
AngularJS 1.4.x

Release Notes

1.4.16 (NES) - October 31, 2025

Notes

  • This release backports security fixes, along with jQuery and browser compatibility fixes, from newer AngularJS versions to the 1.4.x packages.
  • Some of these fixes required breaking changes. See the "Breaking Changes" section below for details.
  • Full package names and versions:
    • @neverendingsupport/angularjs@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-animate@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-aria@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-cookies@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-i18n@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-loader@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-message-format@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-messages@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-mocks@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-resource@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-route@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-sanitize@1.4.14-angularjs-1.4.16
    • @neverendingsupport/angularjs-touch@1.4.14-angularjs-1.4.16

Bug Fixes

  • *:
    • don't trigger jQuery Migrate warnings
    • collect jQuery nodes between two elements correctly
    • avoid catastrophic backtracking in XHTML_TAG_REGEXP
    • allow auto-bootstrapping from inline script
    • do not bootstrap from unknown schemes with a different origin
    • explicitly whitelist URL schemes for bootstrap
    • do not auto-bootstrap if the src exists but is empty
    • do not auto-bootstrap if the currentScript has been clobbered
    • do not auto-bootstrap if the script source is bad and inside SVG
    • do not auto-bootstrap when loaded from an extension
      • This fixes a Medium Severity Content Security Policy (CSP) Bypass vulnerability (npm:angular:20161101)
  • angular.copy: make a regex used in angular.copy DoS-safe
    • This fixes a Medium Severity Regular expression Denial of Service (ReDoS) vulnerability (CVE-2023-26116)
  • angular.merge: do not merge __proto__ property
    • This fixes a High Severity Prototype Pollution vulnerability (CVE-2019-10768)
  • browserTrigger:
    • support CompositionEvent
    • fix focus triggering in IE with jQuery >=3.7.0
  • jqLite:
    • silently ignore after() if element has no parent
    • prevent possible XSS due to regex-based HTML replacement
      • This fixes a High Severity Cross Site Scripting (XSS) vulnerability (SNYK-JS-ANGULAR-572020)
      • This fixes a Medium Severity Cross Site Scripting (XSS) vulnerability (CVE-2020-7676)
    • update the last version without the fix
    • define jqLite.htmlPrefilter inline
  • $$cookieReader: correctly handle forbidden access to document.cookie
  • $browser: set the URL even if the browser transforms it
  • $compile:
    • properly sanitize xlink:href attribute interpolation
      • This fixes a High Severity Cross Site Scripting vulnerability (CVE-2019-14863)
    • lower the $sce context for src on video, audio, source, track
    • fix a possible ReDoS in ng-srcset parsing
      • This fixes a High Severity Regular expression Denial of Service (ReDoS) vulnerability (CVE-2024-21490)
    • always sanitize image sources on <source> element
      • This fixes a Medium Severity Content Spoofing vulnerability (CVE-2024-8373)
    • always sanitize image sources on <image> SVG element
      • This fixes a Medium Severity Content Spoofing vulnerability (CVE-2025-0716)
    • improve performance of comment-based directive collection
    • improve performance of srcset attribute sanitization
  • $http:
    • all JSONP requests now require a trusted resource URL
    • a JSONP callback must be specified by jsonpCallbackParam config
    • fix a potential DoS RegExp issue
  • $injector: improve performance of implicit dependency annotation
  • $location: prevent infinite digest with IDN urls in Edge
  • $parse: block assigning to fields of a constructor prototype
  • $resource: avoid DoS in stripping trailing slashes
    • This fixes a Medium Severity Regular expression Denial of Service (ReDoS) vulnerability (CVE-2023-26117)
  • $sanitize:
    • support void elements, fixups, remove dead code, typos
    • make svg support an opt-in
    • add mXSS protection
    • strip urls starting with unsafe: as opposed to unsafe
    • blacklist SVG <use> elements
    • reduce stack height in IE <= 11
    • prevent clobbered elements from freezing the browser
    • use appropriate inert document strategy for Firefox and Safari
    • sanitize xml:base attributes
    • do not trigger CSP alert/report in Firefox and Chrome
    • sanitize image sources on <image> SVG elements
      • This fixes a Medium Severity Content Spoofing vulnerability (CVE-2025-2336)
  • sanitizeUri: sanitize URIs that contain IDEOGRAPHIC SPACE chars
  • $sce: fix adjustMatcher to replace multiple * and **
  • $sniffer:
    • fix history sniffing in Chrome Packaged Apps
    • don't use history.pushState in sandboxed Chrome Packaged Apps
  • input:
    • remove workaround for Firefox bug
    • prevent browsers from autofilling hidden inputs
    • make URL_REGEXP less ambiguous
      • This fixes a Medium Severity Regular expression Denial of Service (ReDoS) vulnerability (CVE-2023-26118)
  • linky: prevent ReDoS when searching for URLs in text
    • This fixes a Medium Severity Regular expression Denial of Service (ReDoS) vulnerability (CVE-2025-4690)
  • srcset: prevent bypassing image source sanitization with (ng(Attr))Srcset
    • This fixes a Medium Severity Content Spoofing vulnerability (CVE-2024-8372)
  • textarea: avoid interpolating when going back/forward on IE
    • This fixes a Medium Severity Cross Site Scripting (XSS) vulnerability (CVE-2022-25869)
  • modules: allow modules to be loaded in any order when using angular-loader
  • angular-loader: ensure "closure" globals are available
  • ngAnimate: make animation duration calculation compatible with CSS Animations Level 2
  • ngSanitize: blacklist the attribute usemap
  • grunt-utils: insert the core CSS styles without using innerHTML
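The angular.merge item above ("do not merge __proto__ property", CVE-2019-10768) is easiest to understand by running a deep merge with and without the guard. The following is an added example written for these notes, not AngularJS source: a deep merge in the style of angular.merge(), with a skipProto flag standing in for the backported check, and a constructed JSON payload as attacker input.

```javascript
// Added example, not AngularJS source: a deep merge in the style of
// angular.merge(), run once without and once with the "__proto__" guard that
// this release backports, to show the prototype-pollution difference.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Recursively copies the own keys of `src` into `dst`. With `skipProto` false
// a key literally named "__proto__" is treated like any other: dst["__proto__"]
// resolves to Object.prototype, and the recursion writes into it. With
// `skipProto` true that key is never walked into (the backported fix).
function deepMerge(dst, src, skipProto) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (skipProto && key === '__proto__') continue;
      if (!isPlainObject(dst[key])) dst[key] = {};
      deepMerge(dst[key], value, skipProto);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed attacker-controlled input, e.g. a JSON document merged into app
// state. JSON.parse creates an *own* property named "__proto__", so it shows
// up in Object.keys() and reaches the merge above.
const PAYLOAD_JSON = '{"__proto__": {"isAdmin": true}, "name": "guest"}';

// Merges the payload into a fresh object and reports whether an unrelated
// object picked up the injected property. Cleans up afterwards so the
// pollution does not outlive the demonstration.
function demonstrate(skipProto) {
  const target = deepMerge({}, JSON.parse(PAYLOAD_JSON), skipProto);
  const leaked = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return { name: target.name, leaked: leaked };
}

console.log('vulnerable:', demonstrate(false)); // leaked: true
console.log('hardened:  ', demonstrate(true));  // leaked: undefined
```

The point to check in your own code: any merge or extend that iterates Object.keys() of untrusted input and recurses into existing values on the target will walk into Object.prototype unless "__proto__" (and, for the same reason, "constructor"/"prototype") is excluded.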

New Features

  • jqLite:
    • print warnings for problematic HTML input
    • add opt-in mode for compatibility with jQuery v4
  • $swipe: add pointer support

Breaking Changes

jqLite

  • prevent possible XSS due to regex-based HTML replacement
    See the jQuery 3.5 Upgrade Guide. This release applies the same change to jqLite: HTML strings passed to jqLite are no longer rewritten before parsing, so self-closing syntax on non-void elements (for example <div/>, which used to be expanded to <div></div>) is no longer supported.
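To see why a string-level rewrite of self-closing tags is an XSS vector, here is an added example (not jqLite's or jQuery's source): a regex written to mirror the shape of jQuery's rxhtmlTag / jqLite's XHTML_TAG_REGEXP, the legacy prefilter beside the hardened identity version, and a small model of the HTML parser's raw-text rule for <style>. The regex's exact form and the constructed payload are assumptions for illustration.

```javascript
// Added example, not jqLite's or jQuery's source: models the regex-based
// self-closing-tag expansion that jqLite inherited from jQuery < 3.5 and why
// removing it closes an XSS vector. The regex is written to mirror the shape
// of jQuery's rxhtmlTag / jqLite's XHTML_TAG_REGEXP (void elements excluded);
// its exact form here is an assumption, not a quote of either library.

const VOID_ELEMENTS = 'area|br|col|embed|hr|img|input|link|meta|param';
const XHTML_TAG_REGEXP = new RegExp(
  '<(?!' + VOID_ELEMENTS + ')(([\\w:-]+)[^>]*)\\/>', 'gi');

// Old behaviour: "<div/>" is rewritten to "<div></div>" as a string before the
// browser's HTML parser ever sees it.
function legacyHtmlPrefilter(html) {
  return html.replace(XHTML_TAG_REGEXP, '<$1></$2>');
}

// Fixed behaviour (jQuery 3.5 and this release): markup is passed through
// unchanged, so only the real HTML parser decides where elements end.
function hardenedHtmlPrefilter(html) {
  return html;
}

// Minimal model of the parser's raw-text rule for <style>: everything up to
// the first "</style>" is CSS text; only what follows is parsed as markup.
function markupAfterStyle(html) {
  const open = html.indexOf('<style>');
  if (open === -1) return html;
  const close = html.indexOf('</style>', open + '<style>'.length);
  return close === -1 ? '' : html.slice(close + '</style>'.length);
}

// True if an <img> would be created as a live element (and its onerror run).
function createsImgElement(html) {
  return /<img\b/i.test(markupAfterStyle(html));
}

// Constructed payload. As written, the "<img>" sits inside the <style> raw-text
// block and is inert. The legacy prefilter turns "<style/>" into
// "<style></style>", whose "</style>" closes the outer element early and
// promotes the <img> to real markup.
const PAYLOAD = '<style><style/><img src=x onerror=alert(1)></style>';

console.log(legacyHtmlPrefilter(PAYLOAD), createsImgElement(legacyHtmlPrefilter(PAYLOAD)));     // true
console.log(hardenedHtmlPrefilter(PAYLOAD), createsImgElement(hardenedHtmlPrefilter(PAYLOAD))); // false
```

The same pattern applies to any sanitizer or template helper that "tidies" HTML with regular expressions before the browser parses it: the rewrite and the parser disagree about element boundaries, and that disagreement is what the attacker exploits.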

$compile

  • always sanitize image sources on <image> SVG element
    Apps that bound trusted $sce.RESOURCE_URL values (whitelisted via $sceDelegateProvider.resourceUrlWhitelist(), or trusted via $sce.trustAs($sce.RESOURCE_URL, ...) or $sce.trustAsResourceUrl()) to the xlink:href attribute of SVG <image> elements are affected: those values are now also run through the regular image URL sanitization, and any that fail it will not be rendered.
    To fix this, make sure the values bound to xlink:href on <image> elements are accepted as safe image URLs, by adjusting the pattern passed to $compileProvider.imgSrcSanitizationWhitelist(). Note that this call replaces the default image whitelist rather than extending it, so the new pattern must still cover every other image source the app uses.
    Before:
    angular
        .module('myApp')
        .config(['$sceDelegateProvider', $sceDelegateProvider => {
          $sceDelegateProvider.resourceUrlWhitelist([
            // ...other resource URLs...
    
            // Allow resource URLs from `https://my.domain.com/images/`
            // for the purpose of using with `image[xlink:href]`.
            /https:\/\/my\.domain\.com\/images\/.*/,
          ]);
        }]);
    // ...or...
    angular
        .module('myApp')
        .run(['$rootScope', '$sce', ($rootScope, $sce) => {
          // Trust a specific URL as a resource URL for the purpose
          // of using in templates with `image[xlink:href]`.
          $rootScope.trustedImageUrl = $sce.trustAsResourceUrl(
              'https://my.domain.com/images/some-image.png');
        }]);
    

    After:
    angular
        .module('myApp')
        .config([
          '$compileProvider', '$sceDelegateProvider',
          ($compileProvider, $sceDelegateProvider) => {
            $sceDelegateProvider.resourceUrlWhitelist([
              // ...other resource URLs...
            ]);
    
            // imgSrcSanitizationWhitelist() takes a single RegExp and replaces
            // the default pattern, so the regex must also cover any other
            // image sources the app relies on.
            $compileProvider.imgSrcSanitizationWhitelist(
              // Allow image URLs from `https://my.domain.com/images/`
              // for the purpose of using with `<img>` or `<image>`.
              /^https:\/\/my\.domain\.com\/images\//
            );
    
            // ...or, to trust only specific image URLs for the purpose
            // of using in templates with `<img>` or `<image>`:
            // $compileProvider.imgSrcSanitizationWhitelist(
            //   /^https:\/\/my\.domain\.com\/images\/(?:some-image\.png|other-image\.jpg)$/
            // );
          },
        ]);
    

$http

  • all JSONP requests now require a trusted resource URL
    All JSONP requests now require the URL to be trusted as a resource URL. There are two ways to trust a URL:
    Whitelisting it with the $sceDelegateProvider.resourceUrlWhitelist() method.
    You configure this list in a module configuration block:
    appModule.config(['$sceDelegateProvider', function($sceDelegateProvider) {
      $sceDelegateProvider.resourceUrlWhitelist([
        // Allow same origin resource loads.
        'self',
        // Allow JSONP calls that match this pattern
        'https://some.dataserver.com/**.jsonp?**'
      ]);
    }]);
    

    Explicitly trusting the URL via the $sce.trustAsResourceUrl(url) method
    You can pass a trusted object instead of a string as a URL to the $http service:
    var promise = $http.jsonp($sce.trustAsResourceUrl(url));
    
  • a JSONP callback must be specified by jsonpCallbackParam config
    You can no longer use the JSON_CALLBACK placeholder in your JSONP requests. Instead you must provide the name of the query parameter that will pass the callback via the jsonpCallbackParam property of the config object, or app-wide via the $http.defaults.jsonpCallbackParam property, which is "callback" by default.
    Before this change:
    $http.jsonp('trusted/url?callback=JSON_CALLBACK');
    $http.jsonp('other/trusted/url', {params: {cb: 'JSON_CALLBACK'}});
    

    After this change:
    $http.jsonp('trusted/url');
    $http.jsonp('other/trusted/url', {jsonpCallbackParam: 'cb'});
    

$sanitize

  • make svg support an opt-in
    The svg support in $sanitize is now an opt-in option.
    Applications that depend on this option can use $sanitizeProvider.enableSvg(true) to turn the option back on, but while doing so, please read the warning provided in the documentation for information on preventing click-hijacking attacks when this option is turned on.
  • blacklist SVG <use> elements
    The <use> element is now removed from SVG passed to the $sanitize service.
    This element is only used to import external SVG resources, which is a security risk as the $sanitize service does not have access to the resource in order to sanitize it.
  • blacklist the attribute usemap
    The $sanitize service will now remove instances of the usemap attribute from any elements passed to it.
    This attribute is used to reference another element by name or id. Since the name and id attributes are already blacklisted, a sanitized usemap attribute could only reference unsanitized content, which is a security risk.

textarea

  • avoid interpolating when going back/forward on IE
    Previously, the HTML contents of <textarea> elements were interpolated on all browsers. Due to how page caching works on Internet Explorer, this could lead to a <textarea> value's being interpolated when navigating back/forward to a page, even when the value was not originally inline in the HTML.
    Due to security considerations, the HTML contents of <textarea> elements are no longer interpolated on Internet Explorer. If you want to set the <textarea> element's value by evaluating an AngularJS expression, you can use ng-bind.
    For example:
    <!-- Before: -->
    <textarea>{{ 1 + 2 }}</textarea>
    
    <!-- After: -->
    <textarea ng-bind="1 + 2"></textarea>
    

1.4.15 (NES) - October 17, 2025

Notes

  • This release contains no functional change from the OSS angular v1.4.14.
  • This release mainlines OSS v1.4.14 into NES v1.4.15.
  • Full package names and versions:
    • @neverendingsupport/angularjs@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-animate@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-aria@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-cookies@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-i18n@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-loader@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-message-format@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-messages@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-mocks@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-resource@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-route@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-sanitize@1.4.14-angularjs-1.4.15
    • @neverendingsupport/angularjs-touch@1.4.14-angularjs-1.4.15