angular.js v1.8.0 Release Notes
Release Date: 2020-06-01
This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz (@koto), and independently by Esben Sparre Andreasen (@esbena) while performing a Variant Analysis of CVE-2020-11022, which itself was found and reported by Masato Kinugawa (@masatokinugawa).
🐛 Bug Fixes
- prevent possible XSS due to regex-based HTML replacement (2df43c)
💥 Breaking Changes
jqLite due to:
- 2df43c: prevent possible XSS due to regex-based HTML replacement
JqLite no longer turns XHTML-like strings like
<div /><span />
to sibling elements
<div></div><span></span>
when not in XHTML mode. Instead it will leave them as-is. The browser, in non-XHTML mode, will convert these to:
This is a security fix to avoid an XSS vulnerability if a new jqLite element is created from a user-controlled HTML string.
If you must have this functionality and understand the risk involved then it is possible to restore the original behavior by calling
But you should adjust your code for this change and remove your use of this function as soon as possible.
Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the jQuery 3.5 upgrade guide for more details about the workarounds.
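To find code affected by this breaking change before upgrading, the following added example (not part of the AngularJS release notes or source) flags HTML strings that the old regex-based replacement would have rewritten. The pattern is an approximation modelled on the legacy replacement, and the sample strings and file locations are constructed.

```javascript
// Pattern modelled on the legacy jqLite/jQuery XHTML-tag expansion (an
// approximation for auditing, not copied from the AngularJS source).
// It matches self-closing tags whose name is not a void element.
const LEGACY_XHTML_TAG =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi;

// The string jqLite before 1.8.0 would have handed to the HTML parser.
function legacyExpand(html) {
  return html.replace(LEGACY_XHTML_TAG, '<$1></$2>');
}

// Return one finding per string that the legacy replacement rewrote.
// For these call sites the resulting DOM shape changes after the upgrade,
// because 1.8.0 passes the string to the parser unmodified.
function auditHtmlStrings(samples) {
  const findings = [];
  for (const { where, html } of samples) {
    const tags = html.match(LEGACY_XHTML_TAG) || [];
    if (tags.length > 0) {
      findings.push({ where, tags, before: legacyExpand(html), after: html });
    }
  }
  return findings;
}

// Constructed sample inputs; the file locations are hypothetical.
const SAMPLES = [
  { where: 'panel.js:12', html: '<div/><span/>' },
  { where: 'form.js:40', html: '<input type="text"/><br/>' },
  { where: 'list.js:7', html: '<ul><li></li></ul>' },
  { where: 'widget.js:3', html: '<my-widget class="a"/>text' },
];

function report() {
  return auditHtmlStrings(SAMPLES).map(
    (f) => `${f.where}: ${f.tags.join(' ')} -> legacy output ${f.before}`
  );
}

console.log(report().join('\n'));
```

Each flagged string should be rewritten with explicit closing tags so that it parses the same way in every AngularJS version.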