fix(compiler): adding the inert property to the "SCHEMA" array

[physicx237]

This change allows template binding "inert" attribute with the following syntax: [inert]="isInert"

Fixes #51879

PR Checklist

Please check if your PR fulfills the following requirements:

• The commit message follows our guidelines: https://github.com/angular/angular/blob/main/CONTRIBUTING.md#commit
• Tests for the changes have been added (for bug fixes / features)
• Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

• Bugfix
• Feature
• Code style update (formatting, local variables)
• Refactoring (no functional changes, no api changes)
• Build related changes
• CI related changes
• Documentation content changes
• angular.io application / infrastructure changes
• Other... Please describe:

What is the current behavior?

Issue Number: #51879

What is the new behavior?

Possibility of template binding of the inert attribute with the following syntax: [inert]="isInert"

Does this PR introduce a breaking change?

• Yes
• No

Other information

[JeanMeche]

Cf the file header

// DO NOT EDIT THIS DOM SCHEMA WITHOUT A SECURITY REVIEW!
//
// Newly added properties must be security reviewed and assigned an appropriate SecurityContext in
// dom_security_schema.ts. Reach out to mprobst & rjamet for details.

I'm marking it as blocked until this is done.

[JoostK]

I don't think this is needed; inert is not a property that needs an HTML security context.

[bjarkler]

+1, this should be removed.

[physicx237]

JeanMeche said:
"See file header

// DO NOT EDIT THIS HOUSE DIAGRAM WITHOUT A SECURITY CHECK!
//
// Newly added properties must be security checked and match the corresponding SecurityContext in
// dom_security_schema.ts. More information on the mprost & rjamet website.

I mark it as blocked until this is done."

Should I leave the "inert" attribute in the security context or is it not needed?
What's the best way to proceed?

[JoostK]

The intent of that comment is to make people aware of potential security implications of the schema definitions. For example, Angular must sanitize data when binding to the innerHTML property, but not when binding to the inert property since that will only be interpreted as boolean value, not rendered as HTML.

Hence, changes to the schema require a security review to avoid mistakenly introducing a vulnerability in the framework. For inert though, I cannot think of a reason why it would be security sensitive.

[physicx237]

Cf the file header

// DO NOT EDIT THIS DOM SCHEMA WITHOUT A SECURITY REVIEW!
//
// Newly added properties must be security reviewed and assigned an appropriate SecurityContext in
// dom_security_schema.ts. Reach out to mprobst & rjamet for details.

I'm marking it as blocked until this is done.

How to reach out to mbprost & rjamet for details?

[jelbourn]

Ah, that comment is out of date (mbprost & rjamet aren't involved with Angular any longer). @bjarkler I believe inert should be completely safe here as a boolean attribute, but I'll add you for FYI anyway since it's part of the process for changing the schema.

LGTM insofar as adding inert in general, just need to address the comments from @JoostK

[bjarkler]

LGTM, thanks!

[physicx237]

Thanks for your feedback!

[JoostK]

Could you please squash the commits? The revert won't be auto squashed otherwise

[physicx237]

Yes, sure

[JoostK]

Looks like something went wrong, there's now five commits.

[JoostK]

Thanks for the updates!

[physicx237]

And thank you!

[jelbourn]

LGTM

Reviewed-for: fw-security

[pkozlowski-opensource]

LGTM

Reviewed-for: fw-security

[alxhub]

This PR was merged into the repository by commit dba3e0b.

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}