angular.js v1.8.0 Release Notes

Release Date: 2020-06-01
  • This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz (@koto), and independently by Esben Sparre Andreasen (@esbena) while performing a Variant Analysis of CVE-2020-11022, which itself was found and reported by Masato Kinugawa (@masatokinugawa).

    Bug Fixes

    • jqLite:
      • prevent possible XSS due to regex-based HTML replacement (2df43c)

    Breaking Changes

    jqLite due to:

    • 2df43c: prevent possible XSS due to regex-based HTML replacement

    JqLite no longer turns XHTML-like strings like <div /><span /> to sibling elements <div></div><span></span> when not in XHTML mode. Instead it will leave them as-is. The browser, in non-XHTML mode, will convert these to: <div><span></span></div>.

    This is a security fix to avoid an XSS vulnerability if a new jqLite element is created from a user-controlled HTML string. If you must have this functionality and understand the risk involved, then it is possible to restore the original behavior by calling:

    angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement();
    

    But you should adjust your code for this change and remove your use of this function as soon as possible.

    Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the jQuery 3.5 upgrade guide for more details about the workarounds.
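
A migration aid for the breaking change above, as an added example that is not part of the AngularJS release or code base: it scans trusted, developer-authored HTML strings for self-closing non-void tags, which now parse as nested rather than sibling elements, and prints the explicit form to use instead. The pattern, function names and sample templates are assumptions made for this example.

```javascript
// Added example: audit trusted, developer-authored HTML strings for the
// jqLite 1.8.0 breaking change. Not for transforming user-controlled HTML.
const VOID = 'area|br|col|embed|hr|img|input|link|meta|param';

// Assumption: this pattern is modelled on the regex-based replacement the
// release removed; it matches self-closing tags that are not void elements.
const SELF_CLOSING = new RegExp(
  '<(?!(?:' + VOID + ')(?![\\w:-]))(([\\w:-]+)[^>]*)\\/>', 'gi');

// List every tag in `html` whose parsing changes in non-XHTML mode.
function findLegacyDependentTags(html) {
  return Array.from(html.matchAll(SELF_CLOSING), (m) => ({
    tag: m[2].toLowerCase(),
    text: m[0],
    index: m.index,
  }));
}

// Produce the explicit open/close form to paste back into your own source.
function writeExplicitClosers(html) {
  return html.replace(SELF_CLOSING,
    (_, inner, tag) => '<' + inner.trimEnd() + '></' + tag + '>');
}

// Audit a map of named template strings; return only those needing a rewrite.
function auditTemplates(templates) {
  const report = [];
  for (const [name, html] of Object.entries(templates)) {
    const hits = findLegacyDependentTags(html);
    if (hits.length > 0) {
      report.push({ name, tags: hits.map((h) => h.tag),
                    suggested: writeExplicitClosers(html) });
    }
  }
  return report;
}

// Constructed sample inputs (hypothetical template names).
const SAMPLE_TEMPLATES = {
  siblings: '<div /><span />',
  voidOnly: '<p>line<br/>break</p><input type="text" />',
  custom: '<my-widget class="a" />',
};

for (const row of auditTemplates(SAMPLE_TEMPLATES)) {
  console.log(row.name + ': ' + row.tags.join(', ') + ' -> ' + row.suggested);
}
```

Apply the suggested rewrites by hand in your source; strings that include user-controlled data should not be passed through any regex-based rewriting.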