XLTS for AngularJS 1.5.x
XLTS for AngularJS v1.5.15 Released
XLTS for AngularJS v1.5.15 announcements and release notes.
This release introduces features and fixes, including breaking changes, related to the $http module that improve security when using JSONP. It also updates the license field in our package.json based on the latest npm documentation.
Bug Fixes
- $http:
  - fix a potential DoS RegExp issue
New Features
- $http:
  - a JSONP callback must be specified by the jsonpCallbackParam config
    - This fixes a Medium Severity JSONP Callback Attack vulnerability.
  - all JSONP requests now require a trusted resource URL
    - This fixes a Medium Severity XSS vulnerability.
Breaking Changes
$http due to:
- a JSONP callback must be specified by the jsonpCallbackParam config
You can no longer use the JSON_CALLBACK placeholder in your JSONP requests. Instead, you must provide the name of the query parameter that will pass the callback via the jsonpCallbackParam property of the config object, or app-wide via the $http.defaults.jsonpCallbackParam property, which is "callback" by default.

Before this change:

  $http.jsonp('trusted/url?callback=JSON_CALLBACK');
  $http.jsonp('other/trusted/url', { params: { cb: 'JSON_CALLBACK' } });

After this change:

  $http.jsonp('trusted/url');
  $http.jsonp('other/trusted/url', { jsonpCallbackParam: 'cb' });
- all JSONP requests now require a trusted resource URL

All JSONP requests now require the URL to be trusted as a resource URL. There are two approaches to trust a URL:

Whitelisting with the $sceDelegateProvider.resourceUrlWhitelist() method.
You configure this list in a module configuration block:

  appModule.config([
    '$sceDelegateProvider',
    function ($sceDelegateProvider) {
      $sceDelegateProvider.resourceUrlWhitelist([
        // Allow same origin resource loads.
        'self',
        // Allow JSONP calls that match this pattern
        'https://some.dataserver.com/**.jsonp?**',
      ]);
    },
  ]);
Explicitly trusting the URL via the $sce.trustAsResourceUrl(url) method.

You can pass a trusted object instead of a string as a URL to the $http service:

  var promise = $http.jsonp($sce.trustAsResourceUrl(url));
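To make the two checks concrete, here is an added stand-alone model (not XLTS or AngularJS source) of what $http.jsonp enforces after this change: the URL must match a resourceUrlWhitelist entry, and the caller can no longer supply the callback parameter, because the framework appends it itself. The application origin, the simplified whitelist matching, the callback id and all function names are assumptions made for this illustration.

```javascript
// Added example, not XLTS/AngularJS source: a stand-alone model of the two
// checks $http.jsonp performs after this release, runnable without a browser.
// APP_ORIGIN, the callback id and all function names are assumptions.
const APP_ORIGIN = 'https://app.example.test'; // assumed application origin
const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Simplified resourceUrlWhitelist matching: 'self' is any same-origin URL,
// '**' matches any characters (including '/'), '*' matches all but '/'.
function patternToRegExp(pattern) {
  if (pattern === 'self') {
    return new RegExp('^' + escapeRe(APP_ORIGIN) + '(?:[/?#].*)?$');
  }
  const body = pattern.split('**')
    .map(seg => seg.split('*').map(escapeRe).join('[^/]*'))
    .join('.*');
  return new RegExp('^' + body + '$');
}

function isTrustedResourceUrl(url, whitelist) {
  return whitelist.some(p => patternToRegExp(p).test(url));
}

// Post-change behaviour: the caller never writes the callback name. The
// framework appends it under config.jsonpCallbackParam (default "callback")
// and rejects URLs that are untrusted or that already carry that parameter,
// so page-controlled input cannot pick which function the response invokes.
function buildJsonpUrl(url, config, whitelist, callbackId) {
  if (!isTrustedResourceUrl(url, whitelist)) {
    throw new Error('insecurl: ' + url);
  }
  const param = config.jsonpCallbackParam || 'callback';
  const params = Object.assign({}, config.params);
  const inQuery = new RegExp('[?&]' + escapeRe(param) + '=').test(url);
  if (inQuery || param in params) {
    throw new Error('badjsonp: callback param "' + param + '" supplied by caller');
  }
  params[param] = callbackId; // framework-generated callback function name
  const query = Object.keys(params)
    .map(k => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&');
  return url + (url.includes('?') ? '&' : '?') + query;
}

// Demo using the whitelist from the configuration block above
const WHITELIST = ['self', 'https://some.dataserver.com/**.jsonp?**'];
console.log(buildJsonpUrl('https://some.dataserver.com/feed.jsonp?x=1', {},
  WHITELIST, 'angular.callbacks._0'));
```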
With this release, we have completed the process of back-porting all the security fixes from AngularJS 1.8.2 to XLTS for AngularJS 1.5.x.
FAQ
Updated: March 5, 2024
The first high-severity CVE since AngularJS End of Life has been officially reported. For AngularJS Never-Ending Support (formerly XLTS) clients, we found this CVE last year and issued a fix immediately. For all others, as Google’s official AngularJS long-term support partner, we encourage you to either:
- Migrate off of AngularJS, or
- Contact HeroDevs about how you can keep your AngularJS environment secure, compliant, and compatible indefinitely.