chore(security): document sanitization breaking change.

Sanitizing style and URL values breaks specific patterns, see #8491 for an example. This documents and acknowledges the breaking change while we work on improving CSS sanitization to allow more values through.
2016-05-06 07:57:30 -07:00 · 2016-05-06 07:57:30 -07:00 · cf73ad7c8f
parent 3e68b7eb1f
commit cf73ad7c8f
1 changed files with 20 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,19 @@
+<a name="2.0.0-rc.2"></a>
+### OTHER BREAKING CHANGES
+
+- HTML, style values, and URLs are now automatically sanitized. Values that do not match are escaped
+  or ignored. When binding a URL or style property that would get ignored, bind to a value
+  explicitly marked as safe instead by injection the DOM sanitization service:
+  ```
+  class MyComponent {
+    constructor(sanitizer: DomSanitizationService) {
+      // ONLY DO THIS FOR VALUES YOU KNOW TO BE SAFE! NEVER ALLOW USER DATA IN THIS!
+      this.safeStyleValue = sanitizer.bypassSecurityTrustStyle('rotate(90deg)');
+      // then bind to `safeStyleValue` in your template.
+    }
+  }
+  ```
+
 <a name="2.0.0-rc.1"></a>
 # 2.0.0-rc.1 (2016-05-03)