Skip to content

fix(cdk/private): guard createPolicy against DOM clobbering#33410

Merged
crisbeto merged 1 commit into
angular:mainfrom
arturovt:fix/multiple_vulners
Jul 8, 2026
Merged

fix(cdk/private): guard createPolicy against DOM clobbering#33410
crisbeto merged 1 commit into
angular:mainfrom
arturovt:fix/multiple_vulners

Conversation

@arturovt

@arturovt arturovt commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Wraps trustedTypes.createPolicy in a try/catch to handle two failure
cases: the policy name already being registered (e.g. in a micro-frontend
setup), and window.trustedTypes being DOM-clobbered by an HTML element
before Angular bootstraps. In both cases the policy falls back to null,
and trustedHTMLFromString continues to work via plain strings while
sanitization in _setInnerHtml still runs.

@pullapprove pullapprove Bot requested a review from devversion June 17, 2026 10:13
Comment thread src/cdk/private/trusted-types.ts Outdated
Comment thread src/cdk/overlay/position/flexible-connected-position-strategy.ts
Comment thread src/cdk/drag-drop/dom/styling.ts Outdated
@arturovt arturovt force-pushed the fix/multiple_vulners branch from 39d7c2c to 383bb1a Compare June 17, 2026 17:27
@arturovt arturovt changed the title fix(multiple): harden extendStyles and trusted-types against prototype pollution and DOM clobbering fix(cdk/private): guard createPolicy against DOM clobbering Jun 17, 2026
Comment thread src/cdk/private/trusted-types.ts Outdated
policy = ttWindow.trustedTypes.createPolicy('angular#components', {
createHTML: (s: string) => s,
});
} catch {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should console.error here so we know it's failing?

Wraps trustedTypes.createPolicy in a try/catch to handle two failure
cases: the policy name already being registered (e.g. in a micro-frontend
setup), and window.trustedTypes being DOM-clobbered by an HTML element
before Angular bootstraps. In both cases the policy falls back to null,
and trustedHTMLFromString continues to work via plain strings while
sanitization in _setInnerHtml still runs.
@arturovt arturovt force-pushed the fix/multiple_vulners branch from 383bb1a to 8e592ed Compare June 18, 2026 20:03
@arturovt arturovt requested a review from crisbeto June 18, 2026 20:03
@crisbeto crisbeto added action: merge The PR is ready for merge by the caretaker target: patch This PR is targeted for the next patch release labels Jul 8, 2026
@crisbeto crisbeto merged commit c069cab into angular:main Jul 8, 2026
31 of 34 checks passed
@crisbeto

crisbeto commented Jul 8, 2026

Copy link
Copy Markdown
Member

This PR was merged into the repository. The changes were merged into the following branches:

crisbeto pushed a commit that referenced this pull request Jul 8, 2026
Wraps trustedTypes.createPolicy in a try/catch to handle two failure
cases: the policy name already being registered (e.g. in a micro-frontend
setup), and window.trustedTypes being DOM-clobbered by an HTML element
before Angular bootstraps. In both cases the policy falls back to null,
and trustedHTMLFromString continues to work via plain strings while
sanitization in _setInnerHtml still runs.

(cherry picked from commit c069cab)
@arturovt arturovt deleted the fix/multiple_vulners branch July 8, 2026 13:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

action: merge The PR is ready for merge by the caretaker target: patch This PR is targeted for the next patch release

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants