feat: $sce Strict Contextual Escaping (spec 012)#28
Merged
Conversation
Co-Authored-By: Claude <noreply@anthropic.com>
Ships the full $sce surface in two layered forms, matching the ESM-first architecture convention (architecture.md §1) and the spec-011 precedent: - ESM primary: createSce / sce, createSceDelegate / sceDelegate, with trustAs* / getTrusted* / parseAs* shortcuts across the five public contexts (html, url, resourceUrl, js, css) plus SCE_CONTEXTS and the TrustedValue class hierarchy (TrustedResourceUrl extends TrustedUrl for AngularJS subtype parity). - DI thin shims: $SceProvider and $SceDelegateProvider registered on the ng module. $sceProvider.enabled(value?) toggles strict mode at config time (default ON); $sceDelegateProvider.trustedResourceUrlList and .bannedResourceUrlList configure the resource-URL matcher with 'self', string wildcards (** / *), and RegExp entries. Block-list wins over allow-list. - $interpolate integration: trustedContext narrowed from string to SceContext, single-binding rule enforced at compile time when strict mode is active, and render-time trust unwrapping via $sce.getTrusted. Removes the TODO(spec-\$sce) marker left by spec 011. - Public surface: ./sce subpath added to package.json exports and rollup.config.mjs; @sce/* path alias added to tsconfig, vitest, rollup. Root src/index.ts re-exports the ESM surface. - Tests: +221 tests (1073 → 1294) across 8 new test files covering ESM path, delegate path, provider path, DI integration, interpolate integration, resource-URL matcher, and 11 ported AngularJS parity tests from upstream sceSpecs.js. - Docs: CLAUDE.md gains ./interpolate and ./sce module rows, two non-obvious invariants (frozen strict mode, TrustedResourceUrl subtype rule), and new "where to look" entries. All acceptance criteria in functional-spec.md verified. Final gate: pnpm lint / format:check / typecheck / test / build all green. Co-Authored-By: Claude <noreply@anthropic.com>
…ate tests Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Ships spec 012 — Strict Contextual Escaping (
$sce). Removes theTODO(spec-$sce)marker left by spec 011 and delivers the full AngularJS 1.x-parity security surface in two layered forms (ESM-first primary + DI thin shims), matching architecture.md §1.createSce/sce,createSceDelegate/sceDelegate, fulltrustAs*/getTrusted*/parseAs*shortcuts across the 5 public contexts (html, url, resourceUrl, js, css),SCE_CONTEXTS, and theTrustedValueclass hierarchy (TrustedResourceUrl extends TrustedUrlfor AngularJS subtype parity).$SceProvider/$SceDelegateProviderregistered onngModule.$sceProvider.enabled(value?)toggles strict mode at config time (default ON).$sceDelegateProvider.trustedResourceUrlList/.bannedResourceUrlListconfigure the resource-URL matcher with'self', string wildcards (**/*with AngularJS[^:/?#]*parity), andRegExpentries. Block-list wins over allow-list.$interpolateintegration:trustedContextnarrowed fromstring→SceContext; compile-time single-binding enforcement when strict mode is active; render-time trust unwrapping via$sce.getTrusted../scesubpath added topackage.jsonexports androllup.config.mjs;@sce/*path alias added totsconfig.json,vitest.config.ts,rollup.config.mjs.Test plan
pnpm lint— cleanpnpm format:check— cleanpnpm typecheck— clean (tsc --noEmit)pnpm test— 1294/1294 green across 31 files (+221 tests vs. baseline 1073; 8 new test files cover ESM factory, delegate, provider, DI integration, interpolate-sce integration, resource-URL matcher; 11 tests ported from upstreamsceSpecs.js)pnpm build— dual ESM + CJS +.d.tsgenerated for every subpath including new./scefunctional-spec.mdmarked[x]; spec + tech-considerations Status set toCompleted; roadmapSecurity ($sce)item tickedDocs
CLAUDE.mdgains./interpolate+./sceModules rows, two non-obvious invariants (frozen strict mode;TrustedResourceUrlsubtype rule), and two "where to look" entries.context/product/product-definition.md§ 2.1 Core Features lists Security ($sce) with both surfaces named.@exampleblocks show the typical allow-list config and the$sce.trustAsHtml+$interpolatepairing.🤖 Generated with Claude Code