Commit Graph

11 Commits

Author SHA1 Message Date
Victor Berchet 75e6dfb9ab fix(browser): platform code cleanup 2016-05-23 17:57:28 -07:00
Victor Berchet 54f8308999 refactor(browser): merge static & dynamic platforms 2016-05-20 10:48:55 -07:00
Victor Berchet 6e62217b78 fix(WebWorker): remove the platform-browser dependency on compiler 2016-05-18 16:23:09 -07:00
Martin Probst 50c9bed630 feat(security): expose the safe value types.
This allows users to properly type their `SafeHtml`, `SafeStyle`, etc values.

Fixes #8568.
2016-05-15 11:47:06 +02:00
vsavkin 1a0aea67a0 feat(core): add a component resolver that can load components lazily using system.js 2016-05-04 14:50:00 -07:00
Tobias Bosch 7150ace7c7 fix(compiler): support lifecycle hooks in compiler_cli 2016-05-04 12:14:43 -07:00
Martin Probst 908a102a87 feat: security implementation in Angular 2.
Summary:
This adds basic security hooks to Angular 2.

* `SecurityContext` is a private API between core, compiler, and
  platform-browser. `SecurityContext` communicates what context a value is used
  in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
  particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
  determines the security context for an attribute or property (it turns out
  attributes and properties match for the purposes of sanitization).

Based on these hooks:

* `DomSchemaElementRegistry` decides what sanitization applies in a particular
  context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
  Value*s, i.e. the ability to mark a value as safe and not requiring further
  sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
  (surprise!).

`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).

BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***

Reviewers: IgorMinar

Differential Revision: https://reviews.angular.io/D103
2016-05-03 09:21:43 -07:00
Misko Hevery 107016ec12 chore: router move import changes 2016-05-02 13:27:03 -07:00
Misko Hevery 3e17c99f4e chore: clang-reformat 2016-05-01 22:59:41 -07:00
Igor Minar a66cdb469f repackaging: all the repackaging changes squashed 2016-05-01 20:51:00 -07:00
Igor Minar 505da6c0a8 repackaging: all the file moves 2016-05-01 20:51:00 -07:00