
XLTS for AngularJS v1.5.15 Released

Michael Prentice
Feb 7, 2022

Apr 26, 2024


This release introduces features and fixes, including breaking changes, related to the $http module that improve security when using JSONP. It also updates the license field in our package.json based on the latest npm documentation.

Bug Fixes

  • $http:
    • fix a potential DoS RegExp issue

New Features

  • $http:
    • a JSONP callback must be specified by jsonpCallbackParam config
    • all JSONP requests now require a trusted resource URL

Breaking Changes

$http due to:

  • a JSONP callback must be specified by jsonpCallbackParam config

    You can no longer use the JSON_CALLBACK placeholder in your JSONP requests. Instead, you must provide the name of the query parameter that will pass the callback via the jsonpCallbackParam property of the config object, or app-wide via the $http.defaults.jsonpCallbackParam property, which is "callback" by default.

    Before this change:

    $http.jsonp('trusted/url?callback=JSON_CALLBACK');
    $http.jsonp('other/trusted/url', { params: { cb: 'JSON_CALLBACK' } });


    After this change:

    $http.jsonp('trusted/url');
    $http.jsonp('other/trusted/url', { jsonpCallbackParam: 'cb' });

  • all JSONP requests now require a trusted resource URL

    All JSONP requests now require the URL to be trusted as resource URLs. There are two approaches to trust a URL:

    Whitelisting with the $sceDelegateProvider.resourceUrlWhitelist() method.

    You configure this list in a module configuration block:

    appModule.config([
      '$sceDelegateProvider',
      function ($sceDelegateProvider) {
        $sceDelegateProvider.resourceUrlWhitelist([
          // Allow same origin resource loads.
          'self',
          // Allow JSONP calls that match this pattern
          'https://some.dataserver.com/**.jsonp?**',
        ]);
      },
    ]);
    

    Explicitly trusting the URL via the $sce.trustAsResourceUrl(url) method

    You can pass a trusted object instead of a string as a URL to the $http service:

    var promise = $http.jsonp($sce.trustAsResourceUrl(url));
    
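    The two breaking changes above fit together: the script source of a JSONP request is whatever URL the page injects, and the callback name is whatever ends up in that URL's query string, so both must be kept out of reach of untrusted input. The following JavaScript is an added example and not code from AngularJS or XLTS. It models the checks a 1.5.15-style $http.jsonp makes before sending: the URL must match the whitelist configured above (using the wildcard semantics documented for $sceDelegateProvider, where '*' matches a single segment and '**' matches anything) or be wrapped by trustAsResourceUrl, the URL and params may not carry the JSON_CALLBACK placeholder or the callback parameter, and the framework appends its own generated callback name under jsonpCallbackParam. DOCUMENT_ORIGIN (what 'self' refers to), the error messages and the callback counter are constructed for this example.

```javascript
// Added example, not AngularJS or XLTS code: a model of the resource-URL and
// callback-parameter checks an AngularJS 1.6+/XLTS 1.5.15-style $http.jsonp
// performs before a request is sent.

const DOCUMENT_ORIGIN = 'https://app.example.com'; // constructed sample origin

function escapeRegExp(s) {
  return s.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, '\\$&');
}

// Turn one whitelist entry into an anchored RegExp (model of $sce's matcher):
// '**' matches any characters, '*' matches any characters except ':/.?&;'.
function patternToRegExp(pattern) {
  if (pattern === 'self') {
    // Same origin only: the origin must be followed by '/' or end of string,
    // so 'https://app.example.com.evil.org/' does not match.
    return new RegExp('^' + escapeRegExp(DOCUMENT_ORIGIN) + '(/.*)?$');
  }
  const body = escapeRegExp(pattern)
    .replace(/\\\*\\\*/g, '.*')
    .replace(/\\\*/g, '[^:/.?&;]*');
  return new RegExp('^' + body + '$');
}

// The whitelist from the configuration block above, compiled once.
const resourceUrlWhitelist = [
  'self',
  'https://some.dataserver.com/**.jsonp?**',
].map(patternToRegExp);

// Explicit trust: wrap the URL so the whitelist is bypassed for this call.
class TrustedResourceUrl {
  constructor(url) { this.url = url; }
}
function trustAsResourceUrl(url) {
  return new TrustedResourceUrl(url);
}

function isTrustedResourceUrl(url) {
  if (url instanceof TrustedResourceUrl) return true;
  return resourceUrlWhitelist.some((re) => re.test(url));
}

function hasQueryParam(url, name) {
  return new RegExp('[?&]' + escapeRegExp(name) + '=').test(url);
}

const httpDefaults = { jsonpCallbackParam: 'callback' };
let callbackCounter = 0;

// Returns the final request URL and the generated callback name, or throws
// with a message prefixed by the $http error code ('insecurl' or 'badjsonp').
function prepareJsonpRequest(url, config = {}) {
  if (!isTrustedResourceUrl(url)) {
    throw new Error('insecurl: JSONP requests require a trusted resource URL');
  }
  const plainUrl = url instanceof TrustedResourceUrl ? url.url : url;
  const cbParam = config.jsonpCallbackParam || httpDefaults.jsonpCallbackParam;
  const params = Object.assign({}, config.params);

  // The caller may not name the callback, neither via the old placeholder
  // nor by supplying the callback parameter in the URL or in params.
  if (plainUrl.includes('JSON_CALLBACK') ||
      Object.values(params).includes('JSON_CALLBACK')) {
    throw new Error('badjsonp: JSON_CALLBACK placeholder is no longer supported');
  }
  if (cbParam in params || hasQueryParam(plainUrl, cbParam)) {
    throw new Error('badjsonp: illegal use of callback param "' + cbParam + '"');
  }

  // Only the framework chooses the callback name (modelled on angular.callbacks).
  const callbackName = 'angular.callbacks._' + (callbackCounter++).toString(36);
  params[cbParam] = callbackName;
  const query = Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
  return { url: plainUrl + (plainUrl.includes('?') ? '&' : '?') + query, callbackName };
}

// Stand-alone demo on constructed URLs: two accepted, two rejected.
const demoCases = [
  ['https://some.dataserver.com/feed.jsonp?id=7', {}],
  ['https://app.example.com.evil.org/feed.jsonp', {}],
  ['https://some.dataserver.com/feed.jsonp?callback=JSON_CALLBACK', {}],
  [trustAsResourceUrl('https://partner.example.net/api'), { jsonpCallbackParam: 'cb' }],
];
for (const [url, config] of demoCases) {
  try {
    console.log('OK  ', prepareJsonpRequest(url, config).url);
  } catch (e) {
    console.log('DENY', e.message);
  }
}
```

    The demo shows the point of the change: a URL that merely starts with the page's origin is not 'self', a URL outside the whitelist is refused before any script element is created, and a request that tries to name its own callback is refused even when the URL itself is trusted.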

With this release, we have completed the process of back-porting all the security fixes from AngularJS 1.8.2 to XLTS for AngularJS 1.5.x.

FAQ

Updated: March 5, 2024

The first high-severity CVE since AngularJS End of Life has been officially reported. For AngularJS Never-Ending Support (formerly XLTS) clients, we found this CVE last year and issued a fix immediately. For all others, as Google’s official AngularJS long-term support partner, we encourage you to either:

  1. Migrate off of AngularJS, or
  2. Contact HeroDevs about how you can keep your AngularJS environment secure, compliant, and compatible indefinitely.