Skip to content
This repository has been archived by the owner on Sep 5, 2024. It is now read-only.

fix(all): fix Trusted Types violations during initialization #12128

Merged
merged 1 commit into from
Oct 28, 2021
Merged

fix(all): fix Trusted Types violations during initialization #12128

merged 1 commit into from
Oct 28, 2021

Conversation

bjarkler
Copy link
Contributor

AngularJS Material is in LTS mode

We are no longer accepting changes that are not critical bug fixes into this project.
See Long Term Support for more detail.

PR Checklist

Please check your PR fulfills the following requirements:

  • Does this PR fix a regression since 1.2.0, a security flaw, or a problem caused by a new browser version?
  • The commit message follows our guidelines
  • Tests for the changes have been added or this is not a bug fix / enhancement
  • Docs have been added, updated, or were not required

PR Type

What kind of change does this PR introduce?

[ ] Bugfix
[ ] Enhancement
[ ] Documentation content changes
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Build related changes
[ ] CI related changes
[ ] Infrastructure changes
[X] Other... Please describe: Security improvement

What is the current behavior?

Currently, when Angular Material is loaded in an application that has
Trusted Types enforced, two violations occur. Both violations are caused
when a plain string is passed to angular.element since there is no
guarantee that the string was not derived from user input, which could
cause XSS. It should be noted that, in this case, neither call to
angular.element represents a security vulnerability, but this blocks
Trusted Types adoption in applications that load Angular Material.

What is the new behavior?

To fix the violations, refactor the calls to angular.element to use safe
DOM operations instead.

Does this PR introduce a breaking change?

[ ] Yes
[X] No

Other information

@jelbourn

@bjarkler
fix(all): fix Trusted Types violations during initialization
748b678 
Currently, when Angular Material is loaded in an application that has
Trusted Types enforced, two violations occur. Both violations are caused
when a plain string is passed to angular.element since there is no
guarantee that the string was not derived from user input, which could
cause XSS. It should be noted that, in this case, neither call to
angular.element represents a security vulnerability, but this blocks
Trusted Types adoption in applications that load Angular Material.

To fix the violations, refactor the calls to angular.element to use safe
DOM operations instead.

This change does not alter any functionality and is fully backwards
compatible.
@google-cla google-cla bot added the cla: yes PR author has signed Google's CLA: https://opensource.google.com/docs/cla/ label Oct 28, 2021
@Splaktar Splaktar self-requested a review October 28, 2021 18:14
@Splaktar Splaktar self-assigned this Oct 28, 2021
@Splaktar Splaktar added g3: pr This PR was posted by an internal or external product team. P2: required Issues that must be fixed. type: enhancement labels Oct 28, 2021
@jelbourn jelbourn assigned jelbourn and unassigned Splaktar Oct 28, 2021
@jelbourn jelbourn requested review from jelbourn and removed request for Splaktar October 28, 2021 19:03
jelbourn
jelbourn approved these changes Oct 28, 2021
View reviewed changes
Copy link
Member

@jelbourn jelbourn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jelbourn jelbourn merged commit 4e354a6 into angular:master Oct 28, 2021
@Splaktar Splaktar added this to the 1.2.4 milestone Oct 28, 2021
Splaktar
Splaktar approved these changes Oct 28, 2021
View reviewed changes
Copy link
Member

@Splaktar Splaktar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks!

jelbourn pushed a commit that referenced this pull request Oct 28, 2021
@bjarkler @jelbourn
fix(all): fix Trusted Types violations during initialization (#12128)
187226e 
Currently, when Angular Material is loaded in an application that has
Trusted Types enforced, two violations occur. Both violations are caused
when a plain string is passed to angular.element since there is no
guarantee that the string was not derived from user input, which could
cause XSS. It should be noted that, in this case, neither call to
angular.element represents a security vulnerability, but this blocks
Trusted Types adoption in applications that load Angular Material.

To fix the violations, refactor the calls to angular.element to use safe
DOM operations instead.

This change does not alter any functionality and is fully backwards
compatible.

(cherry picked from commit 4e354a6)
superheri pushed a commit to superheri/material that referenced this pull request Nov 30, 2021
@bjarkler @superheri
fix(all): fix Trusted Types violations during initialization (angular…
db45aa1 
…#12128)

Currently, when Angular Material is loaded in an application that has
Trusted Types enforced, two violations occur. Both violations are caused
when a plain string is passed to angular.element since there is no
guarantee that the string was not derived from user input, which could
cause XSS. It should be noted that, in this case, neither call to
angular.element represents a security vulnerability, but this blocks
Trusted Types adoption in applications that load Angular Material.

To fix the violations, refactor the calls to angular.element to use safe
DOM operations instead.

This change does not alter any functionality and is fully backwards
compatible.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Splaktar Splaktar Splaktar approved these changes

@jelbourn jelbourn jelbourn approved these changes

Assignees

@jelbourn jelbourn

Labels
cla: yes PR author has signed Google's CLA: https://opensource.google.com/docs/cla/ g3: pr This PR was posted by an internal or external product team. P2: required Issues that must be fixed. type: enhancement
Projects
None yet
Milestone
1.2.4
Development

Successfully merging this pull request may close these issues.
3 participants
@bjarkler @jelbourn @Splaktar