Commit Graph

4436 Commits

Author SHA1 Message Date
Martin Probst cf73ad7c8f chore(security): document sanitization breaking change.
Sanitizing style and URL values breaks specific patterns, see #8491 for
an example. This documents and acknowledges the breaking change while we
work on improving CSS sanitization to allow more values through.
2016-05-10 17:36:36 +02:00
Martin Probst 3e68b7eb1f feat(security): warn users when sanitizing in dev mode.
This should help developers to figure out what's going on when the sanitizer
strips some input.

Fixes #8522.
2016-05-09 16:46:31 +02:00
Matias Niemelä 9fbafba993 chore(parsing): change internal usage of `@` to `:` for namespaced values
Closes #8346
2016-05-09 16:20:32 +02:00
Martin Probst 7a524e3deb feat(security): add tests for URL sanitization. 2016-05-09 16:00:24 +02:00
Martin Probst 7b6c4d5acc feat(security): add tests for style sanitisation. 2016-05-09 16:00:24 +02:00
Martin Probst 99c0d503d7 chore(build): run security tests in NodeJS, too. 2016-05-09 16:00:24 +02:00
Martin Probst f86edae9f3 feat(security): add an HTML sanitizer.
This is based on Angular 1's implementation, parsing an HTML document
into an inert DOM Document implementation, and then serializing only
specifically whitelisted elements.

It currently does not support SVG sanitization, all SVG elements are
rejected.

If available, the sanitizer uses the `<template>` HTML element as an
inert container.

Sanitization works client and server-side.

Reviewers: rjamet, tbosch, molnarg, koto

Differential Revision: https://reviews.angular.io/D108
2016-05-09 16:00:24 +02:00
Martin Probst df1b1f6957 feat(security): strip XSSI prefix from XHR responses. 2016-05-05 14:25:44 -07:00
Martin Probst 9099160038 chore: fix comment indent. 2016-05-05 12:46:07 -07:00
Tobias Bosch 119abe7bb9 chore: fail build if a command from tsc-watch fails.
This bug was introduced with eba6e7946d
to integrate the compiler_cli into the build properly.

Closes #8480
2016-05-04 20:30:10 -07:00
Martin Probst 67ed2e2c0a feat(security): fill in missing security contexts.
Reviewers: koto, rjamet, molnarg

Differential Revision: https://reviews.angular.io/D109
2016-05-04 19:28:50 -07:00
Tobias Bosch 6d36a7a45f chore: fix unit tests on node.js
Closes #8476
2016-05-04 18:00:29 -07:00
Tobias Bosch e2b1e1577d fix(core): don’t detach nested view containers when destroying a view
When a view is destroyed, we destroy all views in view containers and should not detach them.
However, previously, we also detached them, which led to problems during the iteration loop.

Closes #8458
Closes #8471

Introduced by 0c600cf6e3
2016-05-04 16:27:20 -07:00
vsavkin b30ddfbfc5 chore(router): clang-format 2016-05-04 15:01:27 -07:00
vsavkin abfb522f83 refactor(router): reuse existing segments when constructing new route trees 2016-05-04 14:51:04 -07:00
vsavkin b8136cc26e fix(router): provide a top-level route segment for injection 2016-05-04 14:51:04 -07:00
vsavkin d00b26d941 refactor(router): update link to reuse url segments when possible 2016-05-04 14:51:04 -07:00
vsavkin 12637a761c refactor(router): make names consistent 2016-05-04 14:50:00 -07:00
vsavkin 1a0aea67a0 feat(core): add a component resolver that can load components lazily using system.js 2016-05-04 14:50:00 -07:00
vsavkin 0f1465b899 feat(router): update router to support lazy loading 2016-05-04 14:50:00 -07:00
Tobias Bosch c0cfd3c6ed chore: remove ts-metadata-collector from shrinkwrap
We need to use the locally installed one.

Closes #8467
2016-05-04 12:29:47 -07:00
Tobias Bosch a81923b793 fix(compiler): emit correct types for literal arrays and maps. 2016-05-04 12:14:44 -07:00
Tobias Bosch 7150ace7c7 fix(compiler): support lifecycle hooks in compiler_cli 2016-05-04 12:14:43 -07:00
Tobias Bosch bdce154282 chore: add test script for compiler_cli 2016-05-04 12:14:43 -07:00
Tobias Bosch 5a84048f72 chore: adjust build for `tools/metadata` name change 2016-05-04 12:14:38 -07:00
Tobias Bosch 188bda813e chore: rename `tools/metadata` into `tools/ts-metadata-collector`
Needed so that we can use the locally compiled one during
our tests.
2016-05-04 10:53:28 -07:00
Tobias Bosch 29700aa188 feat(metadata): emit all methods
This is needed to detect lifecycle hooks.
2016-05-04 09:11:04 -07:00
Igor Minar 3229bf1665 docs(changelog): add changelog for rc.1 2016-05-04 01:12:40 -06:00
Igor Minar 52595f52f9 chore: make workaround_empty_observable_list_diff @internal 2016-05-04 01:12:40 -06:00
Tobias Bosch edec158dd8 fix(compiler_cli): allow to use builtin directives like `NgIf`, …
Related to #8448
Closes #8454
2016-05-03 20:49:17 -07:00
Tobias Bosch 0297398f5e chore: clang-format master 2016-05-03 18:56:39 -07:00
Igor Minar 9485f5a813 fix: platform-server should declare its dependency on parse5 via package.json 2016-05-03 18:07:52 -06:00
Tobias Bosch 8f8c017882 chore: remove angular2-template-compiler from package.json
Closes #8429
2016-05-03 16:25:55 -07:00
Tobias Bosch eba6e7946d refactor(compiler_cli): move it into modules/@angular and integrate properly into the build
This also no longer depends on a version
on npm for the compiler_cli.

Also runs the tests for tools/metadata
2016-05-03 15:57:49 -07:00
Alex Eagle 3cfe281790 fix(tsickle): put the tsickle support code at EOF 2016-05-03 15:15:22 -07:00
Igor Minar 6eac4b68bc build: bump to rc.1 in package.json 2016-05-03 15:28:45 -06:00
Igor Minar fcbfacb6d5 build: do not use tsickle to lower router-deprecated
if we do this, we can break existing code that is inheriting from RouterOutlet and expects the metadata
in the old location
2016-05-03 15:09:35 -06:00
Igor Minar b600915953 build: add licensing preamble to umd bundles 2016-05-03 13:59:30 -06:00
Igor Minar 905f38acb8 build: fix source map paths for npm packages
the bundles have source maps disabled for now because when we downlevel
the esm bundle to es5 tsc doesn't consider the original source map, so
we end up with a source map pointing to the esm bundle instead, which is
not useful.
2016-05-03 13:36:33 -06:00
Alex Eagle 38f4c5f155 chore(compiler): update README following package move 2016-05-03 13:26:59 -06:00
Vikram Subramanian 509f4ec611 fix(testing): Check for pending macrotasks in ComponentFixture.whenStable() and ComponentFixture.isStable()
Closes #8389
2016-05-03 11:50:35 -07:00
Felix Itzenplitz 27a7b51d99 fix(docs): upgrade deprecated ngFor-Syntax 2016-05-03 11:49:33 -07:00
Alex Eagle a033f8335b fix(compiler): use rootDirs compilerOption to affect genDir layout.
Also update package.json to something releasable.
2016-05-03 12:41:28 -06:00
vsavkin b98c9e74e1 docs(router): add api docs 2016-05-03 11:35:07 -07:00
vsavkin 9f784dcc5a cleanup(router): fix e2e tests 2016-05-03 10:25:44 -07:00
vsavkin b625f2471a feat(router): make RouterLink accept single values 2016-05-03 10:25:44 -07:00
vsavkin 3aa2606ff1 cleanup(router): make names consistent 2016-05-03 10:25:44 -07:00
vsavkin 89704e0f93 fix(router): add support for ../ 2016-05-03 10:25:44 -07:00
Martin Probst 908a102a87 feat: security implementation in Angular 2.
Summary:
This adds basic security hooks to Angular 2.

* `SecurityContext` is a private API between core, compiler, and
  platform-browser. `SecurityContext` communicates what context a value is used
  in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
  particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
  determines the security context for an attribute or property (it turns out
  attributes and properties match for the purposes of sanitization).

Based on these hooks:

* `DomSchemaElementRegistry` decides what sanitization applies in a particular
  context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
  Value*s, i.e. the ability to mark a value as safe and not requiring further
  sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
  (surprise!).

`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).

BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***

Reviewers: IgorMinar

Differential Revision: https://reviews.angular.io/D103
2016-05-03 09:21:43 -07:00
Tobias Bosch dd6e0cf1b5 fix(compiler): fix where pipes live
Impure pipes need to live on the view
that used them and need a new instance for
each call site.

Impure pipes need to live on the component view, cached across all child views,
and need a new pure proxy for each call site that lives on the view
of the call site.

Fixes #8408

This bug was introduced not long ago by 152a117d5c
2016-05-03 09:00:23 -07:00