| Age | Commit message (Collapse) | Author |
|---|
|
|
|
When a parsed function call returns a promise, the evaluated value
is the resolved value of the promise rather than the promise object.
Closes #3503
|
|
|
|
This fixes an inconsistency where you can't call the setter function
when the expression resolves to a top level field name on a promise.
Setting a field on an unresolved promise will throw an exception. (This
shouldn't really happen in your template/js code and points to a
programming error.)
Closes #1827
|
|
|
|
Enhances sandboxing of Angular Expressions to prevent attacks via:
{}.toString.constructor(alert("evil JS code"))
|
|
|
|
|
|
- add toThrowNg matcher
|
|
Add '?' token to lexer, add ternary rule to parser at
(hopefully) proper precedence and associativity (based
on https://developer.mozilla.org/en-US/docs/JavaScript/Reference/Operators/Operator_Precedence).
Since (exp1 && exp2 || exp3) is supported by the parser,
and (exp1 ? exp2 : exp3) works the same way, it seems
reasonable to add this minor form of control to templates
(see #719).
|
|
|
|
Fix a context duplication and invocation to a previous context when
doing an access modifier function on the result of a function
Currently, when doing `foo().bar()`, `foo` is called twice, the first
time to get the context and the second one for `bar` to get the
underlying object. Then the call to `bar` is called using the second
instance as self
This is equivalent to doing:
```
var instance1 = foo();
var instance2 = foo();
instance2.bar.apply(instance1);
```
Closes #2496
|
|
|
|
* `literal` is set to true if the expression's top-level is a JavaScript
literal (number, string, boolean, null/undefined, array, object), even
if it contains non-literals inside.
* `constant` is set to true if the expression is known to be made
entirely of constant values, i.e., evaluating it will always yield the
same result.
A consequence is that a JSON expression is guaranteed to be both literal
and constant.
|
|
|
|
Allows the parser to parse strict equality and inequality
in angular expressions.
Closes #908
|
|
Closes #988
|
|
we now have two types of namespaces:
- true namespace: angular.* - used for all global apis
- virtual namespace: ng.*, ngMock.*, ... - used for all DI modules
the virual namespaces have services under the second namespace level (e.g. ng.)
and filters and directives prefixed with filter: and directive: respectively
(e.g. ng.filter:orderBy, ng.directive:ngRepeat)
this simplifies urls and makes them a lot shorter while still avoiding name collisions
|
|
|
|
|
|
e.g. zero, false, empty string
- fix tests to be executed with csp true
- fix cps (when more than 5 parts)
|
|
CSP (content security policy) forbids apps to use eval or
Function(string) generated functions (among other things). For us to be
compatible, we just need to implement the "getterFn" in $parse without
violating any of these restrictions.
We currently use Function(string) generated functions as a speed
optimization. With this change, it will be possible to opt into the CSP
compatible mode using the ngCsp directive. When this mode is on Angular
will evaluate all expressions up to 30% slower than in non-CSP mode, but
no security violations will be raised.
In order to use this feature put ngCsp directive on the root element of
the application. For example:
<!doctype html>
<html ng-app ng-csp>
...
...
</html>
Closes #893
|
|
|
|
This breaks IE7 for which you can use polyfill:
https://github.com/douglascrockford/JSON-js
<!--[if lt IE 8]>
<script src="json2.min.js"></script>
<![endif]-->
or
http://bestiejs.github.com/json3/
<!--[if lt IE 8]>
<script src="json3.min.js"></script>
<![endif]-->
|
|
|
