
fix(compiler): restrict possible event handler check to property names longer than 2 characters #69306

Open
alan-agius4 wants to merge 1 commit into angular:main from alan-agius4:fix-i18n-event-handler-length-check

@alan-agius4

Contributor

Previously, the compiler disallowed translation of any attribute starting with 'on' for security reasons. This incorrectly disallowed translation of the 'on' attribute itself, which is not an event handler.

This commit introduces isPossibleEventHandler to verify that the property name has a length greater than 2 in addition to starting with 'on'. This allows attributes like 'on' to be translated while still correctly disallowing actual event handlers like 'onerror', 'onclick', etc.
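The length check described in this PR next to the earlier prefix-only check, as an added sketch that is not the PR's code or Angular's implementation. Only the name `isPossibleEventHandler` comes from the description; `startsWithOn`, `partitionTranslatable`, `compareGuards` and the sample attribute names are assumptions made for illustration.

```typescript
// Illustrative sketch only; not the Angular compiler's source.

// Earlier behaviour as the PR describes it: any name starting with 'on' is refused.
function startsWithOn(name: string): boolean {
  return name.slice(0, 2) === 'on';
}

// Behaviour the PR describes: the 'on' prefix plus a length greater than 2.
function isPossibleEventHandler(name: string): boolean {
  return name.length > 2 && name.slice(0, 2) === 'on';
}

// Hypothetical helper: split attribute names marked for translation into
// those a guard lets through and those it refuses.
function partitionTranslatable(
  names: string[],
  guard: (name: string) => boolean,
): {allowed: string[]; refused: string[]} {
  const allowed: string[] = [];
  const refused: string[] = [];
  for (const name of names) {
    (guard(name) ? refused : allowed).push(name);
  }
  return {allowed, refused};
}

// Constructed sample. 'onboarding' is a made-up custom attribute: under the
// prefix-plus-length rule it is still refused, which is why the check is
// named "possible" event handler rather than an exact match list.
const SAMPLE_ATTRS = ['title', 'on', 'onclick', 'onerror', 'alt', 'onboarding'];

function compareGuards() {
  return {
    before: partitionTranslatable(SAMPLE_ATTRS, startsWithOn),
    after: partitionTranslatable(SAMPLE_ATTRS, isPossibleEventHandler),
  };
}

console.log(JSON.stringify(compareGuards(), null, 2));
```

The only name that moves from refused to allowed is the bare `on`; every longer `on…` name stays blocked from translation.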

@alan-agius4 requested a review from JeanMeche June 11, 2026 07:44
@alan-agius4 added the labels action: review (The PR is still awaiting reviews from at least one requested reviewer) and target: patch (This PR is targeted for the next patch release) Jun 11, 2026
@pullapprove Bot requested a review from josephperrott June 11, 2026 07:44
@angular-robot Bot added the label area: compiler (Issues related to `ngc`, Angular's template compiler) Jun 11, 2026
@ngbot Bot added this to the Backlog milestone Jun 11, 2026
…s longer than 2 characters

Previously, the compiler disallowed translation of any attribute starting with 'on' for security reasons. This incorrectly disallowed translation of the 'on' attribute itself, which is not an event handler.

This commit introduces `isPossibleEventHandler` to verify that the property name has a length greater than 2 in addition to starting with 'on'. This allows attributes like 'on' to be translated while still correctly disallowing actual event handlers like 'onerror', 'onclick', etc.

@josephperrott left a comment

Member

LGTM

@pullapprove Bot requested a review from josephperrott June 11, 2026 14:43

@josephperrott left a comment

Member

LGTM

Reviewed-for: fw-security
