XLTS for AngularJS v1.5.15 Released

daintily-cracking

This release introduces features and fixes, including breaking changes, related to the $http module that improve security when using JSONP. It also updates the license field in our package.json based on the latest npm documentation.

‍

Bug Fixes

• $http:
  • fix a potential DoS RegExp issue

‍

New Features

• $http:
  • a JSONP callback must be specified by jsonpCallbackParam config
    • This fixes a Medium Severity JSONP Callback Attack vulnerability.
  • all JSONP requests now require a trusted resource URL
    • This fixes a Medium Severity XSS vulnerability.

‍

Breaking Changes

$http due to:

• a JSONP callback must be specified by jsonpCallbackParam config
  
  You can no longer use the JSON_CALLBACK placeholder in your JSONP requests. Instead, you must provide the name of the query parameter that will pass the callback via the jsonpCallbackParam property of the config object, or app-wide via the $http.defaults.jsonpCallbackParam property, which is "callback" by default.
  
  Before this change:
  
  $http.json('trusted/url?callback=JSON_CALLBACK');
$http.json('other/trusted/url', { params: { cb: 'JSON_CALLBACK' } });

After this change:

$http.json('trusted/url');
$http.json('other/trusted/url', { callbackParam: 'cb' });
‍


• all JSONP requests now require a trusted resource URL
  
  All JSONP requests now require the URL to be trusted as resource URLs. There are two approaches to trust a URL:
  
  Whitelisting with the
  ‍$sceDelegateProvider.resourceUrlWhitelist() method.
  
  You configure this list in a module configuration block:

appModule.config([
 '$sceDelegateProvider',
 function ($sceDelegateProvider) {
   $sceDelegateProvider.resourceUrlWhiteList([
     // Allow same origin resource loads.
     'self',
     // Allow JSONP calls that match this pattern
     'https://some.dataserver.com/**.jsonp?**',
   ]);
 },
]);
  Explicitly trusting the URL via the $sce.trustAsResourceUrl(url) method
  
  You can pass a trusted object instead of a string as a URL to the $http service:var promise = $http.jsonp($sce.trustAsResourceUrl(url));
  

‍

With this release, we have completed the process of back-porting all the security fixes from AngularJS 1.8.2 to XLTS for AngularJS 1.5.x.

‍

FAQ

Updated: March 5, 2024

The first high-severity CVE since AngularJS End of Life has been officially reported. For AngularJS Never-Ending Support (formerly XLTS) clients, we found this CVE last year and issued a fix immediately. For all others, as Google’s official AngularJS long-term support partner, we encourage you to either:

1. Migrate off of AngularJS, or
2. Contact HeroDevs about how you can keep your AngularJS environment secure, compliant, and compatible indefinitely.