diff --git a/src/.jshintrc b/src/.jshintrc
index 8860f44d5ba4..747b623cc69f 100644
--- a/src/.jshintrc
+++ b/src/.jshintrc
@@ -1,5 +1,6 @@
 {
-  "extends": "../.jshintrc-base",
+  "root": true,
+  "extends": "../.eslintrc-browser.json",
   "browser": true,
   "globals": {
     /* auto/injector.js */
@@ -14,6 +15,9 @@
     "splice": false,
     "push": false,
     "toString": false,
+    "minErrConfig": false,
+    "errorHandlingConfig": false,
+    "isValidObjectMaxDepth": false,
     "ngMinErr": false,
     "_angular": false,
     "angularModule": false,
@@ -36,6 +40,7 @@
     "extend": false,
     "int": false,
     "inherit": false,
+    "merge": false,
     "noop": false,
     "identity": false,
     "valueFn": false,
@@ -44,7 +49,9 @@
     "isObject": false,
     "isString": false,
     "isNumber": false,
+    "isNumberNaN": false,
     "isDate": false,
+    "isError": false,
     "isArray": false,
     "isFunction": false,
     "isRegExp": false,
@@ -55,6 +62,7 @@
     "isBlob": false,
     "isBoolean": false,
     "isPromiseLike": false,
+    "hasCustomToString": false,
     "trim": false,
     "escapeForRegexp": false,
     "isElement": false,
@@ -63,6 +71,7 @@
     "arrayRemove": false,
     "copy": false,
     "shallowCopy": false,
+    "simpleCompare": false,
     "equals": false,
     "csp": false,
     "concat": false,
@@ -71,6 +80,9 @@
     "toJsonReplacer": false,
     "toJson": false,
     "fromJson": false,
+    "addDateMinutes": false,
+    "convertTimezoneToLocal": false,
+    "timezoneToOffset": false,
     "startingTag": false,
     "tryDecodeURIComponent": false,
     "parseKeyValue": false,
@@ -90,8 +102,9 @@
     "createMap": false,
     "VALIDITY_STATE_PROPERTY": false,
     "reloadWithDebugInfo": false,
-
+    "stringify": false,
     "skipDestroyOnNextJQueryCleanData": true,
+    "UNSAFE_restoreLegacyJqLiteXHTMLReplacement": false,
 
     "NODE_TYPE_ELEMENT": false,
     "NODE_TYPE_ATTRIBUTE": false,
@@ -121,6 +134,7 @@
     "ALIASED_ATTR": false,
     "jqNextId": false,
     "camelCase": false,
+    "fnCamelCaseReplace": false,
     "jqLitePatchJQueryRemove": false,
     "JQLite": false,
     "jqLiteClone": false,
@@ -137,6 +151,7 @@
     "jqLiteInheritedData": false,
     "jqLiteBuildFragment": false,
     "jqLiteParseHTML": false,
+    "jqLiteWrapNode": false,
     "getBooleanAttrName": false,
     "getAliasedAttrName": false,
     "createEventHandler": false,
@@ -149,10 +164,16 @@
     /* apis.js */
     "hashKey": false,
     "HashMap": false,
+    "NgMap": false,
 
     /* urlUtils.js */
     "urlResolve": false,
     "urlIsSameOrigin": false,
+    "urlIsSameOriginAsBaseUrl": false,
+    "urlIsAllowedOriginFactory": false,
+
+    /* ng/controller.js */
+    "identifierForController": false,
 
     /* ng/compile.js */
     "directiveNormalize": false,
@@ -160,9 +181,18 @@
     /* ng/parse.js */
     "setter": false,
 
+    /* ng/q.js */
+    "markQExceptionHandled": false,
+
+    /* sce.js */
+    "SCE_CONTEXTS": false,
+
     /* ng/directive/directives.js */
     "ngDirective": false,
 
+    /* ng/directive/ngEventDirs.js */
+    "createEventDirective": false,
+
     /* ng/directive/input.js */
     "VALID_CLASS": false,
     "INVALID_CLASS": false,
diff --git a/src/Angular.js b/src/Angular.js
index e0cc5c934561..8679af3fc2c4 100644
--- a/src/Angular.js
+++ b/src/Angular.js
@@ -30,6 +30,7 @@
   extend: true,
   int: true,
   inherit: true,
+  merge: true,
   noop: true,
   identity: true,
   valueFn: true,
@@ -84,6 +85,7 @@
   getBlockNodes: true,
   hasOwnProperty: true,
   createMap: true,
+  UNSAFE_restoreLegacyJqLiteXHTMLReplacement,
 
   NODE_TYPE_ELEMENT: true,
   NODE_TYPE_ATTRIBUTE: true,
@@ -327,6 +329,41 @@ function setHashKey(obj, h) {
   }
 }
 
+
+function baseExtend(dst, objs, deep) {
+  var h = dst.$$hashKey;
+  for (var i = 0, ii = objs.length; i < ii; ++i) {
+    var obj = objs[i];
+    if (!isObject(obj) && !isFunction(obj)) continue;
+    var keys = Object.keys(obj);
+    for (var j = 0, jj = keys.length; j < jj; j++) {
+      var key = keys[j];
+      var src = obj[key];
+      if (deep && isObject(src)) {
+        if (isDate(src)) {
+          dst[key] = new Date(src.valueOf());
+        } else if (isRegExp(src)) {
+          dst[key] = new RegExp(src);
+        } else if (src.nodeName) {
+          dst[key] = src.cloneNode(true);
+        } else if (isElement(src)) {
+          dst[key] = src.clone();
+        } else {
+          if (key !== '__proto__') {
+            if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
+            baseExtend(dst[key], [src], true);
+          }
+        }
+      } else {
+        dst[key] = src;
+      }
+    }
+  }
+
+  setHashKey(dst, h);
+  return dst;
+}
+
 /**
  * @ngdoc function
  * @name angular.extend
@@ -344,21 +381,29 @@ function setHashKey(obj, h) {
  * @returns {Object} Reference to `dst`.
  */
 function extend(dst) {
-  var h = dst.$$hashKey;
-
-  for (var i = 1, ii = arguments.length; i < ii; i++) {
-    var obj = arguments[i];
-    if (obj) {
-      var keys = Object.keys(obj);
-      for (var j = 0, jj = keys.length; j < jj; j++) {
-        var key = keys[j];
-        dst[key] = obj[key];
-      }
-    }
-  }
+  return baseExtend(dst, slice.call(arguments, 1), false);
+}
 
-  setHashKey(dst, h);
-  return dst;
+/**
+ * @ngdoc function
+ * @name angular.merge
+ * @module ng
+ * @kind function
+ *
+ * @description
+ * Deeply extends the destination object `dst` by copying own enumerable properties from the `src` object(s)
+ * to `dst`. You can specify multiple `src` objects. If you want to preserve original objects, you can do so
+ * by passing an empty object as the target: `var object = angular.merge({}, object1, object2)`.
+ *
+ * Unlike {@link angular.extend extend()}, `merge()` recursively descends into object properties of source
+ * objects, performing a deep copy.
+ *
+ * @param {Object} dst Destination object.
+ * @param {...Object} src Source object(s).
+ * @returns {Object} Reference to `dst`.
+ */
+function merge(dst) {
+  return baseExtend(dst, slice.call(arguments, 1), true);
 }
 
 function int(str) {
@@ -1570,6 +1615,25 @@ function bindJQuery() {
   bindJQueryFired = true;
 }
 
+/**
+ * @ngdoc function
+ * @name angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement
+ * @module ng
+ * @kind function
+ *
+ * @description
+ * Restores the pre-1.8 behavior of jqLite that turns XHTML-like strings like
+ * `<div /><span />` to `<div></div><span></span>` instead of `<div><span></span></div>`.
+ * The new behavior is a security fix so if you use this method, please try to adjust
+ * to the change & remove the call as soon as possible.
+ * Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read
+ * [jQuery 3.5 upgrade guide](https://jquery.com/upgrade-guide/3.5/) for more details
+ * about the workarounds.
+ */
+function UNSAFE_restoreLegacyJqLiteXHTMLReplacement() {
+  JQLite.legacyXHTMLReplacement = true;
+}
+
 /**
  * throw error if the argument is falsy.
  */
diff --git a/src/AngularPublic.js b/src/AngularPublic.js
index b81257b9fff7..0c7df395dc0b 100644
--- a/src/AngularPublic.js
+++ b/src/AngularPublic.js
@@ -116,6 +116,7 @@ function publishExternalAPI(angular) {
     'bootstrap': bootstrap,
     'copy': copy,
     'extend': extend,
+    'merge': merge,
     'equals': equals,
     'element': jqLite,
     'forEach': forEach,
@@ -141,7 +142,8 @@ function publishExternalAPI(angular) {
     'getTestability': getTestability,
     '$$minErr': minErr,
     '$$csp': csp,
-    'reloadWithDebugInfo': reloadWithDebugInfo
+    'reloadWithDebugInfo': reloadWithDebugInfo,
+    'UNSAFE_restoreLegacyJqLiteXHTMLReplacement': UNSAFE_restoreLegacyJqLiteXHTMLReplacement
   });
 
   angularModule = setupModuleLoader(window);
diff --git a/src/jqLite.js b/src/jqLite.js
index dfdad1c0ee17..bb24caec0905 100644
--- a/src/jqLite.js
+++ b/src/jqLite.js
@@ -158,7 +158,6 @@ var XHTML_TAG_REGEXP = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w
 
 var wrapMap = {
   'option': [1, '<select multiple="multiple">', '</select>'],
-
   'thead': [1, '<table>', '</table>'],
   'col': [2, '<table><colgroup>', '</colgroup></table>'],
   'tr': [2, '<table><tbody>', '</tbody></table>'],
@@ -170,6 +169,21 @@ wrapMap.optgroup = wrapMap.option;
 wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
 wrapMap.th = wrapMap.td;
 
+// Support: IE <10 only
+// IE 9 requires an option wrapper & it needs to have the whole table structure
+// set up up front; assigning `"<td></td>"` to `tr.innerHTML` doesn't work, etc.
+var wrapMapIE9 = {
+  option: [1, '<select multiple="multiple">', '</select>'],
+  _default: [0, '', '']
+};
+
+for (var key in wrapMap) {
+  var wrapMapValueClosing = wrapMap[key];
+  var wrapMapValue = wrapMapValueClosing.slice().reverse();
+  wrapMapIE9[key] = [wrapMapValue.length, '<' + wrapMapValue.join('><') + '>', '</' + wrapMapValueClosing.join('></') + '>'];
+}
+
+wrapMapIE9.optgroup = wrapMapIE9.option;
 
 function jqLiteIsTextNode(html) {
   return !HTML_REGEXP.test(html);
@@ -183,7 +197,7 @@ function jqLiteAcceptsData(node) {
 }
 
 function jqLiteBuildFragment(html, context) {
-  var tmp, tag, wrap,
+  var tmp, tag, wrap, finalHtml,
       fragment = context.createDocumentFragment(),
       nodes = [], i;
 
@@ -194,13 +208,30 @@ function jqLiteBuildFragment(html, context) {
     // Convert html into DOM nodes
     tmp = tmp || fragment.appendChild(context.createElement("div"));
     tag = (TAG_NAME_REGEXP.exec(html) || ["", ""])[1].toLowerCase();
-    wrap = wrapMap[tag] || wrapMap._default;
-    tmp.innerHTML = wrap[1] + html.replace(XHTML_TAG_REGEXP, "<$1></$2>") + wrap[2];
+    finalHtml = JQLite.legacyXHTMLReplacement ?
+      html.replace(XHTML_TAG_REGEXP, '<$1></$2>') :
+      html;
+
+    if (msie < 10) {
+      wrap = wrapMapIE9[tag] || wrapMapIE9._default;
+      tmp.innerHTML = wrap[1] + finalHtml + wrap[2];
+
+      // Descend through wrappers to the right content
+      i = wrap[0];
+      while (i--) {
+        tmp = tmp.firstChild;
+      }
+    } else {
+      wrap = wrapMap[tag] || wrapMap._default;
 
-    // Descend through wrappers to the right content
-    i = wrap[0];
-    while (i--) {
-      tmp = tmp.lastChild;
+
+      tmp.innerHTML = wrap[1] + finalHtml + wrap[2];
+
+      // Descend through wrappers to the right content
+      i = wrap[0];
+      while (i--) {
+        tmp = tmp.lastChild;
+      }
     }
 
     nodes = concat(nodes, tmp.childNodes);
diff --git a/src/ng/compile.js b/src/ng/compile.js
index 051028e338e8..5c1d04a140c6 100644
--- a/src/ng/compile.js
+++ b/src/ng/compile.js
@@ -1044,7 +1044,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
 
         nodeName = nodeName_(this.$$element);
 
-        if ((nodeName === 'a' && key === 'href') ||
+        if ((nodeName === 'a' && (key === 'href' || key === 'xlinkHref')) ||
             (nodeName === 'img' && key === 'src')) {
           // sanitize a[href] and img[src] values
           this[key] = value = $$sanitizeUri(value, key === 'src');
diff --git a/test/AngularSpec.js b/test/AngularSpec.js
index 0f353f01fe45..1c79c984565b 100644
--- a/test/AngularSpec.js
+++ b/test/AngularSpec.js
@@ -1580,3 +1580,82 @@ describe('angular', function() {
     });
   });
 });
+describe('merge', function () {
+  it('should recursively copy objects into dst from left to right', function () {
+    var dst = {foo: {bar: 'foobar'}};
+    var src1 = {foo: {bazz: 'foobazz'}};
+    var src2 = {foo: {bozz: 'foobozz'}};
+    merge(dst, src1, src2);
+    expect(dst).toEqual({
+      foo: {
+        bar: 'foobar',
+        bazz: 'foobazz',
+        bozz: 'foobozz'
+      }
+    });
+  });
+
+
+  it('should replace primitives with objects', function () {
+    var dst = {foo: "bloop"};
+    var src = {foo: {bar: {baz: "bloop"}}};
+    merge(dst, src);
+    expect(dst).toEqual({
+      foo: {
+        bar: {
+          baz: "bloop"
+        }
+      }
+    });
+  });
+
+
+  it('should replace null values in destination with objects', function () {
+    var dst = {foo: null};
+    var src = {foo: {bar: {baz: "bloop"}}};
+    merge(dst, src);
+    expect(dst).toEqual({
+      foo: {
+        bar: {
+          baz: "bloop"
+        }
+      }
+    });
+  });
+
+  it('should copy references to functions by value rather than merging', function () {
+    function fn() {
+    }
+
+    var dst = {foo: 1};
+    var src = {foo: fn};
+    merge(dst, src);
+    expect(dst).toEqual({
+      foo: fn
+    });
+  });
+
+
+  it('should create a new array if destination property is a non-object and source property is an array', function () {
+    var dst = {foo: NaN};
+    var src = {foo: [1, 2, 3]};
+    merge(dst, src);
+    expect(dst).toEqual({
+      foo: [1, 2, 3]
+    });
+    expect(dst.foo).not.toBe(src.foo);
+  });
+
+  it('should not merge the __proto__ property', function() {
+    var src = JSON.parse('{ "__proto__": { "xxx": "polluted" } }');
+    var dst = {};
+
+    merge(dst, src);
+
+    if (typeof dst.__proto__ !== 'undefined') { // eslint-disable-line
+      // Should not overwrite the __proto__ property or pollute the Object prototype
+      expect(dst.__proto__).toBe(Object.prototype); // eslint-disable-line
+    }
+    expect(({}).xxx).toBeUndefined();
+  });
+});
diff --git a/test/jqLiteSpec.js b/test/jqLiteSpec.js
index a791641bcda0..e31e37648294 100644
--- a/test/jqLiteSpec.js
+++ b/test/jqLiteSpec.js
@@ -26,8 +26,8 @@ describe('jqLite', function() {
           var expect = jqLite(expected[i])[0];
           value = value && equals(expect, actual);
           msg = "Not equal at index: " + i
-              + " - Expected: " + expect
-              + " - Actual: " + actual;
+            + " - Expected: " + expect
+            + " - Actual: " + actual;
         }
         return value;
       }
@@ -129,6 +129,67 @@ describe('jqLite', function() {
     });
   });
 
+  describe('security', function() {
+
+    it('shouldn\'t unsanitize sanitized code', function(done) {
+      var counter = 0,
+        assertCount = 13,
+        container = jqLite('<div></div>');
+
+      function donePartial() {
+        counter++;
+        if (counter === assertCount) {
+          container.remove();
+          delete window.xss;
+        }
+      }
+
+      jqLite(document.body).append(container);
+      window.xss = jasmine.createSpy('xss');
+
+      // Thanks to Masato Kinugawa from Cure53 for providing the following test cases.
+      // Note: below test cases need to invoke the xss function with consecutive
+      // decimal parameters for the assertions to be correct.
+      forEach([
+        '<img alt="<x" title="/><img src=url404 onerror=xss(0)>">',
+        '<img alt="\n<x" title="/>\n<img src=url404 onerror=xss(1)>">',
+        '<style><img src=url404 onerror=xss(2)><style/>',
+        '<xmp><img src=url404 onerror=xss(3)><xmp/>',
+        '<title><img src=url404 onerror=xss(4)><title />',
+        '<iframe><img src=url404 onerror=xss(5)><iframe/>',
+        '<noframes><img src=url404 onerror=xss(6)><noframes/>',
+        '<noscript><img src=url404 onerror=xss(7)><noscript/>',
+        '<foo" alt="" title="/><img src=url404 onerror=xss(8)>">',
+        '<img alt="<x" title="" src="/><img src=url404 onerror=xss(9)>">',
+        '<noscript><img src=url404 onerror=xss(10)><noscript/>',
+        '<noembed><img src=url404 onerror=xss(11)><noembed/>',
+      ], function(htmlString, index) {
+        var element = jqLite('<div></div>');
+
+        container.append(element);
+        element.append(jqLite(htmlString));
+
+        window.setTimeout(function() {
+          expect(window.xss).not.toHaveBeenCalledWith(index);
+          donePartial();
+        }, 1000);
+      });
+    });
+
+    it('should allow to restore legacy insecure behavior', function() {
+      // jQuery doesn't have this API.
+      if (!_jqLiteMode) return;
+
+      // eslint-disable-next-line new-cap
+      angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement();
+
+      var elem = jqLite('<div/><span/>');
+      expect(elem.length).toBe(2);
+      expect(elem[0].nodeName.toLowerCase()).toBe('div');
+      expect(elem[1].nodeName.toLowerCase()).toBe('span');
+    });
+  })
+
   describe('_data', function() {
     it('should provide access to the events present on the element', function() {
       var element = jqLite('<i>foo</i>');
@@ -169,8 +230,8 @@ describe('jqLite', function() {
     it('should work with the child html element instead if the current element is the document obj',
       function() {
         var item = {},
-            doc = jqLite(document),
-            html = doc.find('html');
+          doc = jqLite(document),
+          html = doc.find('html');
 
         html.data('item', item);
         expect(doc.inheritedData('item')).toBe(item);
@@ -181,8 +242,8 @@ describe('jqLite', function() {
 
     it('should return null values', function() {
       var ul = jqLite('<ul><li><p><b>deep deep</b><p></li></ul>'),
-          li = ul.find('li'),
-          b = li.find('b');
+        li = ul.find('li'),
+        b = li.find('b');
 
       ul.data('foo', 'bar');
       li.data('foo', null);
@@ -195,8 +256,8 @@ describe('jqLite', function() {
 
     it('should pass through DocumentFragment boundaries via host', function() {
       var host = jqLite('<div></div>'),
-          frag = document.createDocumentFragment(),
-          $frag = jqLite(frag);
+        frag = document.createDocumentFragment(),
+        $frag = jqLite(frag);
       frag.host = host[0];
       host.data("foo", 123);
       host.append($frag);
@@ -224,17 +285,17 @@ describe('jqLite', function() {
     });
 
     it('should retrieve scope attached to the html element if it\'s requested on the document',
-        function() {
-      var doc = jqLite(document),
+      function() {
+        var doc = jqLite(document),
           html = doc.find('html'),
           scope = {};
 
-      html.data('$scope', scope);
+        html.data('$scope', scope);
 
-      expect(doc.scope()).toBe(scope);
-      expect(html.scope()).toBe(scope);
-      dealoc(doc);
-    });
+        expect(doc.scope()).toBe(scope);
+        expect(html.scope()).toBe(scope);
+        dealoc(doc);
+      });
 
     it('should walk up the dom to find scope', function() {
       var element = jqLite('<ul><li><p><b>deep deep</b><p></li></ul>');
@@ -294,17 +355,17 @@ describe('jqLite', function() {
 
 
     it('should retrieve injector attached to the html element if it\'s requested on document',
-        function() {
-      var doc = jqLite(document),
+      function() {
+        var doc = jqLite(document),
           html = doc.find('html'),
           injector = {};
 
-      html.data('$injector', injector);
+        html.data('$injector', injector);
 
-      expect(doc.injector()).toBe(injector);
-      expect(html.injector()).toBe(injector);
-      dealoc(doc);
-    });
+        expect(doc.injector()).toBe(injector);
+        expect(html.injector()).toBe(injector);
+        dealoc(doc);
+      });
 
 
     it('should do nothing with a noncompiled template', function() {
@@ -318,7 +379,7 @@ describe('jqLite', function() {
   describe('controller', function() {
     it('should retrieve controller attached to the current element or its parent', function() {
       var div = jqLite('<div><span></span></div>'),
-          span = div.find('span');
+        span = div.find('span');
 
       div.data('$ngControllerController', 'ngController');
       span.data('$otherController', 'other');
@@ -456,8 +517,8 @@ describe('jqLite', function() {
 
     it('should keep data if an element is removed via detach()', function() {
       var root = jqLite('<div><span>abc</span></div>'),
-          span = root.find('span'),
-          data = span.data();
+        span = root.find('span'),
+        data = span.data();
 
       span.data('foo', 'bar');
       span.detach();
@@ -481,7 +542,7 @@ describe('jqLite', function() {
 
     it('should create a new data object if called without args', function() {
       var element = jqLite(a),
-          data = element.data();
+        data = element.data();
 
       expect(data).toEqual({});
       element.data('foo', 'bar');
@@ -490,7 +551,7 @@ describe('jqLite', function() {
 
     it('should create a new data object if called with a single object arg', function() {
       var element = jqLite(a),
-          newData = {foo: 'bar'};
+        newData = {foo: 'bar'};
 
       element.data(newData);
       expect(element.data()).toEqual({foo: 'bar'});
@@ -498,23 +559,23 @@ describe('jqLite', function() {
     });
 
     it('should merge existing data object with a new one if called with a single object arg',
-        function() {
-      var element = jqLite(a);
-      element.data('existing', 'val');
-      expect(element.data()).toEqual({existing: 'val'});
+      function() {
+        var element = jqLite(a);
+        element.data('existing', 'val');
+        expect(element.data()).toEqual({existing: 'val'});
 
-      var oldData = element.data(),
+        var oldData = element.data(),
           newData = {meLike: 'turtles', 'youLike': 'carrots'};
 
-      expect(element.data(newData)).toBe(element);
-      expect(element.data()).toEqual({meLike: 'turtles', youLike: 'carrots', existing: 'val'});
-      expect(element.data()).toBe(oldData); // merge into the old object
-    });
+        expect(element.data(newData)).toBe(element);
+        expect(element.data()).toEqual({meLike: 'turtles', youLike: 'carrots', existing: 'val'});
+        expect(element.data()).toBe(oldData); // merge into the old object
+      });
 
     describe('data cleanup', function() {
       it('should remove data on element removal', function() {
         var div = jqLite('<div><span>text</span></div>'),
-            span = div.find('span');
+          span = div.find('span');
 
         span.data('name', 'angular');
         span.remove();
@@ -523,8 +584,8 @@ describe('jqLite', function() {
 
       it('should remove event listeners on element removal', function() {
         var div = jqLite('<div><span>text</span></div>'),
-            span = div.find('span'),
-            log = '';
+          span = div.find('span'),
+          log = '';
 
         span.on('click', function() { log += 'click;'; });
         browserTrigger(span);
@@ -966,20 +1027,20 @@ describe('jqLite', function() {
     it('should get an array of selected elements from a multi select', function() {
       expect(jqLite(
         '<select multiple>' +
-          '<option selected>test 1</option>' +
-          '<option selected>test 2</option>' +
+        '<option selected>test 1</option>' +
+        '<option selected>test 2</option>' +
         '</select>').val()).toEqual(['test 1', 'test 2']);
 
       expect(jqLite(
         '<select multiple>' +
-          '<option selected>test 1</option>' +
-          '<option>test 2</option>' +
+        '<option selected>test 1</option>' +
+        '<option>test 2</option>' +
         '</select>').val()).toEqual(['test 1']);
 
       expect(jqLite(
         '<select multiple>' +
-          '<option>test 1</option>' +
-          '<option>test 2</option>' +
+        '<option>test 1</option>' +
+        '<option>test 2</option>' +
         '</select>').val()).toEqual(null);
     });
   });
@@ -1065,7 +1126,7 @@ describe('jqLite', function() {
 
     it('should bind to all events separated by space', function() {
       var elm = jqLite(a),
-          callback = jasmine.createSpy('callback');
+        callback = jasmine.createSpy('callback');
 
       elm.on('click keypress', callback);
       elm.on('click', callback);
@@ -1091,7 +1152,7 @@ describe('jqLite', function() {
 
     it('should have event.isDefaultPrevented method', function() {
       var element = jqLite(a),
-          clickSpy = jasmine.createSpy('clickSpy');
+        clickSpy = jasmine.createSpy('clickSpy');
 
       clickSpy.andCallFake(function(e) {
         expect(function() {
@@ -1109,10 +1170,10 @@ describe('jqLite', function() {
 
     it('should stop triggering handlers when stopImmediatePropagation is called', function() {
       var element = jqLite(a),
-          clickSpy1 = jasmine.createSpy('clickSpy1'),
-          clickSpy2 = jasmine.createSpy('clickSpy2').andCallFake(function(event) { event.stopImmediatePropagation(); }),
-          clickSpy3 = jasmine.createSpy('clickSpy3'),
-          clickSpy4 = jasmine.createSpy('clickSpy4');
+        clickSpy1 = jasmine.createSpy('clickSpy1'),
+        clickSpy2 = jasmine.createSpy('clickSpy2').andCallFake(function(event) { event.stopImmediatePropagation(); }),
+        clickSpy3 = jasmine.createSpy('clickSpy3'),
+        clickSpy4 = jasmine.createSpy('clickSpy4');
 
       element.on('click', clickSpy1);
       element.on('click', clickSpy2);
@@ -1129,12 +1190,12 @@ describe('jqLite', function() {
 
     it('should execute stopPropagation when stopImmediatePropagation is called', function() {
       var element = jqLite(a),
-          clickSpy = jasmine.createSpy('clickSpy');
+        clickSpy = jasmine.createSpy('clickSpy');
 
       clickSpy.andCallFake(function(event) {
-          spyOn(event, 'stopPropagation');
-          event.stopImmediatePropagation();
-          expect(event.stopPropagation).toHaveBeenCalled();
+        spyOn(event, 'stopPropagation');
+        event.stopImmediatePropagation();
+        expect(event.stopPropagation).toHaveBeenCalled();
       });
 
       element.on('click', clickSpy);
@@ -1145,12 +1206,12 @@ describe('jqLite', function() {
 
     it('should have event.isImmediatePropagationStopped method', function() {
       var element = jqLite(a),
-          clickSpy = jasmine.createSpy('clickSpy');
+        clickSpy = jasmine.createSpy('clickSpy');
 
       clickSpy.andCallFake(function(event) {
-          expect(event.isImmediatePropagationStopped()).toBe(false);
-          event.stopImmediatePropagation();
-          expect(event.isImmediatePropagationStopped()).toBe(true);
+        expect(event.isImmediatePropagationStopped()).toBe(false);
+        event.stopImmediatePropagation();
+        expect(event.isImmediatePropagationStopped()).toBe(true);
       });
 
       element.on('click', clickSpy);
@@ -1188,9 +1249,9 @@ describe('jqLite', function() {
             evnt = document.createEvent('MouseEvents');
 
             var originalPreventDefault = evnt.preventDefault,
-            appWindow = window,
-            fakeProcessDefault = true,
-            finalProcessDefault;
+              appWindow = window,
+              fakeProcessDefault = true,
+              finalProcessDefault;
 
             evnt.preventDefault = function() {
               fakeProcessDefault = false;
@@ -1199,7 +1260,7 @@ describe('jqLite', function() {
 
             var x = 0, y = 0;
             evnt.initMouseEvent(type, true, true, window, 0, x, y, x, y, false, false,
-            false, false, 0, relatedTarget);
+              false, false, 0, relatedTarget);
 
             element.dispatchEvent(evnt);
           };
@@ -1226,10 +1287,10 @@ describe('jqLite', function() {
     if (_jqLiteMode) {
       it('should throw an error if eventData or a selector is passed', function() {
         var elm = jqLite(a),
-            anObj = {},
-            aString = '',
-            aValue = 45,
-            callback = function() {};
+          anObj = {},
+          aString = '',
+          aValue = 45,
+          callback = function() {};
 
         expect(function() {
           elm.on('click', anObj, callback);
@@ -1266,8 +1327,8 @@ describe('jqLite', function() {
 
     it('should deregister all listeners', function() {
       var aElem = jqLite(a),
-          clickSpy = jasmine.createSpy('click'),
-          mouseoverSpy = jasmine.createSpy('mouseover');
+        clickSpy = jasmine.createSpy('click'),
+        mouseoverSpy = jasmine.createSpy('mouseover');
 
       aElem.on('click', clickSpy);
       aElem.on('mouseover', mouseoverSpy);
@@ -1291,8 +1352,8 @@ describe('jqLite', function() {
 
     it('should deregister listeners for specific type', function() {
       var aElem = jqLite(a),
-          clickSpy = jasmine.createSpy('click'),
-          mouseoverSpy = jasmine.createSpy('mouseover');
+        clickSpy = jasmine.createSpy('click'),
+        mouseoverSpy = jasmine.createSpy('mouseover');
 
       aElem.on('click', clickSpy);
       aElem.on('mouseover', mouseoverSpy);
@@ -1322,8 +1383,8 @@ describe('jqLite', function() {
 
     it('should deregister all listeners for types separated by spaces', function() {
       var aElem = jqLite(a),
-          clickSpy = jasmine.createSpy('click'),
-          mouseoverSpy = jasmine.createSpy('mouseover');
+        clickSpy = jasmine.createSpy('click'),
+        mouseoverSpy = jasmine.createSpy('mouseover');
 
       aElem.on('click', clickSpy);
       aElem.on('mouseover', mouseoverSpy);
@@ -1347,8 +1408,8 @@ describe('jqLite', function() {
 
     it('should deregister specific listener', function() {
       var aElem = jqLite(a),
-          clickSpy1 = jasmine.createSpy('click1'),
-          clickSpy2 = jasmine.createSpy('click2');
+        clickSpy1 = jasmine.createSpy('click1'),
+        clickSpy2 = jasmine.createSpy('click2');
 
       aElem.on('click', clickSpy1);
       aElem.on('click', clickSpy2);
@@ -1376,10 +1437,10 @@ describe('jqLite', function() {
 
     it('should deregister specific listener within the listener and call subsequent listeners', function() {
       var aElem = jqLite(a),
-          clickSpy = jasmine.createSpy('click'),
-          clickOnceSpy = jasmine.createSpy('clickOnce').andCallFake(function() {
-            aElem.off('click', clickOnceSpy);
-          });
+        clickSpy = jasmine.createSpy('click'),
+        clickOnceSpy = jasmine.createSpy('clickOnce').andCallFake(function() {
+          aElem.off('click', clickOnceSpy);
+        });
 
       aElem.on('click', clickOnceSpy);
       aElem.on('click', clickSpy);
@@ -1396,8 +1457,8 @@ describe('jqLite', function() {
 
     it('should deregister specific listener for multiple types separated by spaces', function() {
       var aElem = jqLite(a),
-          masterSpy = jasmine.createSpy('master'),
-          extraSpy = jasmine.createSpy('extra');
+        masterSpy = jasmine.createSpy('master'),
+        extraSpy = jasmine.createSpy('extra');
 
       aElem.on('click', masterSpy);
       aElem.on('click', extraSpy);
@@ -1423,7 +1484,7 @@ describe('jqLite', function() {
     describe('native listener deregistration', function() {
 
       it('should deregister the native listener when all jqLite listeners for given type are gone ' +
-         'after off("eventName", listener) call',  function() {
+        'after off("eventName", listener) call',  function() {
         var aElem = jqLite(a);
         var addEventListenerSpy = spyOn(aElem[0], 'addEventListener').andCallThrough();
         var removeEventListenerSpy = spyOn(aElem[0], 'removeEventListener').andCallThrough();
@@ -1442,7 +1503,7 @@ describe('jqLite', function() {
 
 
       it('should deregister the native listener when all jqLite listeners for given type are gone ' +
-         'after off("eventName") call',  function() {
+        'after off("eventName") call',  function() {
         var aElem = jqLite(a);
         var addEventListenerSpy = spyOn(aElem[0], 'addEventListener').andCallThrough();
         var removeEventListenerSpy = spyOn(aElem[0], 'removeEventListener').andCallThrough();
@@ -1459,7 +1520,7 @@ describe('jqLite', function() {
 
 
       it('should deregister the native listener when all jqLite listeners for given type are gone ' +
-         'after off("eventName1 eventName2") call',  function() {
+        'after off("eventName1 eventName2") call',  function() {
         var aElem = jqLite(a);
         var addEventListenerSpy = spyOn(aElem[0], 'addEventListener').andCallThrough();
         var removeEventListenerSpy = spyOn(aElem[0], 'removeEventListener').andCallThrough();
@@ -1484,7 +1545,7 @@ describe('jqLite', function() {
 
 
       it('should deregister the native listener when all jqLite listeners for given type are gone ' +
-         'after off() call',  function() {
+        'after off() call',  function() {
         var aElem = jqLite(a);
         var addEventListenerSpy = spyOn(aElem[0], 'addEventListener').andCallThrough();
         var removeEventListenerSpy = spyOn(aElem[0], 'removeEventListener').andCallThrough();
@@ -1727,13 +1788,13 @@ describe('jqLite', function() {
       var root = jqLite('<div>');
       expect(root.prepend([a, b, c])).toBe(root);
       expect(sortedHtml(root)).
-        toBe('<div><div>A</div><div>B</div><div>C</div></div>');
+      toBe('<div><div>A</div><div>B</div><div>C</div></div>');
     });
     it('should prepend array to content in the right order', function() {
       var root = jqLite('<div>text</div>');
       expect(root.prepend([a, b, c])).toBe(root);
       expect(sortedHtml(root)).
-        toBe('<div><div>A</div><div>B</div><div>C</div>text</div>');
+      toBe('<div><div>A</div><div>B</div><div>C</div>text</div>');
     });
   });
 
@@ -1779,7 +1840,7 @@ describe('jqLite', function() {
   describe('parent', function() {
     it('should return parent or an empty set when no parent', function() {
       var parent = jqLite('<div><p>abc</p></div>'),
-          child = parent.find('p');
+        child = parent.find('p');
 
       expect(parent.parent()).toBeTruthy();
       expect(parent.parent().length).toEqual(0);
@@ -1799,7 +1860,7 @@ describe('jqLite', function() {
     it('should return empty jqLite object when parent is a document fragment', function() {
       //this is quite unfortunate but jQuery 1.5.1 behaves this way
       var fragment = document.createDocumentFragment(),
-          child = jqLite('<p>foo</p>');
+        child = jqLite('<p>foo</p>');
 
       fragment.appendChild(child[0]);
       expect(child[0].parentNode).toBe(fragment);
@@ -1855,9 +1916,9 @@ describe('jqLite', function() {
   describe('triggerHandler', function() {
     it('should trigger all registered handlers for an event', function() {
       var element = jqLite('<span>poke</span>'),
-          pokeSpy = jasmine.createSpy('poke'),
-          clickSpy1 = jasmine.createSpy('clickSpy1'),
-          clickSpy2 = jasmine.createSpy('clickSpy2');
+        pokeSpy = jasmine.createSpy('poke'),
+        clickSpy1 = jasmine.createSpy('clickSpy1'),
+        clickSpy2 = jasmine.createSpy('clickSpy2');
 
       element.on('poke', pokeSpy);
       element.on('click', clickSpy1);
@@ -1882,8 +1943,8 @@ describe('jqLite', function() {
       // all anchors with no href automatically
 
       var element = jqLite('<a>poke</a>'),
-          pokeSpy = jasmine.createSpy('poke'),
-          event;
+        pokeSpy = jasmine.createSpy('poke'),
+        event;
 
       element.on('click', pokeSpy);
 
@@ -1896,8 +1957,8 @@ describe('jqLite', function() {
 
     it('should pass extra parameters as an additional argument', function() {
       var element = jqLite('<a>poke</a>'),
-          pokeSpy = jasmine.createSpy('poke'),
-          data;
+        pokeSpy = jasmine.createSpy('poke'),
+        data;
 
       element.on('click', pokeSpy);
 
@@ -1908,8 +1969,8 @@ describe('jqLite', function() {
 
     it('should mark event as prevented if preventDefault is called', function() {
       var element = jqLite('<a>poke</a>'),
-          pokeSpy = jasmine.createSpy('poke'),
-          event;
+        pokeSpy = jasmine.createSpy('poke'),
+        event;
 
       element.on('click', pokeSpy);
       element.triggerHandler('click');
@@ -1922,10 +1983,10 @@ describe('jqLite', function() {
 
     it('should support handlers that deregister themselves', function() {
       var element = jqLite('<a>poke</a>'),
-          clickSpy = jasmine.createSpy('click'),
-          clickOnceSpy = jasmine.createSpy('clickOnce').andCallFake(function() {
-            element.off('click', clickOnceSpy);
-          });
+        clickSpy = jasmine.createSpy('click'),
+        clickOnceSpy = jasmine.createSpy('clickOnce').andCallFake(function() {
+          element.off('click', clickOnceSpy);
+        });
 
       element.on('click', clickOnceSpy);
       element.on('click', clickSpy);
@@ -1941,12 +2002,12 @@ describe('jqLite', function() {
 
     it("should accept a custom event instead of eventName", function() {
       var element = jqLite('<a>poke</a>'),
-          pokeSpy = jasmine.createSpy('poke'),
-          customEvent = {
-            type: 'click',
-            someProp: 'someValue'
-          },
-          actualEvent;
+        pokeSpy = jasmine.createSpy('poke'),
+        customEvent = {
+          type: 'click',
+          someProp: 'someValue'
+        },
+        actualEvent;
 
       element.on('click', pokeSpy);
       element.triggerHandler(customEvent);
@@ -1959,9 +2020,9 @@ describe('jqLite', function() {
 
     it('should stop triggering handlers when stopImmediatePropagation is called', function() {
       var element = jqLite(a),
-          clickSpy1 = jasmine.createSpy('clickSpy1'),
-          clickSpy2 = jasmine.createSpy('clickSpy2').andCallFake(function(event) { event.stopImmediatePropagation(); }),
-          clickSpy3 = jasmine.createSpy('clickSpy3');
+        clickSpy1 = jasmine.createSpy('clickSpy1'),
+        clickSpy2 = jasmine.createSpy('clickSpy2').andCallFake(function(event) { event.stopImmediatePropagation(); }),
+        clickSpy3 = jasmine.createSpy('clickSpy3');
 
       element.on('click', clickSpy1);
       element.on('click', clickSpy2);
@@ -1976,8 +2037,8 @@ describe('jqLite', function() {
 
     it('should have event.isImmediatePropagationStopped method', function() {
       var element = jqLite(a),
-          clickSpy = jasmine.createSpy('clickSpy'),
-          event;
+        clickSpy = jasmine.createSpy('clickSpy'),
+        event;
 
       element.on('click', clickSpy);
       element.triggerHandler('click');
diff --git a/test/ng/compileSpec.js b/test/ng/compileSpec.js
index da8b52725d71..2621466845e5 100755
--- a/test/ng/compileSpec.js
+++ b/test/ng/compileSpec.js
@@ -6322,6 +6322,54 @@ describe('$compile', function() {
       });
     });
 
+    it('should use $$sanitizeUri when declared via ng-href', function() {
+      var $$sanitizeUri = jasmine.createSpy('$$sanitizeUri');
+      module(function($provide) {
+        $provide.value('$$sanitizeUri', $$sanitizeUri);
+      });
+      inject(function($compile, $rootScope) {
+        element = $compile('<a ng-href="{{testUrl}}"></a>')($rootScope);
+        $rootScope.testUrl = "someUrl";
+
+        $$sanitizeUri.andReturn('someSanitizedUrl');
+        $rootScope.$apply();
+        expect(element.attr('href')).toBe('someSanitizedUrl');
+        expect($$sanitizeUri).toHaveBeenCalledWith($rootScope.testUrl, false);
+      });
+    });
+
+    it('should use $$sanitizeUri when working with svg and xlink:href', function() {
+      var $$sanitizeUri = jasmine.createSpy('$$sanitizeUri');
+      module(function($provide) {
+        $provide.value('$$sanitizeUri', $$sanitizeUri);
+      });
+      inject(function($compile, $rootScope) {
+        element = $compile('<svg><a xlink:href="" ng-href="{{ testUrl }}"></a></svg>')($rootScope);
+        $rootScope.testUrl = "evilUrl";
+
+        $$sanitizeUri.andReturn('someSanitizedUrl');
+        $rootScope.$apply();
+        expect(element.find('a').prop('href').baseVal).toBe('someSanitizedUrl');
+        expect($$sanitizeUri).toHaveBeenCalledWith($rootScope.testUrl, false);
+      });
+    });
+
+
+    it('should use $$sanitizeUri when working with svg and xlink:href', function() {
+      var $$sanitizeUri = jasmine.createSpy('$$sanitizeUri');
+      module(function($provide) {
+        $provide.value('$$sanitizeUri', $$sanitizeUri);
+      });
+      inject(function($compile, $rootScope) {
+        element = $compile('<svg><a xlink:href="" ng-href="{{ testUrl }}"></a></svg>')($rootScope);
+        $rootScope.testUrl = "evilUrl";
+
+        $$sanitizeUri.andReturn('someSanitizedUrl');
+        $rootScope.$apply();
+        expect(element.find('a').prop('href').baseVal).toBe('someSanitizedUrl');
+        expect($$sanitizeUri).toHaveBeenCalledWith($rootScope.testUrl, false);
+      });
+    });
   });
 
   describe('interpolation on HTML DOM event handler attributes onclick, onXYZ, formaction', function() {