use code.angularjs.xlts.dev
  - fix 28 security warnings in build, test, and release tooling
- browserTrigger: support CompositionEvent
- grunt-utils: insert the core CSS styles without using innerHTML
- Angular:
  - add workaround for Safari / Webdriver problem
  - do not auto bootstrap if the src exists but is empty
  - do not auto bootstrap if the currentScript has been clobbered
  - do not auto bootstrap if the script source is bad and inside SVG
- minErr: update url to https
- docs:
  - linting cleanup of the web worker used for search
  - fix @media breakpoints for small/extra small devices
- ngScenario: completely remove the angular scenario runner
Breaking Changes
- ngScenario: Completely remove the angular scenario runner.
  The angular scenario runner end-to-end test framework has been removed from the project and will no longer be available on npm starting with 1.5.12.
  It was deprecated and removed from the documentation in 2014. Applications that still use it should migrate to Protractor or another e2e testing framework.