| Age | Commit message (Collapse) | Author |
|---|
|
Ref: 1adf29af13890d61286840177607edd552a9df97
BREAKING CHANGE: img[src] URLs are now sanitized via a separate
whitelist regex instead of sharing the whitelist regex with a[href].
With this change, img[src] URLs may also be data: URI's matching
mime types image/*. mailto: URLs are disallowed (and do not make
sense for img[src] but were allowed under the a[href] whitelist used
before.)
|
|
This reverts commit 15e1a29cd08993b599f390e83a249ec17f753972.
The original commit was fixing two issues - one of them was
preventing attributes that triggered directives that replaced
the compiled node to be merged into the new node.
This change was a breaking change (as seen in the diff of the
tests in this commit) and that's why it's being removed.
A proper fix will follow.
|
|
img[src]="https://foo" has the unfortunate problem that the browser will
actually try retrieving the resource the non FQDN foo. The local DNS
might suffix a domain to this, resolve it, and try to present a
certificate for the https request and prompt the user to pick a
certificate. This commit avoids that by making foo a FQDN. Note that it
might be better to replace foo with example.com (ref
http://tools.ietf.org/html/rfc2606#section-3).
|
|
Closes# 2155
|
|
BREAKING CHANGE: Interpolations inside DOM event handlers are
disallowed. DOM event handlers execute arbitrary Javascript code.
Using an interpolation for such handlers means that the interpolated
value is a JS string that is evaluated. Storing or generating such
strings is error prone and likely leads to an XSS if you're not
super careful. On the other hand, ng-click and such event handlers
evaluate Angular expressions that are a lot safer (e.g. No direct
access to global objects - only scope), cleaner and harder to
exploit.
To migrate the code follow the example below:
Before:
JS: scope.foo = 'alert(1)';
HTML: <div onclick="{{foo}}">
After:
JS: scope.foo = function() { alert(1); }
HTML: <div ng-click="foo()">
|
|
Ref: 9532234bf1c408af9a6fd2c4743fdb585b920531
BREAKING CHANGE: img[src] URLs are now sanitized using the same whitelist
as a[href] URLs. The most obvious impact is if you were using data:
URIs. data: URIs will be whitelisted for img[src] in a future
commit.
|
|
|
|
|
|
By appending directive-start and directive-end to a
directive it is now possible to have the directive
act on a group of elements.
It is now possible to iterate over multiple elements like so:
<table>
<tr ng-repeat-start="item in list">I get repeated</tr>
<tr ng-repeat-end>I also get repeated</tr>
</table>
|
|
- add toThrowNg matcher
|
|
The fail() function in Jasmine expects an Error object parameter.
Also, there is no global alias for fail() so it must be accessed using
`this.fail(new Error())`.
|
|
A directive can now set/update/remove attribute values even those containing
interpolation during the compile phase and have the new value be picked up
during the compilation.
For example in template:
<div replace-directive some-attr-or-directive="{{originalInterpolationValue}}"></div>
the replace-directive can now replace the value of some-attr-or-directive during compilation
which produces this intermitent template:
<div replace-directive some-attr-or-directive="{{replacedInterpolationValue}}"></div>
or even
<div replace-directive some-attr-or-directive="replacedStaticValue"></div>
as well as
<div replace-directive some-attr-or-directive></div>
|
|
`template` and `templateUrl` properties can now be optionally defined
via a function. This allows templates to be dynamically generated on
the fly.
|
|
Sometimes is not desirable to use interpolation on attributes because
the user agent parses them before the interpolation takes place. I.e:
<svg>
<circle cx="{{cx}}" cy="{{cy}}" r="{{r}}"></circle>
</svg>
The snippet throws three browser errors, one for each attribute.
For some attributes, AngularJS fixes that behaviour introducing special
directives like ng-href or ng-src.
This commit is a more general solution that allows prefixing any
attribute with "ng-attr-", "ng:attr:" or "ng_attr_" so it will
be set only when the binding is done. The prefix is then removed.
Example usage:
<svg>
<circle ng-attr-cx="{{cx}}" ng-attr-cy="{{cy}}" ng:attr-r="{{r}}"></circle>
</svg>
Closes #1050
Closes #1925
|
|
Passing DOMNode#childNodes to compileNodes when compiling remote
template, so that directives with replace:true can be compiled.
The previous version used jqLite#contents which returned collection
that was not updated during the compilation.
Closes #1859
|
|
I had to also fix some tests as they started failing on IE8.
We should figure out why these extra attributes are set in IE8,
but I'm too tired of IE to worry about it now. Since I'm
not introducing this issue just making it visible, I'm going
to commit this as is.
|
|
If you bind using '=' to a non-existant parent property, the compiler
will throw a NON_ASSIGNABLE_MODEL_EXPRESSION exception, which is right
because the model doesn't exist.
This enhancement allow to specify that a binding is optional so it
won't complain if the parent property is not defined. In order to mantain
backward compability, the new behaviour must be specified using '=?' instead
of '='. The local property will be undefined is these cases.
Closes #909
Closes #1435
|
|
|
|
see the test for more details
|
|
|
|
The change to prevent <span> elements being wrapped around empty text nodes caused these empty text nodes to have scopes and controllers attached, through jqLite.data() calls, which led to memory leaks and errors in IE8.
Now we exclude all but document nodes and elements from having jqLite.data() set both in the compiler and in ng-view.
Fixes: #1968 and #1876
|
|
|
|
Do a one-off interpolation of @ locals to ensure that the link fn receives attributes that are already interpolated.
|
|
Directives was observing different instances of Attributes than the one
that interpolation was registered with because we failed to realize
that the compile node and link node were the same (one of them
was a wrapper rather than raw node)
Closes #1941
|
|
test($compile): add test for exposing transclude and isolate scope info to batarang
|
|
Closes #1059
|
|
Closes #1740
|
|
Support modifying the DOM structure in the post link function of a directive
by creating a defensive copy of the node list, as opposed to a live DOM list.
This is useful for directives to actually replace their entire DOM fragment,
e.g. with the HTML fragment generated by a 3rd party component (Closure, Bootstrap ...).
Fix the indentation of the compileNodes function (was one too little).
|
|
This fixes the issue that caused two attr interpolation observers
to be registered for the same attribute as a result of isolate
scope definition with attr (@) property for this attribute.
Duplicate observers would then fight with each other updating the
model.
The issue occured only when this directive was used in a repeater
because that's when we clone the template node which caused the
two observers to point to two different sets of $attr instances.
Closes #1166, #836
|
|
This was really corner case:
Watcher needs to return changed value, to notify that model might have changed and one more $digest cycle needs to be performed.
The watcher, that takes care of reference binding into an isolate scope ("="), did not return changed value, if the change was from the isolate scope to the parent.
If any other watcher returned change, it worked fine, as this change caused re-digest.
Closes #1272
|
|
Since developers are allowed to customize start/end interpolation
strings, but third-party directive creators don't know about these
customizations, we should standardize on {{ }} in templates of
reusable (third-party) directives. During the compilation, these
templates are then denormalized to use whatever the custom
start/end symbol is, effectively translating the template into the
syntax of the runtime environment.
This addresses an issue raised at http://goo.gl/e8VPV
Existing code should not be affected by this change since project
that do use custom interpolation markers are not expected to use
{{ }} in existing directive templates.
|
|
|
|
Merging of interpolated class attribute from directive template with replace:true works
Closes #1006
|
|
Changed the isolate scope binding options to:
- @attr - attribute binding (including interpolation)
- =model - by-directional model binding
- &expr - expression execution binding
This change simplifies the terminology as well as
number of choices available to the developer. It
also supports local name aliasing from the parent.
BREAKING CHANGE: isolate scope bindings definition has changed and
the inject option for the directive controller injection was removed.
To migrate the code follow the example below:
Before:
scope: {
myAttr: 'attribute',
myBind: 'bind',
myExpression: 'expression',
myEval: 'evaluate',
myAccessor: 'accessor'
}
After:
scope: {
myAttr: '@',
myBind: '@',
myExpression: '&',
// myEval - usually not useful, but in cases where the expression is assignable, you can use '='
myAccessor: '=' // in directive's template change myAccessor() to myAccessor
}
The removed `inject` wasn't generaly useful for directives so there should be no code using it.
|
|
some browsers (IE) always provide the nodeName as upper-case
|
|
attr.$observe used to call function only if there was interpolation
on that attribute. We now call the observation function all the time
but we only save the reference to it if interpolation is present.
|
|
|
|
|
|
Also add the same error checking for sync templates.
Closes #910
|
|
|
|
replace=true
We forgot to reattach the scope to the replacement element. This affected only
directives that had templateUrl and replace:true properties.
Reported on the mailing list:
https://groups.google.com/forum/?fromgroups#!topic/angular/zwjLr1msS2Y
http://jsfiddle.net/lukebayes/g9Sh9/
|
|
This stuff was never documented and is an accidental leftover from the time
when the compiler was rewritten.
If any code depends on this, it should be rewritten to use ngTransclude directive
intead.
|
|
Closes #876
|
|
|
