fix(core): validate security-sensitive attributes in i18n bindings #68439

Merged
alxhub merged 1 commit into angular:main from alan-agius4:security-i18n
Apr 30, 2026

@alan-agius4

Contributor

Ensures that security-sensitive attributes (e.g., sandbox, allow) are correctly validated when applied through i18n-* dynamic attribute bindings, preventing potential policy bypasses.

Closes #68418

@alan-agius4 added the "action: review" (The PR is still awaiting reviews from at least one requested reviewer) and "target: patch" (This PR is targeted for the next patch release) labels Apr 29, 2026
@pullapprove pullapprove Bot requested review from josephperrott and kirjs April 29, 2026 09:18
@angular-robot angular-robot Bot added the "area: core" (Issues related to the framework runtime) label Apr 29, 2026
@ngbot ngbot Bot added this to the Backlog milestone Apr 29, 2026
@josephperrott josephperrott left a comment

Member

LGTM

@pullapprove pullapprove Bot requested a review from josephperrott April 29, 2026 14:14

@josephperrott josephperrott left a comment

Member

LGTM

Reviewed-for: fw-security

@AndrewKushnir removed the "action: review" (The PR is still awaiting reviews from at least one requested reviewer) label Apr 29, 2026
@AndrewKushnir removed the request for review from kirjs April 29, 2026 15:33
@alan-agius4 added the "action: merge" (The PR is ready for merge by the caretaker) label Apr 29, 2026
@alan-agius4 alan-agius4 requested a review from alxhub April 30, 2026 06:37

@alxhub alxhub left a comment

Member

Reviewed-for: fw-security

@alxhub alxhub merged commit 9d7a609 into angular:main Apr 30, 2026
36 of 41 checks passed
@alxhub

alxhub commented Apr 30, 2026

Member

This PR was merged into the repository. The changes were merged into the following branches:

@angular-automatic-lock-bot

This pull request has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot Bot locked and limited conversation to collaborators May 31, 2026

Development

Successfully merging this pull request may close these issues.

Security: Angular i18n sandbox interpolation bypass lets same-origin preview iframes read parent-page data