merrily-celebrating

Bug Fixes

• $sanitize:
  • do not trigger CSP alert/report in Firefox and Chrome
  • sanitize xml:base attributes
    • This fixes a Medium Severity XSS vulnerability.
  • use appropriate inert document strategy for Firefox and Safari
    • This fixes a Medium Severity XSS vulnerability.
  • prevent clobbered elements from freezing the browser
    • This fixes a Medium Severity Denial of Service vulnerability.
• Angular: avoid catastrophic backtracking in XHTML_TAG_REGEXP
• jqLite: define jqLite.htmlPrefilter inline
• angular.merge: do not merge proto property
  • This fixes a High Severity vulnerability associated with CVE-2019-10768

FAQ

Updated: March 5, 2024

The first high-severity CVE since AngularJS End of Life has been officially reported. For AngularJS Never-Ending Support (formerly XLTS) clients, we found this CVE last year and issued a fix immediately. For all others, as Google’s official AngularJS long-term support partner, we encourage you to either:

1. Migrate off of AngularJS, or
2. Contact HeroDevs about how you can keep your AngularJS environment secure, compliant, and compatible indefinitely.