AngularJS 1.5.x

1.5.23 (NES / XLTS) - July 18, 2024

Bug Fixes

• *: preserve license file headers in minified files
• *: use correct names and versions in bower.json files

New Features

• jqLite: add opt-in mode for compatibility with jQuery v4 via angular.jqLite_jQueryLt4CompatibilityEnabled()
• See Compatibility with jQuery v4 for more information.

1.5.22 (NES / XLTS) - May 21, 2024

Bug Fixes

• $compile: always sanitize image sources on <source> element
  • This fixes a Medium Severity Content Spoofing vulnerability (CVE-2024-8373)
• srcset: prevent bypassing image source sanitization with (ng(Attr/Prop))Srcset
  • This fixes a Medium Severity Content Spoofing vulnerability (CVE-2024-8372)

1.5.21 (NES) - February 6, 2024

Notes

• Repackaging XLTS for AngularJS as AngularJS NES
  • XLTS merged with HeroDevs in September 2023 and continues to support AngularJS under Never Ending Support (NES)
• AngularJS NES v1.9.4 is functionally equivalent to XLTS for AngularJS v1.9.3

1.5.19 (XLTS) - August 18, 2023

Bug Fixes

• $compile: fix a vulnerable performance issue in ng-srcset parsing
  • This fixes a High Severity ReDoS vulnerability (CVE-2024-21490)
• route: suppress warning from CodeQL regarding escaping backslash characters

1.5.18 (XLTS) - August 4, 2023

Bug Fixes

• ngAnimate: make animation duration calculation compatible with CSS Animations Level 2
• browserTrigger: fix focus triggering in IE with jQuery >=3.7.0
• bootstrap: no longer trigger RegExp warning in CodeQL scans

1.5.17 (XLTS) - February 7, 2023

Bug Fixes

• $resource: improve performance when stripping trailing slashes
  • This fixes a Medium Severity ReDoS vulnerability (CVE-2023-26117)
• Angular:
  • collect jQuery nodes between two elements correctly for jQuery v4 preview
  • improve performance of regular expression used in angular.copy
    • This fixes a Medium Severity ReDoS vulnerability (CVE-2023-26116)
• input: make URL_REGEXP less ambiguous
  • This fixes a Medium Severity ReDoS vulnerability (CVE-2023-26118)

1.5.16 (XLTS) - June 8, 2022

Bug Fixes

• textarea: avoid interpolating when going back/forward on IE
  • This fixes a Medium Severity XSS vulnerability (CVE-2022-25869)

New Features

• Angular: implement angular.version.vendor
  • This now holds the value "XLTS.dev" for ease of determining if a supported version of AngularJS is running in a given app

Breaking Changes

• textarea: Avoid interpolating when going back/forward on IE. Previously, the HTML contents of <textarea> elements were interpolated on all browsers. Due to security considerations, the HTML contents of <textarea> elements are no longer interpolated on Internet Explorer. If you want to set the <textarea> element's value by evaluating an AngularJS expression, you can use ng-bind or ng-prop-value. For example:

<!-- Before: -->
<textarea>{{ 1 + 2 }}</textarea>

<!-- After: -->
<textarea ng-bind="1 + 2"></textarea>

1.5.15 (XLTS) - February 7, 2022

Bug Fixes

• $http:
  • fix a potential DoS RegExp issue

New Features

• $http:
  • a JSONP callback must be specified by jsonpCallbackParam config
    • This fixes a Medium Severity JSONP Callback Attack vulnerability.
  • all JSONP requests now require a trusted resource URL
    • This fixes a Medium Severity XSS vulnerability.

Breaking Changes

• $http: A JSONP callback must be specified by jsonpCallbackParam config. You can no longer use the JSON_CALLBACK placeholder in your JSONP requests. Instead, you must provide the name of the query parameter that will pass the callback via the jsonpCallbackParam property of the config object, or app-wide via the $http.defaults.jsonpCallbackParam property, which is "callback" by default.Before this change:

$http.json('trusted/url?callback=JSON_CALLBACK');
$http.json('other/trusted/url', { params: { cb: 'JSON_CALLBACK' } });

After this change:

$http.json('trusted/url');
$http.json('other/trusted/url', { callbackParam: 'cb' });

• $http: All JSONP requests now require a trusted resource URL. There are two approaches to trust a URL:

Whitelisting with the $sceDelegateProvider.resourceUrlWhitelist() method You configure this list in a module configuration block:

appModule.config([
  '$sceDelegateProvider',
  function ($sceDelegateProvider) {
    $sceDelegateProvider.resourceUrlWhiteList([
      // Allow same origin resource loads.
      'self',
      // Allow JSONP calls that match this pattern
      'https://some.dataserver.com/**.jsonp?**',
    ]);
  },
]);

Explicitly trusting the URL via the $sce.trustAsResourceUrl(url) method You can pass a trusted object instead of a string as a URL to the $http service:

var promise = $http.jsonp($sce.trustAsResourceUrl(url));

With this release, we have completed the process of back-porting all the security fixes from AngularJS 1.8.2 to XLTS for AngularJS 1.5.x.

1.5.14 (XLTS) - December 3, 2021

Bug Fixes

• $sanitize:
  • do not trigger CSP alert/report in Firefox and Chrome
  • sanitize xml:base attributes
    • This fixes a Medium Severity XSS vulnerability.
  • use appropriate inert document strategy for Firefox and Safari
    • This fixes a Medium Severity XSS vulnerability.
  • prevent clobbered elements from freezing the browser
    • This fixes a Medium Severity Denial of Service vulnerability.
• Angular: avoid catastrophic backtracking in XHTML_TAG_REGEXP
• jqLite: define jqLite.htmlPrefilter inline
• angular.merge: do not merge proto property
  • This fixes a High Severity vulnerability associated with CVE-2019-10768

1.5.13 (XLTS) - August 20, 2021

Bug Fixes

• jqLite: prevent possible XSS due to regex-based HTML replacement
  • This fixes Medium Severity and High Severity vulnerabilities associated with CVE-2020-7676
  • This fix was cherry-picked from the v1.8.x branch
• docs: remove extra . in error link URLs

New Features

• jqLite: print warnings for problematic HTML input

Breaking Changes

• jqLite due to:
  • jqLite: prevent possible XSS due to regex-based HTML replacement
  • See https://jquery.com/upgrade-guide/3.5/

This applies a similar change to jqLite. Using self-closing tags in HTML is no longer supported.

1.5.12 (XLTS) - August 1, 2021

This is the first XLTS for AngularJS 1.5.x release! 🚀

As such, there have been updates to the License and the Security Policy. New security issues should be sent to security@xlts.dev.

Bug Fixes

• sanitizeUri: sanitize URIs that contain IDEOGRAPHIC SPACE chars
  • This is a Medium Severity Security fix for a XSS vulnerability in Chrome 62 and earlier.
  • This fix was cherry-picked from the v1.7.x branch
• jqlite: nosel error points to an invalid URL
• $interpolate: fix docs URL in noconcat error
• $sce: fix docs URL in iequirks error
• misc:
  • update error reference links to use code.angularjs.xlts.dev
  • fix 28 security warnings in build, test, and release tooling
• browserTrigger: support CompositionEvent
• grunt-utils: insert the core CSS styles without using innerHTML
• Angular:
  • add workaround for Safari / Webdriver problem
  • do not auto bootstrap if the src exists but is empty
  • do not auto bootstrap if the currentScript has been clobbered
  • do not auto bootstrap if the script source is bad and inside SVG
• minErr: update url to https
• docs:
  • linting cleanup of the web worker used for search
  • fix @media breakpoints for small/extra small devices
• ngScenario: completely remove the angular scenario runner

Breaking Changes

• ngScenario: Completely remove the angular scenario runner. The angular scenario runner end-to-end test framework has been removed from the project and will no longer be available on npm starting with 1.5.12. It was deprecated and removed from the documentation in 2014. Applications that still use it should migrate to Protractor or another e2e testing framework