Summary:
This adds basic security hooks to Angular 2.
* `SecurityContext` is a private API between core, compiler, and
platform-browser. `SecurityContext` communicates what context a value is used
in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
determines the security context for an attribute or property (it turns out
attributes and properties match for the purposes of sanitization).
Based on these hooks:
* `DomSchemaElementRegistry` decides what sanitization applies in a particular
context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
Value*s, i.e. the ability to mark a value as safe and not requiring further
sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
(surprise!).
`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).
BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***
Reviewers: IgorMinar
Differential Revision: https://reviews.angular.io/D103
Also add a configuration switch to disable the codegen, so we can
still use the metadata emit and tsickle pre-processing in the
build pipeline for angular itself.
Before, we would create all fields in the generated views
with visibility `private`. This does not work if an embedded
view references a directive / element in a parent view.
In Dart, this was no problem so far as it does not have
a `private` modifier.
Before, `useValue` in a provider did not work when doing
offline compile, as so far the `MetadataResolver` was only
used for jit mode. Now, `useValue` supports any kind of value
that the static reflector can return. E.g. primitives,
arrays, string maps, …
Closes#8366
Most of the bugs discovered so far in the offline compiler were related to the StaticReflector. As it was part of angular2 core, it was hard to update. Moving it into the compiler_cli allows to release more often until the compiler_cli gets more stable.
Note: Moving the unit test next to the sources is the simplest option for now in terms of build setup.
Note: This commit only does the move. The next commit updates the build to run it again.
BREAKING CHANGE:
- ViewRef.changeDetectorRef was removed as using ChangeDetectorRefs
for EmbeddedViewRefs does not make sense. Use ComponentRef.changeDetectorRef
or inject ChangeDetectorRef instead.
Fixes#8242
BREAKING CHANGE:
- Before, a `EmbeddedViewRef` used to have methods for
setting variables. Now, a user has to pass in a context
object that represents all variables when an `EmbeddedViewRef`
should be created.
- `ViewContainerRef.createEmbeddedViewRef` now takes
a context object as 2nd argument.
- `EmbeddedViewRef.setLocal` and `getLocal` have been removed.
Use `EmbeddedViewRef.context` to access the context.
- `DebugNode.locals` has been removed. Use the new methods `DebugElement.references`
to get the references that are present on this element,
or `DebugElement.context` to get the context of the `EmbeddedViewRef` or the component to which the element belongs.
Closes#8321
The filename contains the module name as resolved by users, so the top-level module name is uneeded.
Module names on references are replaced by capturing the import syntax from the module.
This allows readers of the metadata to do the module resolution themselves.
Fixes#8225Fixes#8082Closes#8256
Introduces `ref-` to give a name to an element or a directive (also works for `<template>` elements), and `let-` to introduce an input variable for a `<template>` element.
BREAKING CHANGE:
- `#...` now always means `ref-`.
- `<template #abc>` now defines a reference to the TemplateRef, instead of an input variable used inside of the template.
- `#...` inside of a *ngIf, … directives is deprecated.
Use `let …` instead.
- `var-...` is deprecated. Replace with `let-...` for `<template>` elements and `ref-` for non `<template>` elements.
Closes#7158Closes#8264
Pure pipes as well as arrays and maps are
implemented via proxy functions. This is
faster than the previous implementation
and also generates less code.
BREAKING CHANGE:
- pipes now take a variable number of arguments, and not an array that contains all arguments.
Update the version of zone.js to @0.6.12 that contains the new FakeAsyncTestZoneSpec.
The new fakeAsync zone handles errors better and clearPendingTimers() is no longer required to be called after handling an error and is deprecated.
The fakeAsync test zone will now throw an error if an XHR is attemtped within the test since that cannot be controlled synchronously in the test(Need to be mocked out with a service implementation that doesn't involve XHRs).
This commit also allows fakeAsync to wrap inject to make it consistent with async test zone.
BREAKING CHANGE:
inject can no longer wrap fakeAsync while fakeAsync can wrap inject. So the order in existing tests with inject and fakeAsync has to be switched as follows:
Before:
```
inject([...], fakeAsync((...) => {...}))
```
After:
```
fakeAsync(inject([...], (...) => {...}))
```
Closes#8142
This changes Angular so that it can be used without reflection (assuming a codegen for injectors).
BREAKIKNG CHANGE:
- Drops `APP_COMPONENT` provider. Instead, inject
`ApplicationRef` and read its `componentTypes` property.
- long form bootstrap has changed into the following:
```
var platform = createPlatform(ReflectiveInjector.resolveAndCreate(BROWSER_PROVIDERS));
var appInjector =
ReflectiveInjector.resolveAndCreate([BROWSER_APP_PROVIDERS, appProviders], platform.injector);
coreLoadAndBootstrap(appInjector, MyApp);
```
BREAKING CHANGE:
- Injector was renamed into `ReflectiveInjector`,
as `Injector` is only an abstract class with one method on it
- `Injector.getOptional()` was changed into `Injector.get(token, notFoundValue)`
to make implementing injectors simpler
- `ViewContainerRef.createComponent` now takes an `Injector`
instead of `ResolvedProviders`. If a reflective injector
should be used, create one before calling this method.
(e.g. via `ReflectiveInjector.resolveAndCreate(…)`.
This adds the feature for `@ViewChild`/`@ViewChildren`/`@ContentChild`/`@ContentChildren` to define what to read from the queried element.
E.g. `@ViewChild(`someVar`, read: ViewContainerRef)` will locate the element with a variable `someVar` on it and return a `ViewContainerRef` for it.
Background: With this change, Angular knows exactly at which elements there will be `ViewConainerRef`s as the user has to ask explicitly of them. This simplifies codegen and will make converting Angular templates into server side templates simpler as well.
BREAKING CHANGE:
- `DynamicComponentLoader.loadIntoLocation` has been removed. Use `@ViewChild(‘myVar’, read: ViewContainerRef)` to get hold of a `ViewContainerRef` at an element with variable `myVar`.
- `DynamicComponentLoader.loadNextToLocation` now takes a `ViewContainerRef` instead of an `ElementRef`.
- `AppViewManager` is renamed into `ViewUtils` and is a mere private utility service.
Each compile template now exposes a `<CompName>NgFactory` variable
with an instance of a `ComponentFactory`.
Calling `ComponentFactory.create` returns a `ComponentRef` that can
be used directly.
BREAKING CHANGE:
- `Compiler` is renamed to `ComponentResolver`,
`Compiler.compileInHost` has been renamed to `ComponentResolver.resolveComponent`.
- `ComponentRef.dispose` is renamed to `ComponentRef.destroy`
- `ViewContainerRef.createHostView` is renamed to `ViewContainerRef.createComponent`
- `ComponentFixture_` has been removed, the class `ComponentFixture`
can now be created directly as it is no more using private APIs.
Instead of using injectAsync and returning a promise, use the `async` function
to wrap tests. This will run the test inside a zone which does not complete
the test until all asynchronous tasks have been completed.
`async` may be used with the `inject` function, or separately.
BREAKING CHANGE:
`injectAsync` is now deprecated. Instead, use the `async` function
to wrap any asynchronous tests.
Before:
```
it('should wait for returned promises', injectAsync([FancyService], (service) => {
return service.getAsyncValue().then((value) => { expect(value).toEqual('async value'); });
}));
it('should wait for returned promises', injectAsync([], () => {
return somePromise.then(() => { expect(true).toEqual(true); });
}));
```
After:
```
it('should wait for returned promises', async(inject([FancyService], (service) => {
service.getAsyncValue().then((value) => { expect(value).toEqual('async value'); });
})));
// Note that if there is no injection, we no longer need `inject` OR `injectAsync`.
it('should wait for returned promises', async(() => {
somePromise.then() => { expect(true).toEqual(true); });
}));
```
Closes#7735
BREAKING CHANGE:
- Renderer:
* renderComponent method is removed form `Renderer`, only present on `RootRenderer`
* Renderer.setDebugInfo is removed. Renderer.createElement / createText / createTemplateAnchor
now take the DebugInfo directly.
- Query semantics:
* Queries don't work with dynamically loaded components.
* e.g. for router-outlet: loaded components can't be queries via @ViewQuery,
but router-outlet emits an event `activate` now that emits the activated component
- Exception classes and the context inside changed (renamed fields)
- DebugElement.attributes is an Object and not a Map in JS any more
- ChangeDetectorGenConfig was renamed into CompilerConfig
- AppViewManager.createEmbeddedViewInContainer / AppViewManager.createHostViewInContainer
are removed, use the methods in ViewContainerRef instead
- Change detection order changed:
* 1. dirty check component inputs
* 2. dirty check content children
* 3. update render nodes
Closes#6301Closes#6567
To workaround https://github.com/Microsoft/TypeScript/issues/7573
we must remove the readonly keyword from generated .d.ts files.
This solution will not scale, but will probably buy enough time to require our users move to a 2.0 beta.
Closes#8003
process.env.TRAVIS_PULL_REQUEST contains a string and not a boolean value, so we need
to compare it to a string literal rather than do boolean arithmetics.
Instead of running with karma and the karma-dart shim, run dart
tests directly using the new package:test runner. This migrates
away from package:unittest.
Fixes a couple tests, mostly associated with depending on absolute
URLs or editing the test providers after an injector had already
been created.
Remove karma-dart and associated files. Change gupfiles to run tests
via `pub run test` instead.
@petebacondarwin deserves credit for most of this commit.
This allows you to specify a regex and serializer function instead
of the path DSL in your route declaration.
```
@RouteConfig([
{ regex: '[a-z]+.[0-9]+',
serializer: (params) => `{params.a}.params.b}`,
component: MyComponent }
])
class Component {}
```
Closes#7325Closes#7126
BREAKING CHANGE:
`OnPushObserve` was an experimental
feature for Dart and had
conceptual performance problems,
as setting up observables is slow.
Use `OnPush` instead.
BREAKING CHANGE:
In Dart we used to support injecting types with generics. As this feature is hard to implement with the upcoming codegen we are dropping it.
Merge cl/115454020 in G3 with this change.
Closes#7262
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
feat(pipes): add ReplacePipe for string manipulation
add commonly used pipe that is missing from framework.
Adding static pattern validation method to Validators
Adding a directive for the pattern validator
Applying clang-format rules to modified files
Updating public api spec for new pattern validator
Adding pattern validator to public api guard tool
For #5411Closes#5561
Despite local testing, multiple users failed to run the postinstall to install typings.
Instead, we can distribute the typings we installed locally.
This is an alternative to #7003.
This also reverts rxjs to beta.1 since we have errors using beta.2, being addressed
in #7001.
Fixes#7000
This resolves Duplicate Identifier issues seen by many users,
at the expense of more typings installation required in some
cases.
Removes the quickstart hack of placing all needed dependencies
typings files in our distribution. Removes dependencies on
nodejs from angular2/core.
Fixes#5973Fixes#5807Fixes#6266
Angular now depends on es6-promise and es6-collections
(and a handful of manual typings) rather than all of es6-shim.
Fixes#5242
We previously had an undocumented breaking change, this is now
documented in this commit.
Fixes#6817
BREAKING CHANGE:
Transitive typings are no longer included in the distribution.
You may need to install typings in your project using
http://github.com/typings/typings
Users now must rely on getting typings from:
- one of the peerDependencies, such as rxjs, which exposes
typings via the moduleResolution=node mechanism.
(see https://github.com/Microsoft/TypeScript/wiki/Typings-for-npm-packages)
This happens automatically.
- Using --target ES5 now requires manual installation of
es6-promise and es6-collections typings.
- Using some angular APIs may introduce a dependency on eg. nodejs
or jasmine, and those typings need manual installation as well.
Closes#6267
The upstream Jasmine typings don't define a type for the global
object with Jasmine methods polluting it, so just use any.
Also zone.js has a different name upstream.
Now, using `ng.probe(element)` in the browser console returns
a DebugElement when in dev mode.
`ComponentFixture#debugElement` also returns a new DebugElement.
Breaking Change:
This is a breaking change for unit tests. The API for the DebugElement
has changed. Now, there is a DebugElement or DebugNode for every node
in the DOM, not only nodes with an ElementRef. `componentViewChildren` is
removed, and `childNodes` is a list of ElementNodes corresponding to every
child in the DOM. `query` no longer takes a scope parameter, since
the entire rendered DOM is included in the `childNodes`.
Before:
```
componentFixture.debugElement.componentViewChildren[0];
```
After
```
// Depending on the DOM structure of your component, the
// index may have changed or the first component child
// may be a sub-child.
componentFixture.debugElement.children[0];
```
Before:
```
debugElement.query(By.css('div'), Scope.all());
```
After:
```
debugElement.query(By.css('div'));
```
Before:
```
componentFixture.debugElement.elementRef;
```
After:
```
componentFixture.elementRef;
```
The newest version of the analyzer emits hints when it encounters TODOs
in code, which is breaking the Dart dev version of our build.
Ignore TODOs for the purpose of build health.
See #6410
Widen version dependencies for `package:angular`, `package:code_transformers`,
and `package:observe`.
`package:guinness` uses `package:unittest` while
the newest versions of `package:code_transformers` use `package:test`.
This causes our end-to-end Dart transformer tests (which use testing
code in `package:code_transformers`) to be skipped.
To fix this:
- Move e2e tests to run in a separate file
- Run `gulp test.server.dart` tests serially
Closes#5922Closes#5935
With providers split into bundles, the test injector is now able to
use providers for a given bundle. Suggested provider lists for tests are
available in `angular2/platform/testing/<platform>`.
Change the providers for a test suite using `setBaseTestProviders`. This
should be done once at the start of the test suite, before any test cases
run.
BREAKING CHANGE: Tests are now required to use `setBaseTestProviders`
to set up. Assuming your tests are run on a browser, setup would change
as follows.
Before:
```js
// Somewhere in test setup
import {BrowserDomAdapter} from 'angular2/src/platform/browser/browser_adapter';
BrowserDomAdapter.makeCurrent
```
After:
```js
// Somewhere in the test setup
import {setBaseTestProviders} from 'angular2/testing';
import {
TEST_BROWSER_PLATFORM_PROVIDERS,
TEST_BROWSER_APPLICATION_PROVIDERS
} from 'angular2/platform/testing/browser';
setBaseTestProviders(TEST_BROWSER_PLATFORM_PROVIDERS,
TEST_BROWSER_APPLICATION_PROVIDERS);
```
Closes#5351, Closes#5585Closes#5975
BREAKING CHANGE
Before
Previously Angular would run in dev prod mode by default, and you could enable the dev mode by calling enableDevMode.
After
Now, Angular runs in the dev mode by default, and you can enable the prod mode by calling enableProdMode.
I'm not sure what's the best way to update the shallow repo and I'm in a state where there is nothing to be
updated so I'll revisit the proper fix the next time I'm doing a release unless someone beats me to it.
Closes#5872
BREAKING CHANGE:
Previously `angular2.js`, `angular2.min.js` and `angular2.dev.js` bundles
would have zone.js and reflect-metadata pre-appended. New bundles don't
contain zone.js nor reflect-metadata - those external dependencies can
be easily loaded into a browser using `angular2-polyfills.js`
Closes#5881
Closes#5815Closes#5844
BREAKING CHANGE:
`angular2/angular2` was removed. Use the correct import from one of the barrels. E.g. `angular2/core`, `angular2/platform/browser`, `angular2/common`, …
Note: This only applies to JavaScript, Dart is not changed.
Assets defined for `templateUrl` and `styleUrls` can now be loaded
in relative to where the component file is placed so long as the
`moduleId` is set within the component annotation.
Closes#5634
Assets defined for `templateUrl` and `styleUrls` can now be loaded
in relative to where the component file is placed so long as the
`moduleId` is set within the component annotation.
Closes#5634Closes#5634
Fixes#5593
Part of #5665
BREAKING CHANGE:
Number and content of UMD bundles have changed:
- we only publish one bundle that contains: core, common, platform/browser, http, router, instrumentation and upgrade
- exported names have changed and now:
- core is exported as `ng.core`
- common is exported as `ng.common`
- platform/browser is exported as `ng.platform.browser`
- http is exported as `ng.http`
- router is exported as `ng.router`
- instrumentation is exported as `ng.instrumentation`
- upgrade is exported as `ng.upgrade`
Closes#5697
Have DomElementSchemaRegistry support namespaced elements,
so that it does not fail when directives are applied in SVG (or xlink).
Without this fix, directives or property bindings cannot be
used in SVG.
Related to #5547Closes#5653
Currently, importing from 'angular2/angular2', in addition to providing Angular tokens, brings in global-es6.d.ts. Since we are deprecating 'angular2/angular2', we need to do the same in 'angular2/core'.