fix(cdk/private): guard createPolicy against DOM clobbering #33410

Open. arturovt wants to merge 1 commit into angular:main from arturovt:fix/multiple_vulners

Conversation

@arturovt (Contributor) commented Jun 17, 2026

Wraps trustedTypes.createPolicy in a try/catch to handle two failure
cases: the policy name already being registered (e.g. in a micro-frontend
setup), and window.trustedTypes being DOM-clobbered by an HTML element
before Angular bootstraps. In both cases the policy falls back to null,
and trustedHTMLFromString continues to work via plain strings while
sanitization in _setInnerHtml still runs.
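The fallback the description outlines (a guarded createPolicy that degrades to a null policy, with trustedHTMLFromString then passing plain strings through) as an added, self-contained TypeScript example. This is not the angular/components source: the interface names, the `ttWindow` parameter, the `log` callback, the factory stand-in and the four scenario functions are assumptions made here so the helper runs under Node without a browser, and it also surfaces the caught error the way the inline review asks for.

```typescript
// Added example (not the angular/components source): a self-contained model of the
// guarded createPolicy + trustedHTMLFromString pattern described in the PR.
// Interface names, `ttWindow`, the `log` callback and the scenarios are assumptions.

// The slice of the Trusted Types API the helper needs (assumed minimal subset).
interface TrustedTypePolicy {
  createHTML(input: string): unknown; // a real browser returns a TrustedHTML object
}
interface TrustedTypePolicyFactory {
  createPolicy(name: string, rules: {createHTML: (s: string) => string}): TrustedTypePolicy;
}
// A window-like object; `trustedTypes` may be missing, the real factory, or something
// that merely shadows it (DOM clobbering by an element with name="trustedTypes").
interface TTWindow {
  trustedTypes?: unknown;
}

export interface HtmlResult {
  value: unknown;      // TrustedHTML-like object, or the plain-string fallback
  usedPolicy: boolean; // false when the helper fell back to plain strings
  logged: string[];    // what the guard reported on failure
}

// Mirrors the PR: any failure of createPolicy (duplicate name, clobbered object,
// anything else) leaves the policy as null instead of breaking bootstrap.
export function createGuardedPolicy(ttWindow: TTWindow, log: (m: string) => void): TrustedTypePolicy | null {
  const tt = ttWindow.trustedTypes as TrustedTypePolicyFactory | undefined;
  if (!tt) {
    return null; // no Trusted Types support: plain strings are accepted everywhere
  }
  try {
    // A clobbering element has no createPolicy method, so this throws a TypeError;
    // a second registration of the same name throws in the browser as well.
    return tt.createPolicy('angular#components', {createHTML: (s: string) => s});
  } catch (e) {
    // Reporting the reason keeps the silent fallback observable to developers.
    log(`createPolicy failed, falling back to plain strings: ${(e as Error).message}`);
    return null;
  }
}

export function trustedHTMLFromString(policy: TrustedTypePolicy | null, html: string): unknown {
  return policy ? policy.createHTML(html) : html;
}

// Constructed stand-in for window.trustedTypes that rejects duplicate policy names,
// as a browser does when the CSP does not allow duplicates.
export function makeFactoryStandIn(): TrustedTypePolicyFactory {
  const names = new Set<string>();
  return {
    createPolicy(name, rules) {
      if (names.has(name)) {
        throw new TypeError(`Policy with name "${name}" already exists.`);
      }
      names.add(name);
      return {createHTML: (s) => ({trustedHTML: rules.createHTML(s)})};
    },
  };
}

// Runs the helper against one window-like object and reports what happened.
export function bootstrapWith(ttWindow: TTWindow, html: string): HtmlResult {
  const logged: string[] = [];
  const policy = createGuardedPolicy(ttWindow, m => logged.push(m));
  return {value: trustedHTMLFromString(policy, html), usedPolicy: policy !== null, logged};
}

const SAMPLE = '<b>hello</b>'; // constructed input

// 1. Healthy browser: the policy is created and wraps the string.
export function scenarioHealthy(): HtmlResult {
  return bootstrapWith({trustedTypes: makeFactoryStandIn()}, SAMPLE);
}
// 2. No Trusted Types at all: plain-string path, nothing to report.
export function scenarioUnsupported(): HtmlResult {
  return bootstrapWith({}, SAMPLE);
}
// 3. Micro-frontend: a second bootstrap against the same factory hits the duplicate name.
export function scenarioDuplicateName(): HtmlResult {
  const factory = makeFactoryStandIn();
  bootstrapWith({trustedTypes: factory}, SAMPLE); // first app registers the name
  return bootstrapWith({trustedTypes: factory}, SAMPLE); // second app falls back
}
// 4. DOM clobbering: an element such as <img name="trustedTypes"> shadows the API.
//    A plain object stands in for that element here (constructed).
export function scenarioClobbered(): HtmlResult {
  const clobberingElement = {tagName: 'IMG', name: 'trustedTypes'};
  return bootstrapWith({trustedTypes: clobberingElement}, SAMPLE);
}

for (const run of [scenarioHealthy, scenarioUnsupported, scenarioDuplicateName, scenarioClobbered]) {
  const r = run();
  console.log(run.name, {usedPolicy: r.usedPolicy, logged: r.logged});
}
```

The design point worth noticing is that only the healthy scenario hands a TrustedHTML-like object to the sink; the other three all end up on the plain-string path, so the sanitization in the caller has to remain the real control, and under a CSP that enforces `require-trusted-types-for 'script'` the logged message is what tells a developer why an innerHTML assignment was rejected.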

@pullapprove pullapprove Bot requested a review from devversion June 17, 2026 10:13
Review comment threads: src/cdk/private/trusted-types.ts (outdated), src/cdk/overlay/position/flexible-connected-position-strategy.ts, src/cdk/drag-drop/dom/styling.ts (outdated)
@arturovt arturovt force-pushed the fix/multiple_vulners branch from 39d7c2c to 383bb1a, June 17, 2026 17:27
@arturovt arturovt changed the title from "fix(multiple): harden extendStyles and trusted-types against prototype pollution and DOM clobbering" to "fix(cdk/private): guard createPolicy against DOM clobbering", Jun 17, 2026
policy = ttWindow.trustedTypes.createPolicy('angular#components', {
createHTML: (s: string) => s,
});
} catch {
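Review bot: the bare `} catch {` swallows every exception thrown by `createPolicy`, not only the two cases the description names (duplicate policy name, clobbered `trustedTypes`), so a genuine mistake in the policy object or in the `'angular#components'` name would also disappear silently. Bind the error and report it in development builds, e.g. `} catch (e) {` followed by a `console.error` of `e`, and add a comment above the `try` stating that a `null` policy means plain strings reach the sink, because under a CSP that enforces `require-trusted-types-for 'script'` those plain strings are rejected by the browser and the log line is then the only clue to why.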

Member

Maybe we should console.error here so we know it's failing?

2 participants