angular.js/docs/content/error, branch v1.2.0 feat($parse): secure expressions by hiding "private" properties 2013-10-31T00:01:51+00:00 Chirayu Krishnappa 2013-10-18T02:44:36+00:00 3d6a89e8888b14ae5cb5640464e12b7811853c7e BREAKING CHANGE: This commit introduces the notion of "private" properties (properties whose names begin and/or end with an underscore) on the scope chain. These properties will not be available to Angular expressions (i.e. {{ }} interpolation in templates and strings passed to `$parse`) They are freely available to JavaScript code (as before). Motivation ---------- Angular expressions execute in a limited context.  They do not have direct access to the global scope, Window, Document or the Function constructor.  However, they have direct access to names/properties on the scope chain.  It has been a long standing best practice to keep sensitive APIs outside of the scope chain (in a closure or your controller.)  That's easier said that done for two reasons: (1) JavaScript does not have a notion of private properties so if you need someone on the scope chain for JavaScript use, you also expose it to Angular expressions, and (2) the new "controller as" syntax that's now in increased usage exposes the entire controller on the scope chain greatly increaing the exposed surface.  Though Angular expressions are written and controlled by the developer, they (1) typically deal with user input and (2) don't get the kind of test coverage that JavaScript code would.  This commit provides a way, via a naming convention, to allow publishing/restricting properties from controllers/scopes to Angular expressions enabling one to only expose those properties that are actually needed by the expressions. 
BREAKING CHANGE:
This commit introduces the notion of "private" properties (properties
whose names begin and/or end with an underscore) on the scope chain.
These properties will not be available to Angular expressions (i.e. {{
}} interpolation in templates and strings passed to `$parse`)  They are
freely available to JavaScript code (as before).

Motivation
----------
Angular expressions execute in a limited context.  They do not have
direct access to the global scope, Window, Document or the Function
constructor.  However, they have direct access to names/properties on
the scope chain.  It has been a long standing best practice to keep
sensitive APIs outside of the scope chain (in a closure or your
controller.)  That's easier said that done for two reasons: (1)
JavaScript does not have a notion of private properties so if you need
someone on the scope chain for JavaScript use, you also expose it to
Angular expressions, and (2) the new "controller as" syntax that's now
in increased usage exposes the entire controller on the scope chain
greatly increaing the exposed surface.  Though Angular expressions are
written and controlled by the developer, they (1) typically deal with
user input and (2) don't get the kind of test coverage that JavaScript
code would.  This commit provides a way, via a naming convention, to
allow publishing/restricting properties from controllers/scopes to
Angular expressions enabling one to only expose those properties that
are actually needed by the expressions.
docs(error/compile/tplrt): split long lines 2013-10-26T19:14:08+00:00 Pete Bacon Darwin 2013-10-26T19:13:27+00:00 0bbb9e6258bd60a2676a475acc92b13b2c3425dc 






docs(error/compile/tplrt): clarify and grammar
2013-10-26T19:14:08+00:00

gdennie

2013-10-19T13:02:33+00:00

81d5bc860dde93be0f6be3193c23458a2ae9ff5c

Closes #4503





Closes #4503







Clarification stemming from my own issues
2013-10-26T19:09:09+00:00

gdennie

2013-10-18T00:06:48+00:00

9f2c8e935a28fce0e898a2739c389e3f8cbc08a5

It is instructive to give literal examples that reflect common (my) experience of the problem. :)





It is instructive to give literal examples that reflect common (my) experience of the problem. :)







docs(error/multidir): improve the sentence fluency
2013-10-24T21:21:27+00:00

CloudDueling.com

2013-10-16T01:06:00+00:00

db9c6a3528e3307b1e320fd15b1341eb9b39e1b7

Closes #4449





Closes #4449







docs(modulerr): fix typo
2013-10-24T19:51:32+00:00

G.H. Naylor

2013-10-15T00:29:42+00:00

d3930fdfd9e8ef6a53432eafbcbf88f592e5d406

Closes #4418





Closes #4418







docs(guide/directive,guide/compiler,): drastically improve
2013-10-23T21:17:27+00:00

Brian Ford

2013-10-23T21:04:47+00:00

e69c2872939cda30f13a1a8390bbc61662c12d9a












docs: correct broken links
2013-10-18T22:35:41+00:00

Vojta Jina

2013-10-18T02:25:08+00:00

14438058da39c3e523f420549074934ca5881b09

This also contains some whitespace corrections by my editor.





This also contains some whitespace corrections by my editor.







docs($rootScope): better document infinite digest and ttl
2013-10-15T18:28:47+00:00

Igor Minar

2013-10-15T18:28:47+00:00

dba566a96d3c660e12249dcb6445dad19854da97












fix(*): protect calls to hasOwnProperty in public API
2013-10-07T16:01:13+00:00

Peter Bacon Darwin

2013-10-05T09:49:09+00:00

7a586e5c19f3d1ecc3fefef084ce992072ee7f60

Objects received from outside AngularJS may have had their `hasOwnProperty`
method overridden with something else. In cases where we can do this without
incurring a performance penalty we call directly on Object.prototype.hasOwnProperty
to ensure that we use the correct method.

Also, we have some internal hash objects, where the keys for the map are provided
from outside AngularJS. In such cases we either prevent `hasOwnProperty` from
being used as a key or provide some other way of preventing our objects from
having their `hasOwnProperty` overridden.

BREAKING CHANGE: Inputs with name equal to "hasOwnProperty" are not allowed inside
form or ngForm directives.

Before, inputs whose name was "hasOwnProperty" were quietly ignored and not added
to the scope.  Now a badname exception is thrown.

Using "hasOwnProperty" for an input name would be very unusual and bad practice.
Either do not include such an input in a `form` or `ngForm` directive or change
the name of the input.

Closes #3331




Objects received from outside AngularJS may have had their `hasOwnProperty`
method overridden with something else. In cases where we can do this without
incurring a performance penalty we call directly on Object.prototype.hasOwnProperty
to ensure that we use the correct method.

Also, we have some internal hash objects, where the keys for the map are provided
from outside AngularJS. In such cases we either prevent `hasOwnProperty` from
being used as a key or provide some other way of preventing our objects from
having their `hasOwnProperty` overridden.

BREAKING CHANGE: Inputs with name equal to "hasOwnProperty" are not allowed inside
form or ngForm directives.

Before, inputs whose name was "hasOwnProperty" were quietly ignored and not added
to the scope.  Now a badname exception is thrown.

Using "hasOwnProperty" for an input name would be very unusual and bad practice.
Either do not include such an input in a `form` or `ngForm` directive or change
the name of the input.

Closes #3331