common
| Commit | Description |
|---|---|
| add upper bounds for digitsInfo | |
| sanitize placeholder |
compiler
| Commit | Description |
|---|---|
| normalize tag names with custom namespaces in DomElementSchemaRegistry (#68868) | |
| prevent namespaced SVG <style> elements from being stripped | |
| sanitize dynamic href and xlink:href bindings on SVG a elements (#68868) |
core
| Commit | Description |
|---|---|
| do not register dom triggers when defer blocks are in manual mode | |
| normalize tag names in runtime i18n attribute security context lookup (#68868) | |
| prevent rxResource from leaking a subscription | |
| sanitize meta selectors |
forms
| Commit | Description |
|---|---|
| avoid redundant invalidations in parser errors signal |
http
| Commit | Description |
|---|---|
| exclude withCredentials requests from transfer cache | |
| Introduce a max buffer size for fetch requests on SSR | |
prevent httpResource from leaking a subscription
| |
| skip TransferCache for cookie-bearing requests by default |
platform-server
| Commit | Description |
|---|---|
| prevent SSRF bypasses via backslash URLs in HttpClient | |
| secure location and document initialization against SSRF and path hijack |
service-worker
| Commit | Description |
|---|---|
| Preserves explicit 'credentials: omit' in asset requests | |
| Preserves HTTP cache mode in asset group requests |