XLTS for AngularJS v1.5.16 Released

exploitatively-ceasing

‍

Bug Fixes

• textarea: avoid interpolating when going back/forward on IE
  • This fixes a Medium Severity XSS vulnerability (CVE-2022-25869).
  • This fix was cherry-picked from the v1.9.x branch.
• input: prevent browsers from autofilling hidden inputs
  • Autofilling with previous values (which will then be $interpolated) could lead to XSS or errors.
  • This fix was cherry-picked from the v1.8.x branch.

‍

New Features

• Angular: implement angular.version.vendor
  • This now holds the value "XLTS.dev" for ease of determining if a supported version of AngularJS is running in a given app

‍

Breaking Changes

textarea due to:

• avoid interpolating when going back/forward on IE
  
  ‍‍Previously, the HTML contents of <textarea> elements were interpolated on all browsers. Due to security considerations, the HTML contents of <textarea> elements are no longer interpolated on Internet Explorer.
  
  If you want to set the <textarea> element's value by evaluating an AngularJS expression, you can use ng-bind. For example:
  
  <!-- Before: -->
  <textarea>{{ 1 + 2 }}</textarea>
  
  <!-- After: -->
  <textarea ng-bind="1 + 2"></textarea>

‍

‍

FAQ

Updated: March 5, 2024

The first high-severity CVE since AngularJS End of Life has been officially reported. For AngularJS Never-Ending Support (formerly XLTS) clients, we found this CVE last year and issued a fix immediately. For all others, as Google’s official AngularJS long-term support partner, we encourage you to either:

1. Migrate off of AngularJS, or
2. Contact HeroDevs about how you can keep your AngularJS environment secure, compliant, and compatible indefinitely.