Skip to content

Security hardening fixes#33377

Merged
crisbeto merged 8 commits into
angular:mainfrom
crisbeto:more-security
Jun 11, 2026
Merged

Security hardening fixes#33377
crisbeto merged 8 commits into
angular:mainfrom
crisbeto:more-security

Conversation

@crisbeto

@crisbeto crisbeto commented Jun 11, 2026

Copy link
Copy Markdown
Member

Includes some fixes for potential security issues. See the individual commits for context.

crisbeto added 8 commits June 11, 2026 09:33
@crisbeto
build: sanitize parsed comments
8811343 
Adds some logic to avoid accidental HTML injection through the Markdown renderer.
@crisbeto
build: avoid command injection in golden script
d55c957 
Avoids command injection in the API golden script by using `exec` instead of interpolating the entire command.
@crisbeto
build: avoid command injection when creating package archives
ed39c02 
Reworks the package archive script to avoid command injection by going through `exec` instead of constructing the command using string concatenation.
@crisbeto
refactor: avoid prototype pollution in keyboard manager
61896f5 
Makes the check whether an input is a modifier more robust against prototype pollution.
@crisbeto
fix(cdk/layout): avoid CSS injection attacks in media matcher
e14d353 
The media matcher needs to create a dummy stylesheet to work around some browser quirks. These changes ensure we don't accidentally inject malicious CSS into the page.
@crisbeto
fix(material/stepper): validate animation durations
0df0042 
The `animationDuration` input is a potential CSS injection attack vector, because we pass the value directly along to the `animation-duration` binding. These changes mitigate the risk by validating the incoming value.
@crisbeto
fix(material/grid-list): always validate colspan
3f6ea51 
We were dropping the `colspan` validation error in production mode which meant that it can go into an infinite loop.
@crisbeto
fix(material/bottom-sheet): ensure animation event comes from container
f15cb64 
Previous we were relying on the animation name to ensure that we only capture the correct animation. These changes harden it by also checking the event's `target`.
@crisbeto crisbeto requested a review from ok7sai June 11, 2026 07:43
@crisbeto crisbeto added target: patch This PR is targeted for the next patch release merge: preserve commits When the PR is merged, a rebase and merge should be performed labels Jun 11, 2026
@pullapprove pullapprove Bot requested a review from josephperrott June 11, 2026 07:43
@crisbeto crisbeto removed the request for review from josephperrott June 11, 2026 11:01
@crisbeto crisbeto added the action: merge The PR is ready for merge by the caretaker label Jun 11, 2026
@pullapprove pullapprove Bot requested a review from josephperrott June 11, 2026 11:01
@crisbeto crisbeto merged commit cd10a97 into angular:main Jun 11, 2026
47 of 50 checks passed
@crisbeto

crisbeto commented Jun 11, 2026

Copy link
Copy Markdown
Member Author

This PR was merged into the repository. The changes were merged into the following branches:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ok7sai ok7sai ok7sai approved these changes

@josephperrott josephperrott Awaiting requested review from josephperrott

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker area: build & ci Related the build and CI infrastructure of the project area: cdk/layout area: material/bottom-sheet area: material/grid-list area: material/stepper merge: preserve commits When the PR is merged, a rebase and merge should be performed target: patch This PR is targeted for the next patch release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@crisbeto @ok7sai