fix(core): fix possible XSS attack in development through SSR #40525
Closed
mhevery wants to merge 1 commit into angular:master from
Contributor
Author
IgorMinar
approved these changes
Jan 22, 2021
Contributor
IgorMinar
left a comment
LGTM, with a few nits. Can you please rework the tests to be more clear and have better coverage? thanks
Contributor
and the CI seems unhappy, PTAL
IgorMinar
reviewed
Jan 22, 2021
IgorMinar
approved these changes
Jan 22, 2021
Contributor
IgorMinar
left a comment
thanks for the updates!
jessicajaniuk
pushed a commit
that referenced
this pull request
Jan 22, 2021
This is a follow up fix for 894286d.

It turns out that comments can be closed in several ways:
- `<!-->`
- `<!-- -->`
- `<!-- --!>`

All of the above are valid ways to close comment per: https://html.spec.whatwg.org/multipage/syntax.html#comments

The new fix surrounds `<` and `>` with zero width space so that it renders in the same way, but it prevents the comment to be closed eagerly.

PR Close #40525
jessicajaniuk
pushed a commit
to jessicajaniuk/angular
that referenced
this pull request
Jan 23, 2021
…angular#40525)" This reverts commit bb3b315. Reason for Revert: Issues with Google3 TAP Failures
jessicajaniuk
pushed a commit
that referenced
this pull request
Jan 23, 2021
jessicajaniuk
pushed a commit
that referenced
this pull request
Jan 23, 2021
Contributor
We had to rollback this due to legitimate failing targets in google3. Please take a look.
gkalpak
reviewed
Jan 23, 2021
Contributor
Author
This is a follow up fix for angular@894286d.

It turns out that comments can be closed in several ways:
- `<!-->`
- `<!-- -->`
- `<!-- --!>`

All of the above are valid ways to close comment per: https://html.spec.whatwg.org/multipage/syntax.html#comments

The new fix surrounds `<` and `>` with zero width space so that it renders in the same way, but it prevents the comment to be closed eagerly.
jessicajaniuk
pushed a commit
that referenced
this pull request
Jan 26, 2021
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot.
mhevery
added a commit
that referenced
this pull request
Mar 18, 2021
This is a follow up fix for 894286d.

It turns out that comments can be closed in several ways:
- `<!-->`
- `<!-- -->`
- `<!-- --!>`

All of the above are valid ways to close comment per:
https://html.spec.whatwg.org/multipage/syntax.html#comments

The new fix surrounds `<` and `>` with zero width space so that it renders in the same way, but it prevents the comment to be closed eagerly.
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Issue Number: N/A
What is the new behavior?
Does this PR introduce a breaking change?
Other information
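
The approach in the PR description, as an added example that is not Angular's code: it locates where a parser would end a comment early and checks that padding `<` and `>` with U+200B removes every such point. The names `earlyCloseIndex`, `neutralizeCommentText` and `audit` are hypothetical, the sample strings are constructed, and escaping every `<` and `>` is an assumption about scope.

```typescript
// Added illustration; not Angular's implementation. All names are hypothetical.
const ZWSP: string = '\u200B'; // zero width space

// Offset in `text` at which an HTML parser would end a comment serialized as
// "<!--" + text + "-->" before reaching our own "-->", or -1 if there is none.
function earlyCloseIndex(text: string): number {
  // "<!-->" and "<!--->": a body that starts with ">" or "->" ends immediately.
  if (text.indexOf('>') === 0 || text.indexOf('->') === 0) return 0;
  let first: number = -1;
  for (const closer of ['-->', '--!>']) {
    const at: number = text.indexOf(closer);
    if (at >= 0 && (first < 0 || at < first)) first = at;
  }
  return first;
}

// Pad every "<" and ">" with zero width spaces. The text looks the same when
// displayed, but no closing sequence survives because "-" or "!" is never
// directly followed by ">". Assumption: escaping all delimiters is acceptable.
function neutralizeCommentText(text: string): string {
  return text.replace(/[<>]/g, (ch: string): string => ZWSP + ch + ZWSP);
}

// Constructed sample values that could end up inside a comment node.
const SAMPLES: string[] = [
  '>',
  '->',
  'x --> <b id="injected">',
  'x --!> y',
  'a <!-- b',
  'plain text',
];

// Early-close offsets before and after neutralizing, for each sample.
function audit(samples: string[]): Array<{ before: number; after: number }> {
  return samples.map((s: string) => ({
    before: earlyCloseIndex(s),
    after: earlyCloseIndex(neutralizeCommentText(s)),
  }));
}
```

A nested `<!--` is only a parse error and does not end the comment, which is why `'a <!-- b'` reports -1 even before escaping.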