
Security hardening fixes #33377

Open
crisbeto wants to merge 8 commits into angular:main from crisbeto:more-security

Conversation

@crisbeto (Member)

Includes some fixes for potential security issues. See the individual commits for context.

crisbeto added 8 commits June 11, 2026 09:33
Adds some logic to avoid accidental HTML injection through the Markdown renderer.
Avoids command injection in the API golden script by using `exec` instead of interpolating the entire command.
Reworks the package archive script to avoid command injection by going through `exec` instead of constructing the command using string concatenation.
Makes the check whether an input is a modifier more robust against prototype pollution.
The media matcher needs to create a dummy stylesheet to work around some browser quirks. These changes ensure we don't accidentally inject malicious CSS into the page.
The `animationDuration` input is a potential CSS injection attack vector, because we pass the value directly along to the `animation-duration` binding. These changes mitigate the risk by validating the incoming value.
We were dropping the `colspan` validation error in production mode, which meant that it could go into an infinite loop.
Previously we were relying on the animation name to ensure that we only capture the correct animation. These changes harden it by also checking the event's `target`.
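Two of the patterns the commit messages above describe, the prototype-pollution-safe modifier check and the validation of a user-supplied `animationDuration` before it reaches a CSS binding, written out as an added standalone example. This is not code from the angular/components PR; the modifier names, the helper names and the accepted `<time>` syntax are assumptions for illustration only.

```typescript
// Added example, not code from the angular/components PR. Names and the
// accepted value syntax are assumptions, not the project's own.

// --- 1. "Is this input a modifier?" without trusting the prototype chain --

// Hypothetical modifier table; the real component's modifier names are not
// on the page.
const MODIFIERS: Record<string, boolean> = {small: true, large: true};

// Naive check: the `in` operator walks the prototype chain, so any inherited
// name ("toString", "constructor", or anything that ends up on
// Object.prototype through prototype pollution) is reported as a modifier.
function naiveIsModifier(name: string): boolean {
  return name in MODIFIERS;
}

// Hardened check: a Set only answers for the values it was given, so neither
// built-in Object.prototype members nor polluted ones can match.
const SAFE_MODIFIERS = new Set<string>(['small', 'large']);

function isModifier(name: string): boolean {
  return SAFE_MODIFIERS.has(name);
}

// --- 2. Validating an animation duration before it reaches a style binding

// Accepts a number (treated as milliseconds) or a string holding a single
// CSS <time> value such as "500ms", "2s" or ".25s". Anything else, including
// strings that try to carry extra declarations, is rejected with null so the
// caller can fall back to a default instead of binding the raw value.
const CSS_TIME = /^\s*(\d+(\.\d+)?|\.\d+)(ms|s)\s*$/i;

function normalizeAnimationDuration(value: number | string): string | null {
  if (typeof value === 'number') {
    return Number.isFinite(value) && value >= 0 ? `${value}ms` : null;
  }
  const match = CSS_TIME.exec(value);
  if (!match) {
    return null;
  }
  const [, amount, , unit] = match;
  return `${amount}${String(unit).toLowerCase()}`;
}
```

The first helper shows why the naive check is the problem rather than the pollution itself: `naiveIsModifier('toString')` is already true on a clean runtime, so a lookup that only reports own entries removes the whole class of bug. The second helper normalises to a canonical string so that the value the template binds is always something the validator produced, never the caller's input.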
@crisbeto crisbeto requested a review from ok7sai June 11, 2026 07:43
@crisbeto crisbeto added target: patch This PR is targeted for the next patch release merge: preserve commits When the PR is merged, a rebase and merge should be performed labels Jun 11, 2026
@pullapprove pullapprove Bot requested a review from josephperrott June 11, 2026 07:43

Labels

area: build & ci (Related to the build and CI infrastructure of the project)
area: cdk/layout
area: material/bottom-sheet
area: material/grid-list
area: material/stepper
merge: preserve commits (When the PR is merged, a rebase and merge should be performed)
target: patch (This PR is targeted for the next patch release)


2 participants