Commits on Oct 15, 2025

1. fix(@angular/ssr): prevent malicious URL from overriding host …

   A request with a specially crafted URL starting with a double slash (e.g., `//example.com`) could cause the server-side rendering logic to interpret the request as being for a different host. This is due to the behavior of the `URL` constructor when a protocol-relative URL is passed as the first argument.
   
   This vulnerability could be exploited to make the server execute requests to a malicious domain when relative paths are used within the application (e.g., via `HttpClient`), potentially leading to content injection or other security risks.
   
   The fix ensures that the request URL is always constructed as a full URL string, including the protocol and host, before being passed to the `URL` constructor. This prevents the host from being overridden by the path.
   
   Closes #31464
   
   (cherry picked from commit 619c6bc)

   

   alan-agius4 authored and hybrist committed Oct 15, 2025
   Configuration menu

   • View commit details
   • Copy full SHA for 9136a5d
   • Browse repository at this point

   Copy the full SHA

   9136a5d View commit details

   Browse the repository at this point in the history

2. release: cut the v19.2.18 release

   

   hybrist committed Oct 15, 2025
   Configuration menu

   • View commit details
   • Copy full SHA for 8590f19
   • Browse repository at this point

   Copy the full SHA

   8590f19 View commit details

   Browse the repository at this point in the history