Blog

XLTS for AngularJS 1.5.x v1.5.15 Released

Michael Prentice
Feb 7, 2022


This release introduces features and fixes, including breaking changes, related to the $http module that improve security when using JSONP. It also updates the license field in our package.json based on the latest npm documentation.

Bug Fixes

  • $http:
    • fix a potential DoS RegExp issue

New Features

  • $http:
    • a JSONP callback must be specified by jsonpCallbackParam config
    • all JSONP requests now require a trusted resource URL

Breaking Changes

$http due to:

  • a JSONP callback must be specified by jsonpCallbackParam config

    You can no longer use the JSON_CALLBACK placeholder in your JSONP requests. Instead, you must provide the name of the query parameter that will pass the callback via the jsonpCallbackParam property of the config object, or app-wide via the $http.defaults.jsonpCallbackParam property, which is "callback" by default.

    Before this change:

    $http.jsonp('trusted/url?callback=JSON_CALLBACK');
    $http.jsonp('other/trusted/url', { params: { cb: 'JSON_CALLBACK' } });
    

    After this change:

    $http.jsonp('trusted/url');
    $http.jsonp('other/trusted/url', { jsonpCallbackParam: 'cb' });
    
  • all JSONP requests now require a trusted resource URL

    All JSONP requests now require the URL to be trusted as resource URLs. There are two approaches to trust a URL:

    Whitelisting with the $sceDelegateProvider.resourceUrlWhitelist() method.

    You configure this list in a module configuration block:

    appModule.config([
      '$sceDelegateProvider',
      function ($sceDelegateProvider) {
        $sceDelegateProvider.resourceUrlWhitelist([
          // Allow same origin resource loads.
          'self',
          // Allow JSONP calls that match this pattern
          'https://some.dataserver.com/**.jsonp?**',
        ]);
      },
    ]);
    

    Explicitly trusting the URL via the $sce.trustAsResourceUrl(url) method

    You can pass a trusted object instead of a string as a URL to the $http service:

    var promise = $http.jsonp($sce.trustAsResourceUrl(url));
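
The two breaking changes above can be reasoned about without a browser. The following is an added example, not code from XLTS for AngularJS or from AngularJS itself: a simplified model of the checks $http.jsonp performs after this release. It reuses the whitelist from the configuration block above as sample policy, follows the documented $sceDelegateProvider wildcard semantics, and makes several assumptions: SELF_ORIGIN stands in for window.location, a counter stands in for the angular.callbacks._N registry, the resource URL blacklist is not modelled, and the `trusted` flag stands in for passing a $sce.trustAsResourceUrl(url) value instead of a plain string.

```javascript
// Added example, not code from XLTS or AngularJS: a simplified model of the two
// checks that $http.jsonp performs after this release, so the breaking changes
// can be exercised offline. Whitelist rules follow the documented
// $sceDelegateProvider semantics ('*' matches any characters except ':/.?&;',
// '**' matches anything, 'self' matches the current origin). The resource URL
// blacklist and the real callback registry are omitted; a counter stands in
// for angular.callbacks._N and SELF_ORIGIN stands in for window.location.

const SELF_ORIGIN = 'https://app.example.com'; // constructed stand-in origin

// The whitelist from the post's config block, reused here as sample policy.
const RESOURCE_URL_WHITELIST = ['self', 'https://some.dataserver.com/**.jsonp?**'];

function escapeForRegexp(s) {
  return s.replace(/([-()\[\]{}+?*.$\^|,:#<!\\])/g, '\\$1');
}

// Turn one whitelist entry into a matcher: 'self', or an anchored RegExp.
function adjustMatcher(matcher) {
  if (matcher === 'self') return 'self';
  if (typeof matcher === 'string') {
    if (matcher.indexOf('***') > -1) {
      throw new Error('$sce:iwcard: illegal sequence *** in resource URL pattern');
    }
    const body = escapeForRegexp(matcher)
      .replace(/\\\*\\\*/g, '.*')       // '**' -> any characters
      .replace(/\\\*/g, '[^:/.?&;]*');  // '*'  -> anything except ':/.?&;'
    return new RegExp('^' + body + '$');
  }
  if (matcher instanceof RegExp) return new RegExp('^' + matcher.source + '$');
  throw new Error('$sce:imatcher: matcher must be "self", a string or a RegExp');
}

// A plain-string URL is usable as a resource URL only if some entry matches it.
function isResourceUrlAllowed(url, whitelist) {
  const parsed = new URL(url, SELF_ORIGIN); // resolves relative URLs against the app origin
  return whitelist.map(adjustMatcher).some(function (m) {
    return m === 'self' ? parsed.origin === SELF_ORIGIN : m.test(url);
  });
}

let callbackCounter = 0; // stand-in for the angular.callbacks registry

// Model of $http.jsonp(url, config). `trusted` stands in for passing a value
// returned by $sce.trustAsResourceUrl(url) instead of a plain string.
// Returns the URL that would be loaded through a <script> tag.
function buildJsonpUrl(url, config, whitelist, trusted) {
  config = config || {};
  const params = config.params || {};
  const param = config.jsonpCallbackParam || 'callback'; // $http.defaults.jsonpCallbackParam

  // Breaking change 2: plain-string URLs must satisfy the resource URL policy.
  if (!trusted && !isResourceUrlAllowed(url, whitelist)) {
    throw new Error('$sce:insecurl: Blocked loading resource from url not allowed by $sceDelegate policy. URL: ' + url);
  }

  // Breaking change 1: the caller may not name the callback; only the framework does.
  // Neither the URL nor config.params may carry the callback param, and the old
  // JSON_CALLBACK placeholder is rejected rather than substituted.
  const callbackInUrl = new RegExp('[&?]' + escapeForRegexp(param) + '=');
  if (callbackInUrl.test(url) || url.indexOf('JSON_CALLBACK') !== -1 ||
      Object.prototype.hasOwnProperty.call(params, param)) {
    throw new Error('$http:badjsonp: Illegal use of callback param "' + param + '" in JSONP request for url "' + url + '"');
  }

  // Serialise the caller's params, then append the framework-generated callback name.
  const query = Object.keys(params).map(function (k) {
    return encodeURIComponent(k) + '=' + encodeURIComponent(params[k]);
  });
  query.push(encodeURIComponent(param) + '=angular.callbacks._' + (callbackCounter++));
  const sep = url.indexOf('?') === -1 ? '?' : '&';
  return url + sep + query.join('&');
}

// The post's "after" examples, run through the model.
console.log(buildJsonpUrl('trusted/url', null, RESOURCE_URL_WHITELIST, false));
console.log(buildJsonpUrl('other/trusted/url', { jsonpCallbackParam: 'cb' }, RESOURCE_URL_WHITELIST, false));
```

The model shows why the two changes go together: with the callback name generated by the framework and appended last, the only function a JSONP response can invoke is one the framework registered, and with the whitelist check in front of that, a plain-string URL that is not same-origin or pattern-matched never reaches the script loader. Note that `*` stops at `.` and `/`, so a pattern such as `https://*.example.com/**` does not match a host that merely starts with the expected name.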
    

With this release, we have completed the process of back-porting all the security fixes from AngularJS 1.8.2 to XLTS for AngularJS 1.5.x.
