This reverts commit 9d9cdfb575.
This commit was causing breakages because of its assumption that transcluded
content would be handled predictably, i.e. with ngTransclude, whereas many
use cases involve manipulating transcluded content in linking functions.
Fix the following exploit:
hasOwnProperty.constructor.prototype.valueOf = valueOf.call;
["a", "alert(1)"].sort(hasOwnProperty.constructor);
The exploit:
• 1. Array.sort takes a comparison function and passes it 2 parameters to compare.
2. It then calls .valueOf() if the result is not a primitive.
• The Function object conveniently accepts two string arguments so we can use this
to construct a function. However, this doesn't do much unless we can execute it.
• We set the valueOf function on Function.prototype to Function.prototype.call.
This causes the function that we constructed to be executed when sort calls
.valueOf() on the result of the comparison.
The fix is in two parts.
• Disallow passing unsafe objects to function calls as parameters.
• Do not traverse the Function object when setting a path.
Previously when a negative number was rounded to 0 by the number filter
it would be formated as a negative number. This means something like
{{ -0.01 | number: 1 }} would output -0.0. Now it will ouput 0.0
instead.
Closes#8489
BREAKING CHANGE:
The `blur` and `focus` event fire synchronously, also during DOM operations
that remove elements. This lead to errors as the Angular model was not
in a consistent state. See this [fiddle](http://jsfiddle.net/fq1dq5yb/) for a demo.
This change executes the expression of those events using
`scope.$evalAsync` if an `$apply` is in progress, otherwise
keeps the old behavior.
Fixes#4979Fixes#5945Closes#8803Closes#6910Closes#5402
-Log the value that had the duplicate key, as well as the key
The error that is thrown when items have duplicate track by keys can be
confusing because only the duplicate key is logged. If the user didn't
provide that key themselves, they may not know what it is or what item
it corresponds to.
When addClass and removeClass are called in parallel it may
cause follow-up animations to get blocked. This fix ensures
that the validity state CSS classes are applied at the same
time via $animate.setClass.
Closes#8166
Also changes the wording to include the word "escaped" and "escape", which may help users find the
information they're looking for via searching. (ノ◕ヮ◕)ノ*:・゚✧
Closes#8770
Make angular.equals() Date comparison NaN-aware to prevent infinite digest errors when a dealy watched
date has an invalid value.
Closes#8650Closes#8715
Do not trim input[type=password] values
BREAKING CHANGE:
Previously, input[type=password] would trim values by default, and would require an explicit ng-trim="false"
to disable the trimming behaviour. After this CL, ng-trim no longer effects input[type=password], and will
never trim the password value.
Closes#8250Closes#8230
Conflicts:
src/ng/directive/input.js
The $sanitize service was returning an empty string to the error page
because the input was usually a single html tag (sometimes it could be
`document`). This fix replaces angle brackets with html entities.
Closes#8683
It's not clear until you read the whole thing that it's an explanation
of what *not* to do and why, so if you scan the page from the top, you
may use this bad solution.
The example for $cacheFactory breaks when a user tries to update a value for a key.
Setting a new value for an existing key results in duplicate key entries in the key array, thus
breaking the ng-repeat directive. With this fix the key is only added if it isn't contained in the
cache.
Closes#8214
Currently, legacy browsers get to use a clever scheme for resolving relative URIs in html5Mode,
and resolve the URI relative to $location.path().
Currently, $location.path() can be '/' under certain circumstances, which means that when we
split $location.path() on '/' and later join by '/' after adding another path component,
we end up with '//pathComponent'. $$rewrite fails to deal with this correctly, and effectively
the $location is never changed from the root path.
This CL corrects this by ensuring that the duplicate '/' situation does not occur when resolving
relative URIs.
Closes#8684
In some scenarios you want to be able to specify properties on the event
that is passed to the event handler. JQuery does this by overloading the
first parameter (`eventName`). If it is an object with a `type` property
then we assume that it must be a custom event.
In this case the custom event must provide the `type` property which is
the name of the event to be triggered. `triggerHandler` will continue to
provide dummy default functions for `preventDefault()`, `isDefaultPrevented()`
and `stopPropagation()` but you may override these with your own versions
in your custom object if you wish.
In addition the commit provides some performance and memory usage
improvements by only creating objects and doing work that is necessary.
This commit also renames the parameters inline with jQuery.
Closes#8469Closes#8505
Update parent and child scopes correctly when a '='-binding changes from a NaN value.
TBR by angular-core
Closes#8553Closes#8554
Conflicts:
test/ng/compileSpec.js
