chore(deps): update dependency @angular/compiler to v21.2.4 [security] - autoclosed #1363

Closed
renovate[bot] wants to merge 1 commit into main from renovate/npm-angular-compiler-vulnerability

@renovate renovate bot commented Mar 14, 2026

This PR contains the following updates:

Package Change
@angular/compiler (source) 21.1.0 → 21.2.4

GitHub Vulnerability Alerts

CVE-2026-22610

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.

In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes, for example <script [attr.href]="userInput">, the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.

Impact

When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:

  • Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens.
  • Data Exfiltration: Accessing and transmitting sensitive information displayed within the application.
  • Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

Attack Preconditions

  1. The victim application must explicitly use SVG <script> elements within its templates.
  2. The application must use property or attribute binding (interpolation) for the href or xlink:href attributes of those SVG scripts.
  3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

Patches

  • 19.2.18
  • 20.3.16
  • 21.0.7
  • 21.1.0-rc.0

Workarounds

Until the patch is applied, developers should:

  • Avoid Dynamic Bindings: Do not use Angular template binding (e.g., [attr.href]) for SVG <script> elements.
  • Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template.

CVE-2026-32635

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script.

The following example illustrates the issue:

<a href="" i18n-href>Click me</a>

The following attributes have been confirmed to be vulnerable:

  • action
  • background
  • cite
  • codebase
  • data
  • formaction
  • href
  • itemtype
  • longdesc
  • poster
  • src
  • xlink:href

Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

  • Session Hijacking: Stealing session cookies and authentication tokens.
  • Data Exfiltration: Capturing and transmitting sensitive user data.
  • Unauthorized Actions: Performing actions on behalf of the user.

Attack Preconditions

  1. The application must use a vulnerable version of Angular.
  2. The application must bind unsanitized user input to one of the attributes mentioned above.
  3. The bound value must be marked for internationalization via the presence of an i18n-<name> attribute on the same element.

Patches

  • 22.0.0-next.3
  • 21.2.4
  • 20.3.18
  • 19.2.20

Workarounds

The primary workaround is to ensure that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters) until the patch is applied, or when it is, it shouldn't be marked for internationalization.

Alternatively, users can explicitly sanitize their attributes by passing them through Angular's DomSanitizer:

import {Component, inject, SecurityContext} from '@angular/core';
import {DomSanitizer} from '@angular/platform-browser';

@Component({
  template: `
    <form action="{{url}}" i18n-action>
      <button>Submit</button>
    </form>
  `,
})
export class App {
  url: string;

  constructor() {
    const dangerousUrl = 'javascript:alert(1)';
    const sanitizer = inject(DomSanitizer);
    // Sanitize in the URL security context before the value reaches the bound attribute.
    // sanitize() is typed string | null, so fall back to an empty string.
    this.url = sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';
  }
}

Release Notes

angular/angular (@angular/compiler)

v21.2.4

compiler
Commit Type Description
ed2d324f9c fix disallow translations of iframe src
core
Commit Type Description
abbd8797bb fix reverts "feat(core): add support for nested animations"
d1dcd16c5b fix sanitize translated form attributes

v21.2.3

core
Commit Type Description
62a97f7e4b fix ensure definitions compile
21b1c3b2ee fix include signal debug names in their toString() representation
224e60ecb1 fix sanitize translated attribute bindings with interpolations

v21.2.2

compiler
Commit Type Description
1df1697c6e fix prevent mutation of children array in RecursiveVisitor
compiler-cli
Commit Type Description
c822bf8e76 fix always parenthesize object literals in TCB
05d022d5e6 fix ignore generated ngDevMode signal branch for code coverage
forms
Commit Type Description
670d1660c4 feat add 'blur' option to debounce rule

v21.2.1

core
Commit Type Description
e2e9a9a531 fix adds transfer cache to httpResource to fix hydration
b4ec3cc4e4 fix prevent child animation elements from being orphaned
e923d88398 fix Prevent removal of elements during drag and drop
http
Commit Type Description
277ade97ac fix correctly cache blob responses in transfer cache (#67002)

v21.2.0

common
Commit Type Description
18003a33bb feat add an 'outlet' injector option for ngTemplateOutlet
8bbe6dc46c feat Add Location strategies to manage trailing slash on write
51cc914807 feat support height in ImageLoaderConfig and built-in loaders
compiler
Commit Type Description
72534e2a34 feat Add support for the instanceof binary operator
95b3f37d4a feat Exhaustive checks for switch blocks
04ba09a8d9 feat support AstVisitor.visitEmptyExpr()
ce80136e7b fix optimize away unnecessary restore/reset view calls
3242a61bae fix variable counter visiting some expressions twice
compiler-cli
Commit Type Description
473dd3e1cb fix attach source spans to object literal keys in TCB
a904d9f77b fix support nested component declaration
2ea6dfc6c9 fix update diagnostic to flag no-op arrow functions in listeners
core
Commit Type Description
8d5210c9fe feat add ChangeDetectionStrategy.Eager alias for Default
92d2498910 feat add host node to DeferBlockData (#66546)
ea2016a6dc feat add support for nested animations
81cabc1477 feat add support for TypeScript 6
1ba9b7ac50 feat resource composition via snapshots
d9923b72a2 feat support arrow functions in expressions
a7e8abbb7e fix correctly handle SkipSelf when resolving from embedded view injector
0806ee3826 fix prevent animated element duplication with dynamic components in zoneless mode
ed78fa05c7 fix Remove note to skip arrow functions in best practices
forms
Commit Type Description
f56bb07d83 feat add field param to submit action and onInvalid
ba009b6031 feat add form directive
22afbb2f36 feat add parsing support to native inputs (#66917)
95c386469c feat Add passing focus options to form field
95ecce8334 feat allow setting submit options at form-level
ebae211add feat introduce parse errors in signal forms
3937afc316 feat introduce SignalFormControl for Reactive Forms compatibility
30f0914754 feat support binding null to number input (#66917)
dd208ca259 feat update submit function to accept options object
27397b3f4f fix clear parse errors when model updates (#66917)
63d8005703 fix preserve custom-control focus context in signal forms
631f60d1f9 fix preserve parse errors when parse returns value
adfb83146b fix simplify design of parse errors
fb05fc86d0 fix sort error summary by DOM order
567f292e8e fix support custom controls as host directives
bdfb60f3e3 fix use consistent error format returned from parse
d75046bc09 fix warn when showing hidden field state
language-server
Commit Type Description
ebc90c26f5 feat Add completions and hover info for inline styles
26fd0839c3 feat Add folding range support for inline styles
573aadef7e feat Add quick info for inline styles
6fb39d9b62 feat Support client-side file watching via onDidChangeWatchedFiles
language-service
Commit Type Description
496967e7b1 feat add JSON schema for angularCompilerOptions
8c21866f49 feat add linked editing ranges for HTML tag synchronization
d2137928e8 perf use lightweight project warmup for Angular analysis
router
Commit Type Description
b51bab583d feat Add partial ActivatedRouteSnapshot information to canMatch params
cf9620f7d0 feat Make match options optional in isActive
907a94dcec feat Update IsActiveMatchOptions APIs to accept a Partial

v21.1.6

Breaking Changes

core
  • Angular now only applies known attributes from HTML in translated ICU content. Unknown attributes are dropped and not rendered.

    (cherry picked from commit 306f367)

common
Commit Type Description
31d3d56496 fix fix LCP image detection with duplicate URLs
compiler-cli
Commit Type Description
24b578ce90 fix detect uninvoked functions in defer trigger expressions
core
Commit Type Description
b858309532 fix block creation of sensitive URI attributes from ICU messages

v21.1.5

No user facing changes in this release

v21.1.4

compiler
Commit Type Description
caab23dfe6 fix add geolocation element to schema
core
Commit Type Description
2b99eaa019 fix capture animation dependencies eagerly to avoid destroyed injector
d6aeac504c fix Fix flakey test due to document injection
forms
Commit Type Description
0d1acd0165 feat support signal-based schemas in validateStandardSchema
http
Commit Type Description
3905015ccc fix correctly parse ArrayBuffer and Blob in transfer cache

v21.1.3

core
Commit Type Description
2b254bc050 fix linkedSignal.update should propagate errors
e5110b4fa1 fix export DirectiveWithBindings
2cf4da0ea1 fix hold constructors weakly in DepsTracker cache
70a5b651be fix prevent element duplication with dynamic components
forms
Commit Type Description
6f75b6e3f6 fix Resolves debounce promise on abort in debounceForDuration
localize
Commit Type Description
4c7126d23b fix add support for unit-test builder in ng-add schematic
router
Commit Type Description
d6268c0bbb fix limit UrlParser recursion depth to prevent stack overflow
49a36f4cc7 perf Use .bind to avoid holding other closures in memory

v21.1.2

forms
Commit Type Description
9f99b14882 fix only touch visible, interactive fields on submit
language-service
Commit Type Description
c57b0355b5 fix Detect local project version on creation
router
Commit Type Description
21ecdc036a fix Do not intercept reload events with Navigation integration

v21.1.1

compiler-cli
Commit Type Description
0e1f1ed573 fix drop .tsx extension for generated relative imports
core
Commit Type Description
05adfcf8f2 fix handle Set in class bindings
forms
Commit Type Description
d89a80a970 feat Ability to manually register a form field binding in signal forms
cb75f9ce85 fix fix control value syncing on touch

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
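
A defender-side check for both advisories quoted in the comment above, as an added example that is not part of the Renovate comment or of Angular's code: it scans template text for a bound href/xlink:href on a `<script>` element (CVE-2026-22610) and for an i18n-<attr> marker beside an interpolated attribute from the confirmed list (CVE-2026-32635). The names `scanTemplate`, `parseAttrs` and `SAMPLE_TEMPLATE`, the regex approach, and treating the i18n case as an interpolation binding (taken from the release-note wording) are assumptions of this example.

```typescript
// Added example: static check of Angular template text for the two advisory
// patterns. Regex-based; treat hits as leads for manual review.
const I18N_SENSITIVE = ["action", "background", "cite", "codebase", "data",
  "formaction", "href", "itemtype", "longdesc", "poster", "src", "xlink:href"];

interface Finding { cve: string; tag: string; attr: string; }

// Read name="value" pairs out of the raw attribute text of one opening tag.
function parseAttrs(raw: string): Record<string, string> {
  const attrRe = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?/g;
  const attrs: Record<string, string> = {};
  let m: RegExpExecArray | null;
  while ((m = attrRe.exec(raw)) !== null) {
    attrs[(m[1] || "").toLowerCase()] = m[2] || m[3] || "";
  }
  return attrs;
}

function scanTemplate(template: string): Finding[] {
  const tagRe = /<([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'))?)*)\s*\/?>/g;
  const findings: Finding[] = [];
  let t: RegExpExecArray | null;
  while ((t = tagRe.exec(template)) !== null) {
    const tag = (t[1] || "").toLowerCase();
    const attrs = parseAttrs(t[2] || "");
    Object.keys(attrs).forEach((name) => {
      const dynamic = name.charAt(0) === "[" || (attrs[name] || "").indexOf("{{") !== -1;
      const bare = name.replace(/^\[|\]$/g, "").replace(/^attr\./, "");
      // CVE-2026-22610: bound href / xlink:href on a <script> element.
      if (tag === "script" && dynamic && (bare === "href" || bare === "xlink:href")) {
        findings.push({ cve: "CVE-2026-22610", tag, attr: name });
      }
      // CVE-2026-32635: i18n-<attr> beside a listed attribute holding {{ }}.
      const target = name.indexOf("i18n-") === 0 ? name.slice(5) : "";
      if (I18N_SENSITIVE.indexOf(target) !== -1 && (attrs[target] || "").indexOf("{{") !== -1) {
        findings.push({ cve: "CVE-2026-32635", tag, attr: target });
      }
    });
  }
  return findings;
}

// Constructed sample template, not taken from any real project.
const SAMPLE_TEMPLATE = `
  <svg><script [attr.href]="userInput"></script></svg>
  <a href="{{profileUrl}}" i18n-href>Click me</a>
  <a href="/static/help" i18n-href>Help</a>
`;
console.log(scanTemplate(SAMPLE_TEMPLATE));
```

A hit only means the pattern is present in the template; whether the bound value is attacker-influenced still has to be traced by hand.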

@renovate renovate bot requested review from a team as code owners March 14, 2026 00:34
@renovate renovate bot changed the title chore(deps): update dependency @angular/compiler to v21.2.4 [security] chore(deps): update dependency @angular/compiler to v21.2.4 [security] - autoclosed Mar 18, 2026
@renovate renovate bot closed this Mar 18, 2026
@renovate renovate bot deleted the renovate/npm-angular-compiler-vulnerability branch March 18, 2026 20:36
@renovate renovate bot changed the title chore(deps): update dependency @angular/compiler to v21.2.4 [security] - autoclosed chore(deps): update dependency @angular/compiler to v21.2.4 [security] Mar 22, 2026
@renovate renovate bot reopened this Mar 22, 2026
@renovate renovate bot force-pushed the renovate/npm-angular-compiler-vulnerability branch 2 times, most recently from 092865b to 58eabe3 Compare March 22, 2026 16:36
@renovate renovate bot changed the title chore(deps): update dependency @angular/compiler to v21.2.4 [security] chore(deps): update dependency @angular/compiler to v21.2.4 [security] - autoclosed Mar 23, 2026
@renovate renovate bot closed this Mar 23, 2026