This repository was archived by the owner on Apr 12, 2024. It is now read-only.

Security fixes - prevent possible XSS due to regex-based HTML replace… #17084

Closed
wants to merge 1 commit into from

Conversation

PPInfy

@PPInfy PPInfy commented Oct 5, 2020

(title continued: "…regex-based HTML replacement")

Updated To have #17028

AngularJS is in LTS mode

We are no longer accepting changes that are not critical bug fixes into this project.
See https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c for more detail.

Does this PR fix a regression since 1.7.0, a security flaw, or a problem caused by a new browser version?
Yes. This fixes CVE-2020-7676 (Medium Severity issue).

What is the current behavior? (You can also link to an open issue here)
https://nvd.nist.gov/vuln/detail/CVE-2020-7676

What is the new behavior (if this is a feature change)?
Security fix will ensure the behavior is fixed.

Does this PR introduce a breaking change?
No.

Please check if the PR fulfills these requirements

  • The commit message follows our guidelines
  • Fix/Feature: Docs have been added/updated
  • Fix/Feature: Tests have been added; existing tests pass

Other information:

@googlebot

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.


@gkalpak
Member

gkalpak commented Oct 5, 2020

Thx for submitting a PR, @PPInfy. However, as mentioned in the Version status support page, version 1.6.x is no longer maintained and will not receive further updates (of any kind).

@gkalpak gkalpak closed this Oct 5, 2020
@PPInfy
Author

PPInfy commented Oct 5, 2020

@gkalpak - Why was this fix allowed then, e242e9b? Aren't security fixes after 2018 disallowed there? I can understand there will be no release, but can't a security fix be put on the branch so that others don't have to take on the exercise of merging it, or worse, take the breaking changes of 1.7 and 1.8 to fix a security flaw?

@gkalpak
Member

gkalpak commented Oct 5, 2020

e242e9b was merged for internal reasons (and as you said, it was never released).

Reviewing and merging PRs has a maintenance cost (which includes keeping CI infrastructure and devDependencies updated, etc.) and there are no resources for handling that for all branches. (If we did that for 1.6.x, why not for 1.7.x? What about 1.5.x? You get the point 😃)

I don't think there are many people who consume AngularJS from the GitHub repo, so merging it without doing a release would offer little benefit anyway. If you are consuming AngularJS from a GitHub repo, it is very easy to fork angular/angular.js and make the changes there (and share that with others that might want to consume it from a GitHub repo).

I understand this is not ideal (having to re-apply the fixes on every repo), but (esp. given the very small number of people affected), I think this is an acceptable downside for those choosing to use an old, unmaintained version (v1.6.x) and build AngularJS from the sources 🤷‍♂️
