A couple of sanitization fixes #67561

Merged
mattrbeck merged 2 commits into angular:main from crisbeto:more-xss
Mar 12, 2026

Conversation

@crisbeto

Member

Includes a couple of fixes around sanitization.

@crisbeto crisbeto added the target: patch This PR is targeted for the next patch release label Mar 11, 2026
@angular-robot angular-robot Bot added area: compiler Issues related to `ngc`, Angular's template compiler area: core Issues related to the framework runtime labels Mar 11, 2026
@ngbot ngbot Bot added this to the Backlog milestone Mar 11, 2026
@crisbeto crisbeto requested a review from AndrewKushnir March 11, 2026 17:31
@crisbeto crisbeto added the action: review The PR is still awaiting reviews from at least one requested reviewer label Mar 11, 2026
@crisbeto crisbeto marked this pull request as ready for review March 11, 2026 17:31

@josephperrott josephperrott left a comment

Member

LGTM

Reviewed-for: fw-security

Fixes that we weren't sanitizing the `form` and `formaction` attributes when they're used together with translations.
Fixes that the compiler was allowing translations of `src` attributes in iframes which can be a security issue.

@alan-agius4 alan-agius4 left a comment

Contributor

LGTM

Reviewed-for: fw-security

@crisbeto

Member Author

Passing TGP

@crisbeto crisbeto added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Mar 12, 2026
@mattrbeck mattrbeck merged commit 78dea55 into angular:main Mar 12, 2026
21 checks passed
@mattrbeck

Member

This PR was merged into the repository. The changes were merged into the following branches:

@angular-automatic-lock-bot


This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot Bot locked and limited conversation to collaborators Apr 12, 2026