XLTS for AngularJS 1.5.x
XLTS for AngularJS v1.5.15 Released
XLTS for AngularJS v1.5.15 announcements and release notes.

daintily-cracking
This release introduces features and fixes, including breaking changes, related to the $http module that improve security when using JSONP. It also updates the license field in our package.json based on the latest npm documentation.
Bug Fixes
- $http:
  - fix a potential DoS RegExp issue

New Features
- $http:
  - a JSONP callback must be specified by jsonpCallbackParam config
    - This fixes a Medium Severity JSONP Callback Attack vulnerability.
  - all JSONP requests now require a trusted resource URL
    - This fixes a Medium Severity XSS vulnerability.

Breaking Changes
$http due to:
- a JSONP callback must be specified by jsonpCallbackParam config
  You can no longer use the JSON_CALLBACK placeholder in your JSONP requests. Instead, you must provide the name of the query parameter that will pass the callback via the jsonpCallbackParam property of the config object, or app-wide via the $http.defaults.jsonpCallbackParam property, which is "callback" by default.
  Before this change:
      $http.jsonp('trusted/url?callback=JSON_CALLBACK');
      $http.jsonp('other/trusted/url', { params: { cb: 'JSON_CALLBACK' } });
  After this change:
      $http.jsonp('trusted/url');
      $http.jsonp('other/trusted/url', { jsonpCallbackParam: 'cb' });
 
- all JSONP requests now require a trusted resource URL
  All JSONP requests now require the URL to be trusted as a resource URL. There are two approaches to trusting a URL:
  - Whitelisting with the $sceDelegateProvider.resourceUrlWhitelist() method.
    You configure this list in a module configuration block:
        appModule.config([
          '$sceDelegateProvider',
          function ($sceDelegateProvider) {
            $sceDelegateProvider.resourceUrlWhitelist([
              // Allow same origin resource loads.
              'self',
              // Allow JSONP calls that match this pattern
              'https://some.dataserver.com/**.jsonp?**',
            ]);
          },
        ]);
  - Explicitly trusting the URL via the $sce.trustAsResourceUrl(url) method.
    You can pass a trusted object instead of a string as a URL to the $http service:
        var promise = $http.jsonp($sce.trustAsResourceUrl(url));
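How the whitelist pattern above decides which JSONP URLs are accepted, as an added example that is not part of the original release notes or the AngularJS source. It approximates the documented wildcard rules (`**` matches any characters, `*` stops at `:`, `/`, `.`, `?`, `&` and `;`); the function names, `PAGE_URL` and the sample URLs are constructed for illustration.

```javascript
// Added example (not AngularJS source): approximates the documented matching
// rules for $sceDelegateProvider.resourceUrlWhitelist() string patterns.
const PAGE_URL = 'https://app.example/index.html'; // constructed page location

function patternToRegExp(pattern) {
  if (pattern.includes('***')) {
    throw new Error('Illegal sequence *** in pattern: ' + pattern);
  }
  const source = pattern
    .replace(/[-[\]{}()*+?.,\\^$|#\s]/g, '\\$&') // escape regex metacharacters
    .replace(/\\\*\\\*/g, '.*')                  // '**' matches any characters
    .replace(/\\\*/g, '[^:/.?&;]*');             // '*' stops at : / . ? & ;
  return new RegExp('^' + source + '$');         // the whole URL must match
}

function isTrustedResourceUrl(url, whitelist, pageUrl = PAGE_URL) {
  const target = new URL(url, pageUrl); // resolve relative URLs like a browser
  return whitelist.some((entry) => {
    if (entry === 'self') {
      return target.origin === new URL(pageUrl).origin; // same-origin load
    }
    const matcher = entry instanceof RegExp ? entry : patternToRegExp(entry);
    return matcher.test(target.href);
  });
}

// The whitelist from the release notes, checked against constructed URLs.
const WHITELIST = ['self', 'https://some.dataserver.com/**.jsonp?**'];
const SAMPLES = [
  '/local/feed',                                              // same origin
  'https://some.dataserver.com/api/feed.jsonp?x=1',           // matches pattern
  'https://some.dataserver.com/api/feed.jsonp',               // no literal '?'
  'http://some.dataserver.com/api/feed.jsonp?x=1',            // wrong scheme
  'https://some.dataserver.com.other.example/feed.jsonp?x=1', // lookalike host
];

function auditUrls(urls, whitelist) {
  return urls.map((url) => ({ url, trusted: isTrustedResourceUrl(url, whitelist) }));
}

for (const { url, trusted } of auditUrls(SAMPLES, WHITELIST)) {
  console.log((trusted ? 'ALLOW ' : 'BLOCK ') + url);
}
```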
With this release, we have completed the process of back-porting all the security fixes from AngularJS 1.8.2 to XLTS for AngularJS 1.5.x.
FAQ
Updated: March 5, 2024
The first high-severity CVE since AngularJS End of Life has been officially reported. For AngularJS Never-Ending Support (formerly XLTS) clients, we found this CVE last year and issued a fix immediately. For all others, as Google’s official AngularJS long-term support partner, we encourage you to either:
- Migrate off of AngularJS, or
- Contact HeroDevs about how you can keep your AngularJS environment secure, compliant, and compatible indefinitely.

