- many entry points were previously missing (e.g. all testing entry points, http, etc)
- upgrade ts-api-guardian to 0.0.3 that adds support for more api surface
- add all info to the spec that was surfaced by ts-api-guardian@0.0.3
This ensures we run in a clean directory, using our real distribution. It finds bugs like @internal
APIs needed to type-check in the offline compiler, as well as problems in package.json.
Also move tsc-wrapped under tools/@angular
This allows angular's build to depend on some extensions, but not on code generation, and breaks a cycle in the angular build
We now merge ts-metadata-collector into tsc-wrapped and stop publishing the former.
Added and used the cors middleware:
- add the module as a dev depedency in the package.json file
- require the module in the jsserve.js file
- add the module in the middleware list
Closes#7273Closes#7274
Summary:
This adds basic security hooks to Angular 2.
* `SecurityContext` is a private API between core, compiler, and
platform-browser. `SecurityContext` communicates what context a value is used
in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
determines the security context for an attribute or property (it turns out
attributes and properties match for the purposes of sanitization).
Based on these hooks:
* `DomSchemaElementRegistry` decides what sanitization applies in a particular
context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
Value*s, i.e. the ability to mark a value as safe and not requiring further
sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
(surprise!).
`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).
BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***
Reviewers: IgorMinar
Differential Revision: https://reviews.angular.io/D103
Also add a configuration switch to disable the codegen, so we can
still use the metadata emit and tsickle pre-processing in the
build pipeline for angular itself.
Igor Minar
Alex Eagle
laco0416
Suguru Inatomi
Anton Moiseev
Victor Berchet
Misko Hevery
Matias Niemelä
Alex Eagle
Felix Itzenplitz
Thierry Templier
Tero Parviainen
Pawel Kozlowski
Martin Probst
Tobias Bosch