There is no need to expose this additional method inside of the Renderer
API. The functionality can be restored by looping and calling
`setElementStyle` instead.
Note that this change is changing code that was was introduced after
the last release therefore this fix is not a breaking change.
Closes#9000Closes#9009
Automatically recognize XSRF protection cookies, and set a corresponding XSRF
header. Allows applications to configure the cookie names, or if needed,
completely override the XSRF request configuration by binding their own
XSRFHandler implementation.
Part of #8511.
Allows sanitized URLs for CSS properties. These can be abused for information
leakage, but only if the CSS rules are already set up to allow for it. That is,
an attacker cannot cause information leakage without controlling the style rules
present, or a very particular setup.
Fixes#8514.
This is based on Angular 1's implementation, parsing an HTML document
into an inert DOM Document implementation, and then serializing only
specifically whitelisted elements.
It currently does not support SVG sanitization, all SVG elements are
rejected.
If available, the sanitizer uses the `<template>` HTML element as an
inert container.
Sanitization works client and server-side.
Reviewers: rjamet, tbosch , molnarg , koto
Differential Revision: https://reviews.angular.io/D108
Matias Niemelä
Victor Berchet
Vikram Subramanian
Martin Probst
Alfonso Presa
Marc Laval
Misko Hevery
Igor Minar