Skip to content
This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

Commit

Permalink
docs(*): update changelog for 1.8.0
Browse files Browse the repository at this point in the history
  • Loading branch information
petebacondarwin committed Jun 4, 2020
1 parent 78ab691 commit e55d352
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,33 @@

<a name="1.8.0"></a>
# 1.8.0 nested-vaccination (2020-06-01)

## Bug Fixes
- **jqLite:**
- prevent possible XSS due to regex-based HTML replacement
([2df43c](https://github.com/angular/angular.js/commit/2df43c07779137d1bddf7f3b282a1287a8634acd))

## Breaking Changes

### **jqLite** due to:
- **[2df43c](https://github.com/angular/angular.js/commit/2df43c07779137d1bddf7f3b282a1287a8634acd)**: prevent possible XSS due to regex-based HTML replacement

JqLite no longer turns XHTML-like strings like `<div /><span />` to sibling elements `<div></div><span></span>`
when not in XHTML mode. Instead it will leave them as-is. The browser, in non-XHTML mode, will convert these to:
`<div><span></span></div>`.

This is a security fix to avoid an XSS vulnerability if a new jqLite element is created from a user-controlled HTML string.
If you must have this functionality and understand the risk involved then it is posible to restore the original behavior by calling

```js
angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement();
```

But you should adjust your code for this change and remove your use of this function as soon as possible.

Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the [jQuery 3.5 upgrade guide](https://jquery.com/upgrade-guide/3.5/) for more details about the workarounds.


<a name="1.7.9"></a>
# 1.7.9 pollution-eradication (2019-11-19)

Expand Down

0 comments on commit e55d352

Please sign in to comment.