-
Notifications
You must be signed in to change notification settings - Fork 24.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(compiler): adding the inert property to the "SCHEMA" array #53148
Conversation
Cf the file header
I'm marking it as blocked until this is done. |
@@ -31,6 +31,7 @@ export function SECURITY_SCHEMA(): {[k: string]: SecurityContext} { | |||
'iframe|srcdoc', | |||
'*|innerHTML', | |||
'*|outerHTML', | |||
'*|inert', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is needed; inert
is not a property that needs an HTML security context.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1, this should be removed.
JeanMeche said: // DO NOT EDIT THIS HOUSE DIAGRAM WITHOUT A SECURITY CHECK! I mark it as blocked until this is done." Should I leave the "inert" attribute in the security context or is it not needed? |
The intent of that comment is to make people aware of potential security implications of the schema definitions. For example, Angular must sanitize data when binding to the Hence, changes to the schema require a security review to avoid mistakenly introducing a vulnerability in the framework. For |
How to reach out to mbprost & rjamet for details? |
Ah, that comment is out of date (mbprost & rjamet aren't involved with Angular any longer). @bjarkler I believe LGTM insofar as adding |
LGTM, thanks! |
Thanks for your feedback! |
Could you please squash the commits? The revert won't be auto squashed otherwise |
Yes, sure |
Looks like something went wrong, there's now five commits. |
21b3336
to
db9a4ad
Compare
This change allows template binding "inert" attribute with the following syntax: [inert]="isInert" Fixes #51879 fixup! fix(compiler): adding the inert property to the "SCHEMA" array revert: "fixup! fix(compiler): adding the inert property to the "SCHEMA" array" This reverts commit b637b7c. This commit is being reverted because the inert property is safe as a boolean attribute
db9a4ad
to
ad4bad5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the updates!
And thank you! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Reviewed-for: fw-security
39522b0
to
ad4bad5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Reviewed-for: fw-security
This PR was merged into the repository by commit dba3e0b. |
This change allows template binding "inert" attribute with the following syntax: [inert]="isInert" Fixes #51879 fixup! fix(compiler): adding the inert property to the "SCHEMA" array revert: "fixup! fix(compiler): adding the inert property to the "SCHEMA" array" This reverts commit b637b7c. This commit is being reverted because the inert property is safe as a boolean attribute PR Close #53148
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
This change allows template binding "inert" attribute with the following syntax: [inert]="isInert"
Fixes #51879
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Issue Number: #51879
What is the new behavior?
Possibility of template binding of the inert attribute with the following syntax: [inert]="isInert"
Does this PR introduce a breaking change?
Other information