diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index c2f27485348f..f5513f23390c 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -31,7 +31,7 @@ please provide the *STEPS TO REPRODUCE* and if possible a *MINIMAL DEMO* of the https://plnkr.co or similar (you can use this template as a starting point: http://plnkr.co/edit/tpl:yBpEi4). --> -**AngularJS version:** 1.7.x +**AngularJS version:** 1.8.x diff --git a/docs/content/guide/migration.ngdoc b/docs/content/guide/migration.ngdoc index 155f39cc4a29..c982677cd3d8 100644 --- a/docs/content/guide/migration.ngdoc +++ b/docs/content/guide/migration.ngdoc @@ -15,6 +15,30 @@ which drives many of these changes. * Several new features, especially animations, would not be possible without a few changes. * Finally, some outstanding bugs were best fixed by changing an existing API. +## Migrating from 1.7 to 1.8 + +Generally updating to 1.8.0 from 1.7.x should be a straightforward process and is highly recommended. +AngularJS 1.8 is a breaking change release from 1.7 to mitigate a security issue. + +JqLite no longer turns XHTML-like strings like `
` to sibling elements when not in XHTML +mode: `
`. +Instead it will leave the elements alone. In non-XHTML mode the browser will convert these to nested +elements: `
`. + +This is a security fix to avoid an XSS vulnerability if a new jqLite element is created from a +user-controlled HTML string. If you must have this functionality and understand the risk involved +then it is posible to restore the original behavior by calling + +```js +angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement(); +``` + +But you should adjust your code for this change and remove your use of this function as soon as +possible. + +Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the +[jQuery 3.5 upgrade guide](https://jquery.com/upgrade-guide/3.5/) for more details about the workarounds. + ## Migrating from 1.6 to 1.7 diff --git a/docs/content/misc/faq.ngdoc b/docs/content/misc/faq.ngdoc index 06e6d808bf80..4c03000da83a 100644 --- a/docs/content/misc/faq.ngdoc +++ b/docs/content/misc/faq.ngdoc @@ -174,8 +174,9 @@ Yes, AngularJS can use [jQuery](http://jquery.com/) if it's present in your app application is being bootstrapped. If jQuery is not present in your script path, AngularJS falls back to its own implementation of the subset of jQuery that we call {@link angular.element jQLite}. -AngularJS 1.3 only supports jQuery 2.1 or above. jQuery 1.7 and newer might work correctly with AngularJS -but we don't guarantee that. +For AngularJS 1.8 we support jQuery 2.1+ but we suggest jQuery 3.5.1 or above to avoid a potential +security issue. Earlier versions of jQuery might work correctly with AngularJS but we don't guarantee +that. ### What is testability like in AngularJS? diff --git a/docs/content/misc/version-support-status.ngdoc b/docs/content/misc/version-support-status.ngdoc index b459c5459ef1..368d4b67d904 100644 --- a/docs/content/misc/version-support-status.ngdoc +++ b/docs/content/misc/version-support-status.ngdoc @@ -10,7 +10,7 @@ This page describes the support status of the significant versions of AngularJS. On July 1, 2018 AngularJS entered a 3 year Long Term Support period.
-Any version branch not shown in the following table (e.g. 1.6.x) is no longer being developed. +Any version branch not shown in the following table (e.g. 1.7.x) is no longer being developed. @@ -23,7 +23,7 @@ Any version branch not shown in the following table (e.g. 1.6.x) is no longer be - + @@ -36,9 +36,9 @@ On July 1st 2018, AngularJS entered a Long Term Support period. We now focus exclusively on providing fixes to bugs that satisfy at least one of the following criteria: -* A security flaw is detected in the 1.7.x branch of the framework -* One of the major browsers releases a version that will cause current production applications using AngularJS 1.7.x to stop working -* The jQuery library releases a version that will cause current production applications using AngularJS 1.7.x to stop working. +* A security flaw is detected in the 1.8.x branch of the framework +* One of the major browsers releases a version that will cause current production applications using AngularJS 1.8.x to stop working +* The jQuery library releases a version that will cause current production applications using AngularJS 1.8.x to stop working. AngularJS 1.2.x will get a new version if and only if a new severe security issue is discovered. diff --git a/docs/content/tutorial/step_09.ngdoc b/docs/content/tutorial/step_09.ngdoc index a6d3d7c652e1..d56265e7fe13 100644 --- a/docs/content/tutorial/step_09.ngdoc +++ b/docs/content/tutorial/step_09.ngdoc 
@@ -34,16 +34,16 @@ Since we are using [npm][npm] to install client-side dependencies, this step upd "name": "angular-phonecat", ... "dependencies": { - "angular": "1.7.x", - "angular-route": "1.7.x", + "angular": "1.8.x", + "angular-route": "1.8.x", "bootstrap": "3.3.x" }, ... } ``` -The new dependency `"angular-route": "1.7.x"` tells npm to install a version of the angular-route -module that is compatible with version 1.7.x of AngularJS. We must tell npm to download and install +The new dependency `"angular-route": "1.8.x"` tells npm to install a version of the angular-route +module that is compatible with version 1.8.x of AngularJS. We must tell npm to download and install this dependency. ``` diff --git a/docs/content/tutorial/step_13.ngdoc b/docs/content/tutorial/step_13.ngdoc index 9a09f417a238..c514425377d8 100644 --- a/docs/content/tutorial/step_13.ngdoc +++ b/docs/content/tutorial/step_13.ngdoc @@ -32,17 +32,17 @@ Since we are using [npm][npm] to install client-side dependencies, this step upd "name": "angular-phonecat", ... "dependencies": { - "angular": "1.7.x", - "angular-resource": "1.7.x", - "angular-route": "1.7.x", + "angular": "1.8.x", + "angular-resource": "1.8.x", + "angular-route": "1.8.x", "bootstrap": "3.3.x" }, ... } ``` -The new dependency `"angular-resource": "1.7.x"` tells npm to install a version of the -angular-resource module that is compatible with version 1.7.x of AngularJS. We must tell npm to +The new dependency `"angular-resource": "1.8.x"` tells npm to install a version of the +angular-resource module that is compatible with version 1.8.x of AngularJS. We must tell npm to download and install this dependency. ``` diff --git a/docs/content/tutorial/step_14.ngdoc b/docs/content/tutorial/step_14.ngdoc index f7b09777ae02..9b17f46e6d5c 100644 --- a/docs/content/tutorial/step_14.ngdoc +++ b/docs/content/tutorial/step_14.ngdoc 
@@ -36,20 +36,20 @@ Since we are using [npm][npm] to install client-side dependencies, this step upd "name": "angular-phonecat", ... "dependencies": { - "angular": "1.7.x", - "angular-animate": "1.7.x", - "angular-resource": "1.7.x", - "angular-route": "1.7.x", + "angular": "1.8.x", + "angular-animate": "1.8.x", + "angular-resource": "1.8.x", + "angular-route": "1.8.x", "bootstrap": "3.3.x", - "jquery": "3.3.x" + "jquery": "^3.5.1" }, ... } ``` -* `"angular-animate": "1.7.x"` tells npm to install a version of the angular-animate module that - is compatible with version 1.7.x of AngularJS. -* `"jquery": "3.3.x"` tells npm to install the latest patch release of the 3.3 version of jQuery. +* `"angular-animate": "1.8.x"` tells npm to install a version of the angular-animate module that + is compatible with version 1.8.x of AngularJS. +* `"jquery": "^3.5.1"` tells npm to install a version of jQuery that is compatible with 3.5.x and at least 3.5.1. Note that this is not an AngularJS library; it is the standard jQuery library. We can use npm to install a wide range of 3rd party libraries. diff --git a/package.json b/package.json index 0931b5ced3b9..570edbaa2427 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "name": "angular", "license": "MIT", "branchVersion": "^1.7.0", - "branchPattern": "1.7.*", + "branchPattern": "1.8.*", "distTag": "next", "repository": { "type": "git",
Last version to provide IE 8 support
1.7.x1.8.x Long Term Support See {@link version-support-status#long-term-support Long Term Support} section below.
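Review bot: in docs/content/guide/migration.ngdoc, the added line "then it is posible to restore the original behavior by calling" misspells "possible". The same section says "you should adjust your code for this change" without saying what the adjustment is. One sentence describing how the HTML strings passed to jqLite should be written after this change would make the migration step actionable.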
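Review bot: in docs/content/misc/faq.ngdoc, the new wording "to avoid a potential security issue" does not say which issue or where to read about it. Suggest linking from this sentence to the "Migrating from 1.7 to 1.8" section added in this patch, which already points to the jQuery 3.5 upgrade guide, so readers can judge whether their jQuery version is affected.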
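Review bot: in docs/content/tutorial/step_14.ngdoc, the description of `"jquery": "^3.5.1"` as "compatible with 3.5.x and at least 3.5.1" does not match what the caret range does: `^3.5.1` accepts any 3.x release at or above 3.5.1, including later minor versions, not only 3.5.x. Either reword the bullet to say "any 3.x release that is at least 3.5.1", or use `~3.5.1` if the intent is to stay on the 3.5 line. The other entries in the same block use the `1.8.x` style, so a short note on why jQuery uses a different range form would also help tutorial readers.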
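Review bot: in package.json, `"branchPattern"` moves to `"1.8.*"` while the adjacent context line `"branchVersion": "^1.7.0"` is left unchanged. If `branchVersion` is meant to stay on 1.7 for this release, please say so in the commit message; otherwise it looks like it was missed and should be updated in the same hunk.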