@angular/core 19.2.18 → 19.2.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (52) hide show
  1. package/event_dispatcher.d-K56StcHr.d.ts +1 -1
  2. package/fesm2022/core.mjs +34 -14
  3. package/fesm2022/core.mjs.map +1 -1
  4. package/fesm2022/primitives/di.mjs +1 -1
  5. package/fesm2022/primitives/di.mjs.map +1 -1
  6. package/fesm2022/primitives/event-dispatch.mjs +1 -1
  7. package/fesm2022/primitives/event-dispatch.mjs.map +1 -1
  8. package/fesm2022/primitives/signals.mjs +1 -1
  9. package/fesm2022/primitives/signals.mjs.map +1 -1
  10. package/fesm2022/rxjs-interop.mjs +1 -1
  11. package/fesm2022/rxjs-interop.mjs.map +1 -1
  12. package/fesm2022/testing.mjs +1 -1
  13. package/fesm2022/testing.mjs.map +1 -1
  14. package/fesm2022/untracked-BKcld_ew.mjs +1 -1
  15. package/fesm2022/untracked-BKcld_ew.mjs.map +1 -1
  16. package/index.d.ts +1 -1
  17. package/navigation_types.d-fAxd92YV.d.ts +1 -1
  18. package/package.json +1 -1
  19. package/primitives/di/index.d.ts +1 -1
  20. package/primitives/event-dispatch/index.d.ts +1 -1
  21. package/primitives/signals/index.d.ts +1 -1
  22. package/rxjs-interop/index.d.ts +1 -1
  23. package/schematics/bundles/add-bootstrap-context-to-server-main.cjs +2 -2
  24. package/schematics/bundles/{apply_import_manager-BDckZ-aO.cjs → apply_import_manager-QEWElZT-.cjs} +3 -3
  25. package/schematics/bundles/{change_tracker-EC4_OX_3.cjs → change_tracker-BPk3UwXG.cjs} +2 -2
  26. package/schematics/bundles/{checker-B7WeiY-n.cjs → checker-DLkGMJj-.cjs} +5 -4
  27. package/schematics/bundles/cleanup-unused-imports.cjs +5 -5
  28. package/schematics/bundles/compiler_host-CAfDJO3W.cjs +1 -1
  29. package/schematics/bundles/control-flow-migration.cjs +3 -3
  30. package/schematics/bundles/explicit-standalone-flag.cjs +3 -3
  31. package/schematics/bundles/imports-CIX-JgAN.cjs +1 -1
  32. package/schematics/bundles/{index-DyN3x_2s.cjs → index-BPwBW8Gv.cjs} +4 -4
  33. package/schematics/bundles/{index-DeAjKhiO.cjs → index-iQYWEThN.cjs} +12 -12
  34. package/schematics/bundles/inject-migration.cjs +3 -3
  35. package/schematics/bundles/leading_space-D9nQ8UQC.cjs +1 -1
  36. package/schematics/bundles/{migrate_ts_type_references-L5PQQLA-.cjs → migrate_ts_type_references-BhOqwhYA.cjs} +5 -5
  37. package/schematics/bundles/ng_decorators-B5HCqr20.cjs +1 -1
  38. package/schematics/bundles/nodes-B16H9JUd.cjs +1 -1
  39. package/schematics/bundles/output-migration.cjs +6 -6
  40. package/schematics/bundles/pending-tasks.cjs +3 -3
  41. package/schematics/bundles/{project_paths-DIZUxMOI.cjs → project_paths-DePtMwan.cjs} +3 -3
  42. package/schematics/bundles/project_tsconfig_paths-CDVxT6Ov.cjs +1 -1
  43. package/schematics/bundles/property_name-BBwFuqMe.cjs +1 -1
  44. package/schematics/bundles/provide-initializer.cjs +3 -3
  45. package/schematics/bundles/route-lazy-loading.cjs +3 -3
  46. package/schematics/bundles/self-closing-tags-migration.cjs +4 -4
  47. package/schematics/bundles/signal-input-migration.cjs +7 -7
  48. package/schematics/bundles/signal-queries-migration.cjs +7 -7
  49. package/schematics/bundles/signals.cjs +7 -7
  50. package/schematics/bundles/standalone-migration.cjs +4 -4
  51. package/testing/index.d.ts +1 -1
  52. package/weak_ref.d-DWHPG08n.d.ts +1 -1
package/event_dispatcher.d-K56StcHr.d.ts CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- * @license Angular v19.2.18
2
+ * @license Angular v19.2.20
3
3
  * (c) 2010-2025 Google LLC. https://angular.io/
4
4
  * License: MIT
5
5
  */
package/fesm2022/core.mjs CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- * @license Angular v19.2.18
2
+ * @license Angular v19.2.20
3
3
  * (c) 2010-2025 Google LLC. https://angular.io/
4
4
  * License: MIT
5
5
  */
@@ -10880,6 +10880,13 @@ const VALID_ATTRS = merge(URI_ATTRS, HTML_ATTRS, ARIA_ATTRS);
10880
10880
  // `Some content`, but strip `invalid-element` opening/closing tags. For some elements, though, we
10881
10881
  // don't want to preserve the content, if the elements themselves are going to be removed.
10882
10882
  const SKIP_TRAVERSING_CONTENT_IF_INVALID_ELEMENTS = tagSet('script,style,template');
10883
+ /**
10884
+ * Attributes that are potential attach vectors and may need to be sanitized.
10885
+ */
10886
+ const SENSITIVE_ATTRS = merge(URI_ATTRS,
10887
+ // Note: we don't include these attributes in `URI_ATTRS`, because `URI_ATTRS` also
10888
+ // determines whether an attribute should be dropped when sanitizing an HTML string.
10889
+ tagSet('action,formaction,data,codebase'));
10883
10890
  /**
10884
10891
  * SanitizingHtmlSerializer serializes a DOM fragment, stripping out any unsafe elements and unsafe
10885
10892
  * attributes.
@@ -18079,7 +18086,7 @@ class ComponentFactory extends ComponentFactory$1 {
18079
18086
  const cmpDef = this.componentDef;
18080
18087
  ngDevMode && verifyNotAnOrphanComponent(cmpDef);
18081
18088
  const tAttributes = rootSelectorOrNode
18082
- ? ['ng-version', '19.2.18']
18089
+ ? ['ng-version', '19.2.20']
18083
18090
  : // Extract attributes and classes from the first selector only to match VE behavior.
18084
18091
  extractAttrsAndClassesFromSelector(this.componentDef.selectors[0]);
18085
18092
  // Create the root view. Uses empty TView and ContentTemplate.
@@ -29469,7 +29476,7 @@ function i18nAttributesFirstPass(tView, index, values) {
29469
29476
  // the compiler treats static i18n attributes as regular attribute bindings.
29470
29477
  // Since this may not be the first i18n attribute on this element we need to pass in how
29471
29478
  // many previous bindings there have already been.
29472
- generateBindingUpdateOpCodes(updateOpCodes, message, previousElementIndex, attrName, countBindings(updateOpCodes), null);
29479
+ generateBindingUpdateOpCodes(updateOpCodes, message, previousElementIndex, attrName, countBindings(updateOpCodes), SENSITIVE_ATTRS[attrName.toLowerCase()] ? _sanitizeUrl : null);
29473
29480
  }
29474
29481
  }
29475
29482
  tView.data[index] = updateOpCodes;
@@ -29795,15 +29802,9 @@ function walkIcuTree(ast, tView, tIcu, lView, sharedUpdateOpCodes, create, remov
29795
29802
  const attr = elAttrs.item(i);
29796
29803
  const lowerAttrName = attr.name.toLowerCase();
29797
29804
  const hasBinding = !!attr.value.match(BINDING_REGEXP);
29798
- // we assume the input string is safe, unless it's using a binding
29799
29805
  if (hasBinding) {
29800
29806
  if (VALID_ATTRS.hasOwnProperty(lowerAttrName)) {
29801
- if (URI_ATTRS[lowerAttrName]) {
29802
- generateBindingUpdateOpCodes(update, attr.value, newIndex, attr.name, 0, _sanitizeUrl);
29803
- }
29804
- else {
29805
- generateBindingUpdateOpCodes(update, attr.value, newIndex, attr.name, 0, null);
29806
- }
29807
+ generateBindingUpdateOpCodes(update, attr.value, newIndex, attr.name, 0, SENSITIVE_ATTRS[lowerAttrName] ? _sanitizeUrl : null);
29807
29808
  }
29808
29809
  else {
29809
29810
  ngDevMode &&
@@ -29812,8 +29813,27 @@ function walkIcuTree(ast, tView, tIcu, lView, sharedUpdateOpCodes, create, remov
29812
29813
  `(see ${XSS_SECURITY_URL})`);
29813
29814
  }
29814
29815
  }
29816
+ else if (VALID_ATTRS[lowerAttrName]) {
29817
+ if (SENSITIVE_ATTRS[lowerAttrName]) {
29818
+ // Don't sanitize, because no value is acceptable in sensitive attributes.
29819
+ // Translators are not allowed to create URIs.
29820
+ if (typeof ngDevMode !== 'undefined' && ngDevMode) {
29821
+ console.warn(`WARNING: ignoring unsafe attribute ` +
29822
+ `${lowerAttrName} on element ${tagName} ` +
29823
+ `(see ${XSS_SECURITY_URL})`);
29824
+ }
29825
+ addCreateAttribute(create, newIndex, attr.name, 'unsafe:blocked');
29826
+ }
29827
+ else {
29828
+ addCreateAttribute(create, newIndex, attr.name, attr.value);
29829
+ }
29830
+ }
29815
29831
  else {
29816
- addCreateAttribute(create, newIndex, attr);
29832
+ if (typeof ngDevMode !== 'undefined' && ngDevMode) {
29833
+ console.warn(`WARNING: ignoring unknown attribute name ` +
29834
+ `${lowerAttrName} on element ${tagName} ` +
29835
+ `(see ${XSS_SECURITY_URL})`);
29836
+ }
29817
29837
  }
29818
29838
  }
29819
29839
  const elementNode = {
@@ -29882,8 +29902,8 @@ function addCreateNodeAndAppend(create, marker, text, appendToParentIdx, createA
29882
29902
  }
29883
29903
  create.push(text, createAtIdx, icuCreateOpCode(0 /* IcuCreateOpCode.AppendChild */, appendToParentIdx, createAtIdx));
29884
29904
  }
29885
- function addCreateAttribute(create, newIndex, attr) {
29886
- create.push((newIndex << 1 /* IcuCreateOpCode.SHIFT_REF */) | 1 /* IcuCreateOpCode.Attr */, attr.name, attr.value);
29905
+ function addCreateAttribute(create, newIndex, attrName, attrValue) {
29906
+ create.push((newIndex << 1 /* IcuCreateOpCode.SHIFT_REF */) | 1 /* IcuCreateOpCode.Attr */, attrName, attrValue);
29887
29907
  }
29888
29908
 
29889
29909
  // i18nPostprocess consts
@@ -34786,7 +34806,7 @@ class Version {
34786
34806
  /**
34787
34807
  * @publicApi
34788
34808
  */
34789
- const VERSION = new Version('19.2.18');
34809
+ const VERSION = new Version('19.2.20');
34790
34810
 
34791
34811
  /**
34792
34812
  * Combination of NgModuleFactory and ComponentFactories.