fix(compiler): disallow i18n event attributes #68821
Open
Hexix23 wants to merge 1 commit into
Conversation
alan-agius4
approved these changes
May 20, 2026
Contributor
alan-agius4
left a comment
LGTM
Reviewed-for: fw-security
f980879 to ca6e783
alan-agius4
requested changes
May 20, 2026
Contributor
alan-agius4
left a comment
Avoiding DOM schema validation here; a simple check for the on prefix is sufficient
Reject translated event-handler attributes so localization cannot bypass Angular event-attribute validation.
ca6e783 to d366587
Hexix23
commented
May 20, 2026
Author
Hexix23
left a comment
Thanks Alan, updated to avoid DOM schema validation here and keep the direct on prefix check in the i18n metadata gate.
alan-agius4
approved these changes
May 20, 2026
Contributor
alan-agius4
left a comment
LGTM
Reviewed-for: fw-security
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Angular disallows binding to event-handler attributes such as onclick and onerror through validateAttribute()/validateProperty(), but the i18n metadata path still allowed the same attribute names to be marked for translation with i18n-on*. This creates an XSS sink in the i18n pipeline: a lower-trust translation file could replace a benign static handler such as onerror="void 0" with executable JavaScript in the localized build.
Affected versions / verification
I reproduced the vulnerable behavior in localized AOT builds against:
21.2.11
21.2.13
22.0.0-rc.0
The #68591 hardening correctly covers schema-driven i18n security contexts such as URL, ResourceURL, iframe policy attributes, and SVG animation attributes. This event-handler case remained separate because on* attributes are rejected by Angular's event-attribute validation path rather than by SECURITY_SCHEMA.
What is the new behavior?
i18n-on* attributes are rejected during i18n metadata collection with the same security error shape used for other disallowed translated attributes. This prevents translated static attributes from bypassing Angular's event-attribute validation invariant.
The implementation intentionally performs the event-attribute check directly in the i18n metadata gate, alongside the existing Trusted Types sink check, so this path rejects translated executable event handlers before they are collected as translatable attribute metadata.
Does this PR introduce a breaking change?
Applications that intentionally translate static event-handler attributes such as i18n-onerror will now fail compilation. This is intentional because translated event-handler attributes are executable JavaScript sinks.
Other information
The change is intentionally limited to translated event-handler attributes. Normal non-security-sensitive translated attributes continue to work, and the existing schema-driven i18n sanitizer/validator paths continue to handle URL, ResourceURL, iframe policy, and SVG animation attributes.
Fix validation run locally:
bazelisk test //packages/core/test:test
bazelisk test //packages/compiler/test:test
pnpm ng-dev commit-message validate-range
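The metadata gate this PR describes, sketched as an added TypeScript example rather than Angular's own compiler code: an element's static attributes are modelled as a name-to-value map, each i18n-<attr> marker is resolved to its target, and a target whose name starts with "on" is reported as an error instead of being collected for the localizer. The function names, the error shape and the sample attributes are assumptions made for this illustration.

```typescript
// Added illustration of the i18n metadata gate described in this PR, not
// Angular's compiler code; the names and the error shape are assumptions.
interface I18nGateError {
  marker: string;  // the i18n marker attribute, e.g. "i18n-onerror"
  target: string;  // the attribute it would have marked for translation
  message: string;
}

interface I18nGateResult {
  translatable: string[];   // attribute names safe to hand to the localizer
  errors: I18nGateError[];  // rejected markers, reported instead of collected
}

const I18N_MARKER_PREFIX = 'i18n-';

// Event-handler attributes (onclick, onerror, onLoad, ...) are executable sinks.
// A plain, case-insensitive prefix check is used, as the reviewer suggested,
// rather than a DOM schema lookup; it deliberately errs toward rejecting.
function isEventHandlerAttribute(name: string): boolean {
  return name.length > 2 && name.slice(0, 2).toLowerCase() === 'on';
}

// Resolve each `i18n-<attr>` marker on one element to its target attribute.
// Markers whose target is an event handler become errors, so a translation
// file never gets the chance to supply the handler's text.
function collectTranslatableAttributes(attrs: Record<string, string>): I18nGateResult {
  const translatable: string[] = [];
  const errors: I18nGateError[] = [];
  for (const marker of Object.keys(attrs)) {
    if (!marker.startsWith(I18N_MARKER_PREFIX)) continue;
    const target = marker.slice(I18N_MARKER_PREFIX.length);
    // A marker without a matching static attribute has nothing to translate.
    if (!Object.prototype.hasOwnProperty.call(attrs, target)) continue;
    if (isEventHandlerAttribute(target)) {
      const message = `Cannot mark event handler attribute "${target}" for ` +
        `translation via "${marker}": translated event handlers are executable sinks`;
      errors.push({marker, target, message});
      continue;
    }
    translatable.push(target);
  }
  return {translatable, errors};
}

// Constructed sample: an <img> whose title is translatable but whose static
// onerror handler is also (wrongly) marked for translation.
const sampleImgAttrs: Record<string, string> = {
  src: 'logo.png', title: 'Company logo', 'i18n-title': '@@logoTitle',
  onerror: 'void 0', 'i18n-onerror': '',
};
```

Running collectTranslatableAttributes(sampleImgAttrs) yields "title" as the only translatable attribute and one error for i18n-onerror, which is the compile-time failure the PR description says affected applications will now see.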