The following CVEs has been mitigated. In order those mitigations are working, there are POC examples to reproduce the problems in /cve of this repository.
To reproduce the attack, change the according index.html to point to the angular.js (1.8.3) version in node_modules (npm install first).
To test the mitigation build this repo (yarn grunt package (node 12.22.12)) and change the according index.html to point to /build/angular.js.
In order to reproduce the problem see /cve/CVE-2024-8372/ (run with angular from node_modules).
Some specially-crafted ngSrcset, ngAttrSrcset and ngPropSrcset values to bypass the image source sanitization restrictions and show images that should be blocked. This is mitigated by blocking any comma seperated multi srcset urls (all urls containing (,)), that do not start with (data:).
In order to reproduce the problem see /cve/CVE-2024-8373/ (run with angular from node_modules).
Setting a
In order to reproduce the problem see /cve/CVE-2024-21490/ (run with angular from node_modules).
This was mitigated by checking the length (max 10000 characters) of the RegExp pattern when one is found in sanitizeSrcset. An error is thrown if there are to many characters. See /src/ng/compile.js#2099.
In order to reproduce the problem see /cve/CVE-2022-25844/ (run with angular from node_modules).
This was mitigated by https://github.com/continu/angular.js by doing a manual replacement of the positive quantifiers. See https://github.com/angular/angular.js/compare/master...continu:angular.js:master in /src/ng/filter/filters.
In order to reproduce the problem see /cve/CVE-2023-26116/ (run with angular from node_modules).
This was mitigated by checking the length (max 10000 characters) of the RegExp pattern when one is found in angular.copy. An error is thrown if there are to many characters. See /src/Angular.js#1004.
In order to reproduce the problem see /cve/CVE-2023-26117/ (run with angular from node_modules).
This was mitigated by checking the length (max 10000 characters) of the url in setUrlParams. An error is thrown if there are to many characters. See /src/ngResource/resource.js#612.
In order to reproduce the problem see /cve/CVE-2023-26118/ (run with angular from node_modules).
This was mitigated by checking the length (max 10000 characters) of the url in the input. The url is invalid if there are to many characters. See /src/ng/directive/input.js#1945.
=========
AngularJS lets you write client-side web applications as if you had a smarter browser. It lets you use good old HTML (or HAML, Jade/Pug and friends!) as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. It automatically synchronizes data from your UI (view) with your JavaScript objects (model) through 2-way data binding. To help you structure your application better and make it easy to test, AngularJS teaches the browser how to do dependency injection and inversion of control.
It also helps with server-side communication, taming async callbacks with promises and deferred objects, and it makes client-side navigation and deep linking with hashbang urls or HTML5 pushState a piece of cake. Best of all? It makes development fun!
AngularJS support has officially ended as of January 2022. See what ending support means and read the end of life announcement.
Visit angular.io for the actively supported Angular.
- Web site: https://angularjs.org
- Tutorial: https://docs.angularjs.org/tutorial
- API Docs: https://docs.angularjs.org/api
- Developer Guide: https://docs.angularjs.org/guide
- Contribution guidelines: CONTRIBUTING.md
- Core Development: DEVELOPERS.md
- Dashboard: https://dashboard.angularjs.org
Go to https://docs.angularjs.org
We've set up a separate document for our contribution guidelines.
We've set up a separate document for developers.
AngularJS is the next generation framework where each component is designed to work with every other component in an interconnected way like a well-oiled machine. AngularJS is JavaScript MVC made easy and done right. (Well it is not really MVC, read on, to understand what this means.)
MVC, short for Model-View-Controller, is a design pattern, i.e. how the code should be organized and how the different parts of an application separated for proper readability and debugging. Model is the data and the database. View is the user interface and what the user sees. Controller is the main link between Model and View. These are the three pillars of major programming frameworks present on the market today. On the other hand AngularJS works on MV*, short for Model-View-Whatever. The Whatever is AngularJS's way of telling that you may create any kind of linking between the Model and the View here.
Unlike other frameworks in any programming language, where MVC, the three separate components, each one has to be written and then connected by the programmer, AngularJS helps the programmer by asking him/her to just create these and everything else will be taken care of by AngularJS.
AngularJS uses HTML to define the user's interface. AngularJS also enables the programmer to write new HTML tags (AngularJS Directives) and increase the readability and understandability of the HTML code. Directives are AngularJS’s way of bringing additional functionality to HTML. Directives achieve this by enabling us to invent our own HTML elements. This also helps in making the code DRY (Don't Repeat Yourself), which means once created, a new directive can be used anywhere within the application.
HTML is also used to determine the wiring of the app. Special attributes in the HTML determine where to load the app, which components or controllers to use for each element, etc. We specify "what" gets loaded, but not "how". This declarative approach greatly simplifies app development in a sort of WYSIWYG way. Rather than spending time on how the program flows and orchestrating the various moving parts, we simply define what we want and AngularJS will take care of the dependencies.
Data and Data Models in AngularJS are plain JavaScript objects and one can add and change properties directly on it and loop over objects and arrays at will.
One of AngularJS's strongest features. Two-way Data Binding means that if something changes in the
Model, the change gets reflected in the View instantaneously, and the same happens the other way
around. This is also referred to as Reactive Programming, i.e. suppose a = b + c
is being
programmed and after this, if the value of b
and/or c
is changed then the value of a
will be
automatically updated to reflect the change. AngularJS uses its "scopes" as a glue between the Model
and View and makes these updates in one available for the other.
Everything in AngularJS is created to enable the programmer to end up writing less code that is easily maintainable and readable by any other new person on the team. Believe it or not, one can write a complete working two-way data binded application in less than 10 lines of code. Try and see for yourself!
AngularJS has Dependency Injection, i.e. it takes care of providing all the necessary dependencies to its controllers and services whenever required. This helps in making the AngularJS code ready for unit testing by making use of mock dependencies created and injected. This makes AngularJS more modular and easily testable thus in turn helping a team create more robust applications.