angular.js v1.8.0 Release Notes

Release Date: 2020-06-01
  • 🚀 This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz (@koto); and independently by Esben Sparre Andreasen (@esbena) while performing a Variant Analysis of CVE-2020-11022, which itself was found and reported by Masato Kinugawa (@masatokinugawa).

    🐛 Bug Fixes

    • jqLite:
      • prevent possible XSS due to regex-based HTML replacement (2df43c)

    💥 Breaking Changes

    jqLite due to:

    • 2df43c: prevent possible XSS due to regex-based HTML replacement

    JqLite no longer turns XHTML-like strings such as <div /><span /> into sibling elements <div></div><span></span> when not in XHTML mode. Instead it leaves them as-is. The browser, in non-XHTML mode, will convert these to: <div><span></span></div>.

    🔒 This is a security fix to avoid an XSS vulnerability if a new jqLite element is created from a user-controlled HTML string. If you must have this functionality and understand the risk involved, then it is possible to restore the original behavior by calling

    angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement();

    🚚 But you should adjust your code for this change and remove your use of this function as soon as possible.
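The following is an added example, not code from angular.js or jqLite, that models the behaviour change described above so that a template can be checked before and after upgrading. The regex and the names expandSelfClosingTags, jqLiteHtml and reliesOnLegacyReplacement are simplifications assumed for illustration; jqLite's own expression is not reproduced here, and the browser's non-XHTML parse of the unchanged string (which nests <span> inside <div>) is not modelled.

```javascript
// Added example: a simplified model of the jqLite 1.8.0 change, not jqLite's own code.
// Assumed/hypothetical names: expandSelfClosingTags, jqLiteHtml, reliesOnLegacyReplacement.

// Legacy behaviour (pre-1.8.0): a regex rewrote XHTML-style self-closing tags such as
// "<div />" into "<div></div>" before handing the string to the browser's HTML parser.
// This pattern is a deliberately simplified stand-in: it stops at the first ">" and does
// not handle quoted attribute values containing ">" the way a real HTML parser would.
const SELF_CLOSING_TAG = /<([a-zA-Z][\w:-]*)([^>]*?)\s*\/>/g;

function expandSelfClosingTags(html) {
  return html.replace(SELF_CLOSING_TAG, '<$1$2></$1>');
}

// 1.8.0 behaviour: the string is passed through unchanged unless the legacy
// replacement has been explicitly re-enabled (the opt-in the release notes describe).
function jqLiteHtml(html, { legacyXhtmlReplacement = false } = {}) {
  return legacyXhtmlReplacement ? expandSelfClosingTags(html) : html;
}

// Migration check: report whether a string would have been rewritten by the legacy
// behaviour. Templates for which this returns true need to be written with explicit
// closing tags instead of relying on UNSAFE_restoreLegacyJqLiteXHTMLReplacement().
function reliesOnLegacyReplacement(html) {
  return expandSelfClosingTags(html) !== html;
}

// Constructed sample template strings (not taken from any real application).
const SAMPLES = ['<div /><span />', '<div></div><span></span>', '<img src="a.png" />'];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample),
    'legacy:', JSON.stringify(jqLiteHtml(sample, { legacyXhtmlReplacement: true })),
    'now:', JSON.stringify(jqLiteHtml(sample)),
    'needs migration:', reliesOnLegacyReplacement(sample));
}
```

Running the file lists, for each template string, what the legacy rewrite produced, what 1.8.0 now passes through, and whether the template depended on the removed behaviour; the same check can be run over a project's own template strings to find the ones to fix before dropping the UNSAFE_ call.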

    ⬆️ Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the jQuery 3.5 upgrade guide for more details about the workarounds.
