mirror of
https://github.com/Hopiu/angular.js.git
synced 2026-03-24 10:20:23 +00:00
4fdab37659
Sanitization works in two phases:
1) We parse the HTML into sax-like events (start, end, chars).
HTML parsing is very complex, and so it may very well be that what
most browser consider valid HTML may not pares properly here,
but we do best effort. We treat this parser as untrusted.
2) We have safe sanitizeWriter which treats its input (start, end, chars)
as untrusted content and escapes everything. It only allows elements
in the whitelist and only allows attributes which are whitelisted.
Any attribute value must not start with 'javascript:'. This check
is performed after escaping for entity (&xAB; etc..) and ignoring
any whitespace.
- Correct linky filter to use safeHtmlWriter
- Correct html filter to use safeHtmlWriter
Close #33; Close #34
1.1 KiB
1.1 KiB
0.9.1 repulsion-field (in-progress)
Breaking changes
- $cookieStore service is not globally published any more, if you use it, you must request it via $inject as any other non-global service
- html filter now sanitizes html content for XSS attacks which may result in different behavior
0.9.0 dragon-breath (2010-10-20)
Security
- angular.fromJson not safer (issue #57)
- readString consumes invalid escapes (issue #56)
- use new Function instead of eval (issue #52)
Speed
- css cleanup + inline all css and images in the main js (issue #64)
Testability
- initial version of the built-in end-to-end scenario runner (issues #50, #67, #70)
API
- allow ng:controller nesting (issue #39)
- new built-in date format filter (issue #45)
- $location needs method you call on updates (issue #32)
Chores
- release versioning + file renaming (issue #69)
Breaking changes
- $location.parse was replaced with $location.update
- all css and img files were inlined into the main js file, to support IE7 and older app must host angular-ie-compat.js file
Big Thanks to Our Community Contributors
- Vojta Jina