This repository was archived by the owner on Apr 12, 2024. It is now read-only.

fix(ngSanitize): Blacklist the attribute usemap #13826

Closed

lgalfaso
Contributor

Given that the attribute `name` is blacklisted, the attribute `usemap` should be
blacklisted too.

lgalfaso added a commit that referenced this pull request Jan 22, 2016
Given that the attribute `name` is blacklisted, the attribute `usemap` should be
blacklisted too.

Closes: #13826
@Narretz
Contributor

Narretz commented Jan 24, 2016

This has landed in master, I guess we should backport to 1.4?

@petebacondarwin
Contributor

Difficulty is that it is a BC for 1.4

@Narretz
Contributor

Narretz commented Jan 25, 2016

Ok, then let's just keep it as it is in 1.4

Narretz closed this Jan 25, 2016
@breadtk

breadtk commented Feb 2, 2016

FWIW the change log calls this out simply as a breaking change. Perhaps it should be relabeled as a "Security Note" to denote its importance?

gkalpak added a commit that referenced this pull request Feb 3, 2016
@breadtk

breadtk commented Feb 6, 2016

Thanks @gkalpak!

@marekciupak

marekciupak commented Jun 28, 2016

Since this one wasn't applied to the 1.2.x branch, should I consider the 1.2.x version vulnerable, or does the problem not exist in 1.2?

I'm wondering if the fixes are still applied to 1.2.x. The official web page suggests that they are, but I wanted to make sure the description on the page is up to date.

This branch contains a legacy version of AngularJS that supports IE8 (v1.2.x on Github) (..)will only receive security fixes (...)

@gkalpak
Member

gkalpak commented Jul 12, 2016

@marekciupak, you are right, this should be backported to 1.2.x 👍
On it...
