Skip to content

fix(platform-server): throw on suspicious URLs and restrict protocol-relative URLs (20.3.x)#69043

Merged
pkozlowski-opensource merged 2 commits into
angular:20.3.xfrom
alan-agius4:backport-68973-69018-20.3.x
Jun 1, 2026
Merged

fix(platform-server): throw on suspicious URLs and restrict protocol-relative URLs (20.3.x)#69043
pkozlowski-opensource merged 2 commits into
angular:20.3.xfrom
alan-agius4:backport-68973-69018-20.3.x

Conversation

@alan-agius4
Copy link
Copy Markdown
Contributor

@alan-agius4 alan-agius4 commented Jun 1, 2026

@alan-agius4
refactor(platform-server): extract parseUrl regex and add comments fo 1�7
56f3420 
…r URL parsing behavior

Extracts the regular expression for matching malformed absolute URLs to a module-scoped constant in url.ts.

Additionally, adds comprehensive inline documentation to clarify:
- The path normalization behavior of LEADING_SLASHES_REGEX which collapses consecutive slashes and backslashes.
- The rationale for using 'http://localhost' as the fallback base URL for virtual document initialization in server.ts.
@alan-agius4
fix(platform-server): throw on suspicious URLs and restrict protocol- 1�7
7b092b0 
…relative URLs

Backports the security fixes from:

- angular#68973

- angular#69018
@pullapprove pullapprove Bot requested a review from AndrewKushnir June 1, 2026 07:34
@angular-robot angular-robot Bot added the area: server Issues related to server-side rendering label Jun 1, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 1, 2026
@alan-agius4 alan-agius4 requested review from JeanMeche and removed request for AndrewKushnir June 1, 2026 07:39
@alan-agius4 alan-agius4 added target: lts This PR is targeting a version currently in long-term support action: review The PR is still awaiting reviews from at least one requested reviewer labels Jun 1, 2026
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Jun 1, 2026
@pkozlowski-opensource pkozlowski-opensource merged commit 6ca433e into angular:20.3.x Jun 1, 2026
24 checks passed
@pkozlowski-opensource
Copy link
Copy Markdown
Member

pkozlowski-opensource commented Jun 1, 2026

This PR was merged into the repository. The changes were merged into the following branches:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JeanMeche JeanMeche JeanMeche approved these changes

@AndrewKushnir AndrewKushnir AndrewKushnir approved these changes

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker area: server Issues related to server-side rendering target: lts This PR is targeting a version currently in long-term support

Projects

None yet

Milestone

Backlog

Development

Successfully merging this pull request may close these issues.

4 participants

@alan-agius4 @pkozlowski-opensource @JeanMeche @AndrewKushnir