angular.js/CHANGELOG.md

1.3.0-beta.14 harmonious-cacophonies (2014-06-30)

This release contains security fixes for $parse that prevent arbitrary code execution via Angular expressions under some very specific conditions. The only applications affected by these vulnerabilities are those that match all of the following conditions:

• application mixes server-side and client-side templating
• the server-side templating contains XSS vulnerabilities
• the vulnerabilities in the server-side templating are being guarded by server-side XSS filters or on the client-side via CSP
• the server-side XSS vulnerabilities can be used to augment the client-side template processed by Angular

Applications not meeting all of the conditions are not vulnerable.

This fix is in both 1.3.0-beta.14 and 1.2.19 release.

The Angular team would like to thank Jann Horn for reporting these vulnerabilities via [security@angularjs.org].

Bug Fixes

• $compile: bind ng-attr-* even if unbound attribute follows ng-attr-* (8b0258d8, #7739)
• $http:
  • should not read statusText on IE<10 when request is aborted (31ae3e71)
  • add the PATCH shortcut back (b28b5caa, #5894)
• $injector: check if a fn is an array explicitly (b1a6baac, #7904, #2653)
• $interval: when canceling, use clearInterval from $window instead of global scope. (a4904c0f)
• $parse:
  • prevent invocation of Function's bind, call and apply (77ada4c8)
  • forbid proto properties in angular expressions (6081f207)
  • forbid {define,lookup}{Getter,Setter} properties (48fa3aad)
  • forbid referencing Object in angular expressions (528be29d)
  • handle constants as one-time binding expressions (d9763f1b, #7970)
• $timeout/$interval: if invokeApply is false, do not use evalAsync (19b6b343, #7999, #7103)
• Angular: nodeName should always be lowercase (dafb8a3c, #3987)
• Angular.copy: preserve prototype chain when copying objects (b59b04f9, #5063, #3767, #4996)
• core: drop the toBoolean function (bdfc9c02, #3969, #4277, #7960)
• injector: allow multiple loading of function modules (2f0a4488, #7255)
• input:
  • improve html5 validation support (1f6a5a1a, #7936, #7937)
  • escape forward slash in email regexp (b775e2bc, #7938)
• jqLite:
  • never add to the cache for non-element/document nodes (91754a76, #7966)
  • don't attach event handlers to comments or text nodes (462dbb20, #7913, #7942)
  • convert NodeList to an Array to make PhantomJS 1.x happy (ceaea861, #7851)
• numberFilter: correctly round fractions despite floating-point arithmetics issues in JS (189cd064, #7870, #7878)
• testabilityPatch: fix invocations of angular.mock.dump (e8e07502)

Features

• NgModel:
  • port the email input type to use the validators pipeline (67379242)
  • port the URL input type to use the validators pipeline (3ee65730)
• jqLite: support isDefaultPrevented for triggerHandler dummies (7e71acd1, #8008)

Performance Improvements

• forEach: use native for loop instead of forEach for Arrays (36625de0)

Breaking Changes

• $parse:
  • due to 77ada4c8,

You can no longer invoke .bind, .call or .apply on a function in angular expressions. This is to disallow changing the behaviour of existing functions in an unforseen fashion.

• due to 6081f207,

The (deprecated) proto propery does not work inside angular expressions anymore.

• due to 48fa3aad,

This prevents the use of {define,lookup}{Getter,Setter} inside angular expressions. If you really need them for some reason, please wrap/bind them to make them less dangerous, then make them available through the scope object.

• due to 528be29d,

This prevents the use of Object inside angular expressions. If you need Object.keys, make it accessible in the scope.

• Angular.copy: due to b59b04f9,

This changes angular.copy so that it applies the prototype of the original object to the copied object. Previously, angular.copy would copy properties of the original object's prototype chain directly onto the copied object.

This means that if you iterate over only the copied object's hasOwnProperty properties, it will no longer contain the properties from the prototype. This is actually much more reasonable behaviour and it is unlikely that applications are actually relying on this.

If this behaviour is relied upon, in an app, then one should simply iterate over all the properties on the object (and its inherited properties) and not filter them with hasOwnProperty.

Be aware that this change also uses a feature that is not compatible with IE8. If you need this to work on IE8 then you would need to provide a polyfill for Object.create and Object.getPrototypeOf.

• core: due to bdfc9c02, values 'f', '0', 'false', 'no', 'n', '[]' are no longer treated as falsy. Only JavaScript falsy values are now treated as falsy by the expression parser; there are six of them: false, null, undefined, NaN, 0 and "".

Closes #3969 Closes #4277 Closes #7960

1.2.19 precognitive-flashbacks (2014-06-30)

Bug Fixes

• $compile: bind ng-attr-* even if unbound attribute follows ng-attr-* (ed59370d)
• $http: should not read statusText on IE<10 when request is aborted (0c80df21)
• $injector: check if a fn is an array explicitly (67c11b9a, #7904, #2653)
• $interval: when canceling, use clearInterval from $window instead of global scope. (f780ccfa)
• $parse:
  • make the window check in ensureSafeObject IE8 friendly (ba62e975)
  • prevent invocation of Function's bind, call and apply (07fa87a8)
  • forbid proto properties in angular expressions (cb713e60)
  • forbid {define,lookup}{Getter,Setter} properties (89ca8597)
  • forbid referencing Object in angular expressions (bc6fb7cc)
• injector: allow multiple loading of function modules (d71f16e7, #7255)
• input:
  • improve html5 validation support (ab2e83c8, #7937, #7957)
  • escape forward slash in email regexp (2a45cea0, #7938)
• jqLite: change expando property to a more unique name (74e1cc68)
• numberFilter: correctly round fractions despite floating-point arithmetics issues in JS (e5f454c8, #7870, #7878)
• testabilityPatch: fix invocations of angular.mock.dump (5e944a1c)

Performance Improvements

• jqLite: don't use reflection to access expandoId (a4faa5cd)

Breaking Changes

• $parse:
  • due to 07fa87a8,

You can no longer invoke .bind, .call or .apply on a function in angular expressions. This is to disallow changing the behaviour of existing functions in an unforseen fashion.

• due to cb713e60,

The (deprecated) proto propery does not work inside angular expressions anymore.

• due to 89ca8597,

This prevents the use of {define,lookup}{Getter,Setter} inside angular expressions. If you really need them for some reason, please wrap/bind them to make them less dangerous, then make them available through the scope object.

• due to bc6fb7cc,

This prevents the use of Object inside angular expressions. If you need Object.keys, make it accessible in the scope.

1.3.0-beta.13 idiosyncratic-numerification (2014-06-16)

Bug Fixes

• jqLite: change expando property to a more unique name (20c3c9e2)

1.3.0-beta.12 ephemeral-acceleration (2014-06-13)

Bug Fixes

• $compile:
  • ensure transclude works at root of templateUrl (398053c5, #7183, #7772)
  • always error if two directives add isolate-scope and new-scope (2cde927e, #4402, #4421)
• $injector: report circularity in circular dependency error message (545d22b4, #7500)
• $parse: Handle one-time to null (600a41a7, #7743, #7787)
• NgModel:
  • ensure pattern and ngPattern use the same validator (1be9bb9d)
  • make ngMinlength and ngMaxlength as standalone directives (26d91b65, #6750)
  • make sure the ngMinlength and ngMaxlength validators use the $validators pipeline (5b8e7ecf, #6304)
  • make sure the pattern validator uses the $validators pipeline (e63d4253)
  • make sure the required validator uses the $validators pipeline (e53554a0, #5164)
• jqLite: data should store data only on Element and Document nodes (a196c8bc)
• ngResource: don't convert literal values into Resource objects when isArray is true (16dfcb61, #6314, #7741)

Features

• NgModel: introduce the $validators pipeline (a8c7cb81)
• attrs: trigger observers for specific ng-attributes (d9b90d7c, #7758)
• input: add $touched and $untouched states (adcc5a00)
• ngInclude: emit $includeContentError when HTTP request fails (e4419daf, #5803)

Performance Improvements

• $compile: move ng-binding class stamping for interpolation into compile phase (35358fdd)
• $http: move xsrf cookie check to after cache check in $http (dd1d189e, #7717)
• Scope: change Scope#id to be a simple number (8c6a8171)
• forEach: cache array length (55991e33)
• isArray: use native Array.isArray (751ebc17, #7735)
• isWindow optimize internal isWindow call (b68ac4cb)
• jqLite:
  • cache collection length for all methods that work on a single element (41d2eba5)
  • improve performance of jqLite#text (92489886)
  • optimize adding nodes to a jqLite collection (31faeaa7)
  • optimize element dealocation (e35abc9d)
  • don't use reflection to access expandoId (ea9a130a)
• ngBind: set the ng-binding class during compilation instead of linking (fd5f3896)
• shallowCopy: use Object.keys to improve performance (04468db4)

Breaking Changes

• $compile: due to 2cde927e,

Requesting isolate scope and any other scope on a single element is an error. Before this change, the compiler let two directives request a child scope and an isolate scope if the compiler applied them in the order of non-isolate scope directive followed by isolate scope directive.

Now the compiler will error regardless of the order.

If you find that your code is now throwing a $compile:multidir error, check that you do not have directives on the same element that are trying to request both an isolate and a non-isolate scope and fix your code.

Closes #4402 Closes #4421

• NgModel: due to 1be9bb9d,

If an expression is used on ng-pattern (such as ng-pattern="exp") or on the pattern attribute (something like on pattern="{{ exp }}") and the expression itself evaluates to a string then the validator will not parse the string as a literal regular expression object (a value like /abc/i). Instead, the entire string will be created as the regular expression to test against. This means that any expression flags will not be placed on the RegExp object. To get around this limitation, use a regular expression object as the value for the expression.

//before
$scope.exp = '/abc/i';

//after
$scope.exp = /abc/i;

• Scope: due to 8c6a8171, Scope#$id is now of time number rather than string. Since the id is primarily being used for debugging purposes this change should not affect anyone.
• forEach: due to 55991e33, forEach will iterate only over the initial number of items in the array. So if items are added to the array during the iteration, these won't be iterated over during the initial forEach call.

This change also makes our forEach behave more like Array#forEach.

• jqLite: due to a196c8bc, previously it was possible to set jqLite data on Text/Comment nodes, but now that is allowed only on Element and Document nodes just like in jQuery. We don't expect that app code actually depends on this accidental feature.

1.2.18 ear-extendability (2014-06-13)

Bug Fixes

• $compile:
  • ensure transclude works at root of templateUrl (fd420c40, #7183, #7772)
  • bound transclusion to correct scope (1382d4e8)
  • don't pass transcludes to non-transclude templateUrl directives (b9ddef2a)
  • don't pass transclude to template of non-transclude directive (eafba9e2)
  • fix nested isolated transclude directives (bb931097, #1809, #7499)
  • pass transcludeFn down to nested transclude directives (8df5f325, #7240, #7387)
• $injector: report circularity in circular dependency error message (14e797c1, #7500)
• ngResource: don't convert literal values into Resource objects when isArray is true (f0904cf1, #6314, #7741)

Performance Improvements

• $compile: move ng-binding class stamping for interpolation into compile phase (81b7e5ab)
• $http: move xsrf cookie check to after cache check in $http (8b86d363, #7717)
• isArray: use native Array.isArray (6c14fb1e)
• jqLite: cache collection length for all methods that work on a single element (6d418ef5)
• ngBind: set the ng-binding class during compilation instead of linking (1b189027)

1.2.17 - quantum disentanglement (2014-06-06)

Bug Fixes

• $animate:
  • remove the need to add display:block!important for ngShow/ngHide (55b2f0e8, #3813)
  • retain inline styles for property-specific transitions (ad08638c, #7503)
  • ensure class-based animations always perform a DOM operation if skipped (34d07403, #6957)
• $compile:
  • do not merge attrs that are the same for replace directives (b635903e, #7463)
  • pass transcludeFn down to nested transclude directives (11385060, #7240, #7387)
  • set $isolateScope correctly for sync template directives (5319621a, #6942)
  • reference correct directive name in ctreq error (6bea0591, #7062, #7067)
  • fix regression which affected old jQuery releases (a97a172e)
• $httpBackend: don't error when JSONP callback is called with no parameter (a7ccb753, #7031)
• $location:
  • don't clobber path during parsing of path (02058bfb, #7199)
  • fix and test html5Mode url-parsing algorithm for legacy browsers (24f7999b)
  • make legacy browsers behave like modern ones in html5Mode (e0203660, #6162, #6421, #6899, #6832, #6834)
• angular.copy: support circular references in the value being copied (5c997209, #7618)
• grunt-utils: ensure special inline CSS works when angular is not a global (d4231171, #7176)
• input:
  • fix ReferenceError in event listener (2d7cb14a)
  • don't dirty model when input event is triggered due to a placeholder change (109e5d1d, #2614, #5960)
• jqLite: use jQuery only if jQuery.fn.on is present (fafcd628)
• limitTo: do not convert Infinity to NaN (fcdac65a, #6771, #7118)
• ngAnimate: $animate methods should accept native DOM elements (9227a5db)
• ngClass:
  • support multiple classes in key (85ce5d0d)
  • handle index changes when an item is unshifted (a4cc9e19, #7256)
• ngLocale: fix i18n code-generation to support get_vf_, decimals_, and get_wt_ (96a31476)
• ngSanitize: encode surrogate pair properly (3d0b49c0, #5088, #6911)
• ngSwitch: properly support case labels with different numbers of transclude fns (32aa4915)
• numberFilter: fix rounding error edge case (0388eed7, #7453, #7478)

Features

• ngMock: add support of mocha tdd interface (6d1c6772, #7489)

Performance Improvements

• $interpolate: optimize value stringification (9d4fa33e, #7501)
• scope: 10x. Share the child scope class. (9ab9bf6b)

1.2.16 badger-enumeration (2014-04-03)

Bug Fixes

• $animate:
  • ensure the CSS driver properly works with SVG elements (38ea5426, #6030)
  • prevent cancellation timestamp from being too far in the future (35d635cb, #6748)
  • run CSS animations before JS animations to avoid style inheritance (0e5106ec, #6675)
• $parse: mark constant unary minus expressions as constant (6e420ff2, #6932)
• Scope:
  • revert the proto cleanup as that could cause regressions (2db66f5b)
  • more scope clean up on $destroy to minimize leaks (7e4e696e, #6794, #6856, #6968)
  • aggressively clean up scope on $destroy to minimize leaks (8d4d437e, #6794, #6856)
• filter.ngdoc: Check if "input" variable is defined (a275d539, #6819)
• input: don't perform HTML5 validation on updated model-value (b2363e31, #6796, #6806)
• ngClass: handle ngClassOdd/Even affecting the same classes (55fe6d63, #5271)

Features

• $http: add xhr statusText to completeRequest callback (32c09c1d, #2335, #2665, #6713)

v1.2.15 beer-underestimating (2014-03-21)

Bug Fixes

• $$RAFProvider: check for webkitCancelRequestAnimationFrame (e84da228, #6526)
• $$rAF: always fallback to a $timeout incase native rAF isn't supported (ee8e4a94, #6654)
• $compile: support templates with thead and tfoot root elements (ca0ac649, #6289)
• $http:
  • allow sending Blob data using $http (fbb125a3, #5012)
  • don't covert 0 status codes to 404 for non-file protocols (f108a2a9, #6074, #6155)
• $rootScope:
  • ng-repeat can't handle NaN values. #4605 (e48c28fe, #4605)
  • $watchCollection should call listener with oldValue (3dd95727, #2621, #5661, #5688, #6736)
• angular.bootstrap: only allow angular to load once (0d60f8d3, #5863, #5587)
• jqLite: traverse host property for DocumentFragment in inheritedData() (98d825e1, #6637)
• ngAnimate: setting classNameFilter disables animation inside ng-if (a41a2a1d, #6539)
• ngCookie: convert non-string values to string (93d1c95c, #6151, #6220)
• ngTouch: update workaround for desktop Webkit quirk (01a34f51, #6302)
• orderBy: support string predicates containing non-ident characters (10d3e1e4, #6143, #6144)
• select: avoid checking option element selected properties in render (dc149de9, #2448, #5994, #6769)

1.2.14 feisty-cryokinesis (2014-03-01)

Bug Fixes

• $animate:
  • delegate down to addClass/removeClass if setClass is not found (18c41af0, #6463)
  • ensure all comment nodes are removed during a leave animation (f4f1f43d, #6403)
  • only block keyframes if a stagger is set to occur (e71e7b6c, #4225)
  • ensure that animateable directives cancel expired leave animations (e9881991, #5886)
  • ensure all animated elements are taken care of during the closing timeout (99720fb5, #6395)
  • fix for TypeError Cannot call method 'querySelectorAll' in cancelChildAnimations (c914cd99, #6205)
• $http:
  • do not add trailing question (c8e03e34, #6342)
  • send GET requests by default (267b2173, #5985, #6401)
• $parse: reduce false-positives in isElement tests (5fe1f39f, #4805, #5675)
• input: use ValidityState to determine validity (c2d447e3, #4293, #2144, #4857, #5120, #4945, #5500, #5944)
• isElement: reduce false-positives in isElement tests (75515852)
• jqLite:
  • properly toggle multiple classes (4e73c80b, #4467, #6448)
  • make jqLite('