Commits on Dec 1, 2025

1. fix(compiler): prevent XSS via SVG animation attributeName and Math… …

   …ML/SVG URLs
   
   This commit implements a security fix to prevent XSS vulnerabilities where SVG animation elements (`<animate>`, `<set>`, etc.) could be used to modify the `href` or `xlink:href` attributes of other elements to `javascript:` URLs.
   
   The fix introduces a runtime validation step:
   - A new [ɵɵValidateAttribute](cci:1://file:///usr/local/google/home/alanagius/git/angular/packages/core/src/sanitization/sanitization.ts:276:0-288:1) instruction is used when `attributeName` is bound on SVG animation elements.
   - If executed, a `RuntimeError` is thrown, preventing the binding.
   - The compiler now identifies `attributeName` on SVG animation elements as security-sensitive and injects this validation.
   
   Additionally, the DOM security schema has been updated to include a comprehensive list of MathML and SVG elements that accept `href` or `xlink:href` attributes, ensuring they are correctly treated as `SecurityContext.URL` and sanitized. This prevents malicious URLs from being bound to these attributes.
   
   http://b/463880509

   

   alan-agius4 authored and crisbeto committed Dec 1, 2025
   Configuration menu

   • View commit details
   • Copy full SHA for d1ca8ae
   • Browse repository at this point

   Copy the full SHA

   d1ca8ae View commit details

   Browse the repository at this point in the history

2. release: cut the v20.3.15 release

   

   crisbeto committed Dec 1, 2025
   Configuration menu

   • View commit details
   • Copy full SHA for 4755bbd
   • Browse repository at this point

   Copy the full SHA

   4755bbd View commit details

   Browse the repository at this point in the history