Skip to content

Comments

fix(core): block creation of sensitive URI attributes from ICU messages#67252

Open
dgp1130 wants to merge 1 commit intoangular:19.2.xfrom
dgp1130:sanitize-i18n-v19
Open

fix(core): block creation of sensitive URI attributes from ICU messages#67252
dgp1130 wants to merge 1 commit intoangular:19.2.xfrom
dgp1130:sanitize-i18n-v19

Conversation

@dgp1130
Copy link
Contributor

@dgp1130 dgp1130 commented Feb 24, 2026

Translators are not allowed to write HTML which creates URI attributes. I opted to ban any values going into an attribute at all, to prevent even links to malicious content, rather than just sanitizing URIs.

I also converted this blocklist into an allowlist. Now, we only allowing setting known attributes (while sanitizing URI attributes). This significantly reduces risk of missing a vulnerable attribute and does not require an exhaustive list of all potential attributes.

BREAKING CHANGE: Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

(cherry picked from commit 03da204)

@dgp1130
fix(core): block creation of sensitive URI attributes from ICU messages
3ec07e9 
Translators are not allowed to write HTML which creates URI attributes. I opted to ban any values going into an attribute at all, to prevent even links to malicious content, rather than just sanitizing URIs.

I also converted this blocklist into an allowlist. Now, we only allowing setting known attributes (while sanitizing URI attributes). This significantly reduces risk of missing a vulnerable attribute and does not require an exhaustive list of all potential attributes.

BREAKING CHANGE: Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

(cherry picked from commit 03da204)
@dgp1130 dgp1130 requested a review from alan-agius4 February 24, 2026 17:48
@dgp1130 dgp1130 added action: review The PR is still awaiting reviews from at least one requested reviewer target: lts This PR is targeting a version currently in long-term support labels Feb 24, 2026
@pullapprove pullapprove bot requested a review from AndrewKushnir February 24, 2026 17:48
@angular-robot angular-robot bot added detected: breaking change PR contains a commit with a breaking change area: core Issues related to the framework runtime labels Feb 24, 2026
@ngbot ngbot bot added this to the Backlog milestone Feb 24, 2026
alan-agius4
alan-agius4 approved these changes Feb 24, 2026
View reviewed changes
Copy link
Contributor

@alan-agius4 alan-agius4 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alan-agius4 alan-agius4 alan-agius4 approved these changes

@AndrewKushnir AndrewKushnir AndrewKushnir approved these changes

Assignees

No one assigned

Labels

action: review The PR is still awaiting reviews from at least one requested reviewer area: core Issues related to the framework runtime detected: breaking change PR contains a commit with a breaking change target: lts This PR is targeting a version currently in long-term support

Projects

None yet

Milestone

Backlog

Development

Successfully merging this pull request may close these issues.

3 participants

@dgp1130 @alan-agius4 @AndrewKushnir