fix(core): fix possible XSS attack in development through SSR #40525
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mhevery
added
the
area: security
mhevery
added
area: core
IgorMinar
approved these changes
Jan 22, 2021
IgorMinar
added
the
action: cleanup
|
and the CI seems unhappy, PTAL |
IgorMinar
reviewed
Jan 22, 2021
mhevery
removed
the
action: cleanup
IgorMinar
approved these changes
Jan 22, 2021
jessicajaniuk
pushed a commit
that referenced
this pull request
Jan 22, 2021
This is a follow up fix for 894286d. It turns out that comments can be closed in several ways: - `<!-->` - `<!-- -->` - `<!-- --!>` All of the above are valid ways to close comment per: https://html.spec.whatwg.org/multipage/syntax.html#comments The new fix surrounds `<` and `>` with zero width space so that it renders in the same way, but it prevents the comment to be closed eagerly. PR Close #40525
jessicajaniuk
pushed a commit
to jessicajaniuk/angular
that referenced
this pull request
Jan 23, 2021
…angular#40525)" This reverts commit bb3b315. Reason for Revert: Issues with Google3 TAP Failures
jessicajaniuk
pushed a commit
that referenced
this pull request
Jan 23, 2021
jessicajaniuk
pushed a commit
that referenced
this pull request
Jan 23, 2021
|
We had to rollback this due to legitimate failing targets in google3. Please take a look. |
AndrewKushnir
added
state: blocked
and removed
action: merge
gkalpak
reviewed
Jan 23, 2021
This is a follow up fix for angular@894286d. It turns out that comments can be closed in several ways: - `<!-->` - `<!-- -->` - `<!-- --!>` All of the above are valid ways to close comment per: https://html.spec.whatwg.org/multipage/syntax.html#comments The new fix surrounds `<` and `>` with zero width space so that it renders in the same way, but it prevents the comment to be closed eagerly.
jessicajaniuk
pushed a commit
that referenced
this pull request
Jan 26, 2021
This is a follow up fix for 894286d. It turns out that comments can be closed in several ways: - `<!-->` - `<!-- -->` - `<!-- --!>` All of the above are valid ways to close comment per: https://html.spec.whatwg.org/multipage/syntax.html#comments The new fix surrounds `<` and `>` with zero width space so that it renders in the same way, but it prevents the comment to be closed eagerly. PR Close #40525
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
mhevery
added a commit
that referenced
this pull request
Mar 18, 2021
This is a follow up fix for 894286d. It turns out that comments can be closed in several ways: - `<!-->` - `<!-- -->` - `<!-- --!>` All of the above are valid ways to close comment per: https://html.spec.whatwg.org/multipage/syntax.html#comments The new fix surrounds `<` and `>` with zero width space so that it renders in the same way, but it prevents the comment to be closed eagerly. PR Close #40525
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a follow up fix for 894286d.
It turns out that comments can be closed in several ways:
<!--><!-- --><!-- --!>All of the above are valid ways to close comment per:
https://html.spec.whatwg.org/multipage/syntax.html#comments
The new fix surrounds
<and>with zero width space so that itrenders in the same way, but it prevents the comment to be closed eagerly.
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Issue Number: N/A
What is the new behavior?
Does this PR introduce a breaking change?
Other information