AngularJS version 1.2 introduces several breaking changes that may require changes to your application's source code.
Although we try to avoid breaking changes, there are some cases where it is unavoidable. AngularJS 1.2 has undergone a thorough security review to make applications safer by default, which has driven many of these changes. Several new features, especially animations, would not be possible without a few changes. Finally, some outstanding bugs were best fixed by changing an existing API.
Note: AngularJS versions 1.1.x are considered "experimental" with breaking changes between minor releases. Version 1.2 is the result of several versions on the 1.1 branch, and has a stable API.
If you have an application on 1.1 and want to migrate it to 1.2, everything in the guide below should still apply, but you may want to consult the changelog as well.
Just like ngResource
, ngRoute
is now its own module.
Applications that use $route
, ngView
, and/or $routeParams
will now need to load an
angular-route.js
file and have their application's module dependency on the ngRoute
module.
Before:
<script src="angular.js"></script>
var myApp = angular.module('myApp', ['someOtherModule']);
After:
<script src="angular.js"></script>
<script src="angular-route.js"></script>
var myApp = angular.module('myApp', ['ngRoute', 'someOtherModule']);
See 5599b55b.
$parse
and templates in general will no longer automatically unwrap promises.
Before:
$scope.foo = $http({method: 'GET', url: '/someUrl'});
<p>{{foo}}</p>
After:
$http({method: 'GET', url: '/someUrl'})
.success(function(data) {
$scope.foo = data;
});
<p>{{foo}}</p>
This feature has been deprecated. If absolutely needed, it can be reenabled for now via the
$parseProvider.unwrapPromises(true)
API.
$route
To migrate the code, follow the example below. Here, *highlight
becomes :highlight*
Before:
$routeProvider.when('/Book1/:book/Chapter/:chapter/*highlight/edit',
{controller: noop, templateUrl: 'Chapter.html'});
After:
$routeProvider.when('/Book1/:book/Chapter/:chapter/:highlight*/edit',
{controller: noop, templateUrl: 'Chapter.html'});
See 04cebcc1.
*[src]
, *[ng-src]
or action
With the exception of <a>
and <img>
elements, you cannot bind more than one expression to the
src
or action
attribute of elements.
This is one of several improvements to security introduces by Angular 1.2.
Concatenating expressions makes it hard to understand whether some combination of concatenated
values are unsafe to use and potentially subject to XSS vulnerabilities. To simplify the task of
auditing for XSS issues, we now require that a single expression be used for *[src/ng-src]
bindings such as bindings for iframe[src]
, object[src]
, etc. In addition, this requirement is
enforced for form
tags with action
attributes.
Examples | |
---|---|
<img src="{{a}}/{{b}}"> |
ok |
<iframe src="{{a}}/{{b}}"></iframe> |
bad |
<iframe src="{{a}}"></iframe> |
ok |
To migrate your code, you can combine multiple expressions using a method attached to your scope.
Before:
scope.baseUrl = 'page';
scope.a = 1;
scope.b = 2;
<!-- Are a and b properly escaped here? Is baseUrl controlled by user? -->
<iframe src="{{baseUrl}}?a={{a}&b={{b}}">
After:
var baseUrl = "page";
scope.getIframeSrc = function() {
// One should think about their particular case and sanitize accordingly
var qs = ["a", "b"].map(function(value, name) {
return encodeURIComponent(name) + "=" +
encodeURIComponent(value);
}).join("&");
// `baseUrl` isn't exposed to a user's control, so we don't have to worry about escaping it.
return baseUrl + "?" + qs;
};
<iframe src="{{getIframeSrc()}}">
See 38deedd6.
DOM event handlers execute arbitrary Javascript code. Using an interpolation for such handlers
means that the interpolated value is a JS string that is evaluated. Storing or generating such
strings is error prone and leads to XSS vulnerabilities. On the other hand, ngClick
and other
Angular specific event handlers evaluate Angular expressions in non-window (Scope) context which
makes them much safer.
To migrate the code follow the example below:
Before:
JS: scope.foo = 'alert(1)';
HTML: <div onclick="{{foo}}">
After:
JS: scope.foo = function() { alert(1); }
HTML: <div ng-click="foo()">
See 39841f2e.
This change was necessary to enable multi-element directives. The best fix is to rename existing directives so that they don't end with these suffixes.
See e46100f7.
The reason for this change is to align $q
with the Q promise
library, despite the fact that this makes it a bit more difficult
to use with non-ES5 browsers, like IE8.
finally
also goes well together with the catch
API that was added to $q
recently and is part
of the DOM promises standard.
To migrate the code follow the example below.
Before:
$http.get('/foo').always(doSomething);
After:
$http.get('/foo').finally(doSomething);
Or for IE8-compatible code:
$http.get('/foo')['finally'](doSomething);
See f078762d.
Many touch-enabled devices are not mobile devices, so we decided to rename this module to better reflect its concerns.
To migrate, replace all references to ngMobile
with ngTouch
and angular-mobile.js
with
angular-touch.js
.
See 94ec84e7.
Resource instances do not have a $then
function anymore. Use the $promise.then
instead.
Before:
Resource.query().$then(callback);
After:
Resource.query().$promise.then(callback);
See 05772e15.
Methods of a resource instance return the promise rather than the instance itself.
Before:
resource.$save().chaining = true;
After:
resource.$save();
resource.chaining = true;
See 05772e15.
On success, the resource promise is resolved with the resource instance rather than HTTP response object.
Use interceptor API to access the HTTP response object.
Before:
Resource.query().$then(function(response) {...});
After:
var Resource = $resource('/url', {}, {
get: {
method: 'get',
interceptor: {
response: function(response) {
// expose response
return response;
}
}
}
});
See 05772e15.
$location.search
now supports multiple keys with the
same value provided that the values are stored in an array.
Before this change:
parseKeyValue
only took the last key overwriting all the previous keys.toKeyValue
joined the keys together in a comma delimited string.This was deemed buggy behavior. If your server relied on this behavior then either the server
should be fixed, or a simple serialization of the array should be done on the client before
passing it to $location
.
See 80739409.
ngBindHtml
which has been moved from ngSanitize
module to the core ng
module.
ngBindHtml
provides ngBindHtmlUnsafe
like
behavior (evaluate an expression and innerHTML the result into the DOM) when bound to the result
of $sce.trustAsHtml(string)
. When bound to a plain string, the string is sanitized via
$sanitize
before being innerHTML'd. If the $sanitize
service isn't available (ngSanitize
module is not loaded) and the bound expression evaluates to a value that is not trusted an
exception is thrown.
See dae69473.
If you have form names that will evaluate as an expression:
<form name="ctrl.form">
And if you are accessing the form from your controller:
Before:
function($scope) {
$scope['ctrl.form'] // form controller instance
}
After:
function($scope) {
$scope.ctrl.form // form controller instance
}
This makes it possible to access a form from a controller using the new "controller as" syntax. Supporting the previous behavior offers no benefit.
See 8ea802a1.
Inputs with name equal to hasOwnProperty
are not allowed inside form or ngForm directives.
Before, inputs whose name was "hasOwnProperty" were quietly ignored and not added to the scope. Now a badname exception is thrown. Using "hasOwnProperty" for an input name would be very unusual and bad practice. To migrate, change your input name.
See 7a586e5c.
The order of postLink fn is now mirror opposite of the order in which corresponding preLinking and compile functions execute.
Previously the compile/link fns executed in order, sorted by priority:
# | Step | Old Sort Order | New Sort Order |
---|---|---|---|
1 | Compile Fns | High → Low | |
2 | Compile child nodes | ||
3 | PreLink Fns | High → Low | |
4 | Link child nodes | ||
5 | PostLink Fns | High → Low | Low → High |
"High → Low" here refers to the priority
option of a directive.
Very few directives in practice rely on the order of postLinking functions (unlike on the order of compile functions), so in the rare case of this change affecting an existing directive, it might be necessary to convert it to a preLinking function or give it negative priority.
You can look at the diff of this commit to see how an internal attribute interpolation directive was adjusted.
See 31f190d4.
the priority of ngRepeat, ngSwitchWhen, ngIf, ngInclude and ngView has changed. This could affect directives that explicitly specify their priority.
In order to make ngRepeat, ngSwitchWhen, ngIf, ngInclude and ngView work together in all common scenarios their directives are being adjusted to achieve the following precedence:
Directive | Old Priority | New Priority |
---|---|---|
ngRepeat | 1000 | 1000 |
ngSwitchWhen | 500 | 800 |
ngIf | 1000 | 600 |
ngInclude | 1000 | 400 |
ngView | 1000 | 400 |
See b7af76b4.
browserTrigger now uses an eventData object instead of direct parameters for mouse events.
To migrate, place the keys
,x
and y
parameters inside of an object and place that as the
third parameter for the browserTrigger function.
See 28f56a38.
Previously ngInclude
and ngView
only updated its element's content. Now these directives will
recreate the element every time a new content is included.
This ensures that a single rootElement for all the included contents always exists, which makes definition of css styles for animations much easier.
A whitelist configured via $compileProvider
can be used to configure what URLs are considered safe.
By default all common protocol prefixes are whitelisted including data:
URIs with mime types image/*
.
This change shouldn't impact apps that don't contain malicious image links.
scope
propertyIf you declare a scope option on a directive, that directive will have an isolate scope. In Angular 1.0, if a directive with an isolate scope is used on an element, all directives on that same element have access to the same isolate scope. For example, say we have the following directives:
// This directive declares an isolate scope.
.directive('isolateScope', function() {
return {
scope: {},
link: function($scope) {
console.log('one = ' + $scope.$id);
}
};
})
// This directive does not.
.directive('nonIsolateScope', function() {
return {
link: function($scope) {
console.log('two = ' + $scope.$id);
}
};
});
Now what happens if we use both directives on the same element?
<div isolate-scope non-isolate-scope></div>
In Angular 1.0, the nonIsolateScope directive will have access to the isolateScope directive’s scope. The log statements will print the same id, because the scope is the same. But in Angular 1.2, the nonIsolateScope will not use the same scope as isolateScope. Instead, it will inherit the parent scope. The log statements will print different id’s.
If your code depends on the Angular 1.0 behavior (non-isolate directive needs to access state from within the isolate scope), change the isolate directive to use scope locals to pass these explicitly:
Before
<input ng-model="$parent.value" ng-isolate>
.directive('ngIsolate', function() {
return {
scope: {},
template: '{{value}}'
};
});
After
<input ng-model="value" ng-isolate>
.directive('ngIsolate', function() {
return {
scope: {value: '=ngModel'},
template: '{{value}}
};
});
See 909cabd3, #1924 and #2500.
Previously, the interpolation priority was -100
in 1.2.0-rc.2, and 100
before 1.2.0-rc.2.
Before this change the binding was setup in the post-linking phase.
Now the attribute interpolation (binding) executes as a directive with priority 100 and the binding is set up in the pre-linking phase.
See 79223eae, #4525, #4528, and #4649
Reverted: This breaking change has been reverted in 1.2.1, and so can be ignored if you're using version 1.2.1 or higher
This change introduces the notion of "private" properties (properties
whose names begin and/or end with an underscore) on the scope chain.
These properties will not be available to Angular expressions (i.e. {{
}} interpolation in templates and strings passed to $parse
) They are
freely available to JavaScript code (as before).
Motivation
Angular expressions execute in a limited context. They do not have
direct access to the global scope, window
, document
or the Function
constructor. However, they have direct access to names/properties on
the scope chain. It has been a long standing best practice to keep
sensitive APIs outside of the scope chain (in a closure or your
controller.) That's easier said that done for two reasons:
controller as
syntax that's now in increased usage exposes the
entire controller on the scope chain greatly increasing the exposed surface.Though Angular expressions are written and controlled by the developer, they:
This commit provides a way, via a naming convention, to allow restricting properties from controllers/scopes. This means Angular expressions can access only those properties that are actually needed by the expressions.
See 3d6a89e8.
Switching between select[single]
and select[multiple]
has always been odd due to browser quirks.
This feature never worked with two-way data-binding so it's not expected that anyone is using it.
If you are interested in properly adding this feature, please submit a pull request on Github.
See d87fa004.
AngularJS uses the Google Closure library's locale files. The following locales were removed from Closure, so Angular is not able to continue to support them:
chr
, cy
, el-polyton
, en-zz
, fr-rw
, fr-sn
, fr-td
, fr-tg
, haw
, it-ch
, ln-cg
,
mo
, ms-bn
, nl-aw
, nl-be
, pt-ao
, pt-gw
, pt-mz
, pt-st
, ro-md
, ru-md
, ru-ua
,
sr-cyrl-ba
, sr-cyrl-me
, sr-cyrl
, sr-latn-ba
, sr-latn-me
, sr-latn
, sr-rs
, sv-fi
,
sw-ke
, ta-lk
, tl-ph
, ur-in
, zh-hans-hk
, zh-hans-mo
, zh-hans-sg
, zh-hans
,
zh-hant-hk
, zh-hant-mo
, zh-hant-tw
, zh-hant
Although these locales were removed from the official AngularJS repository, you can continue to load and use your copy of the locale file provided that you maintain it yourself.
See 6382e21f.
Previously, the service constructor only returned objects regardless of whether a function was returned.
Now, $injector.instantiate
(and thus $provide.service
) behaves the same as the native
new
operator and allows functions to be returned as a service.
If using a JavaScript preprocessor it's quite possible when upgrading that services could start behaving incorrectly. Make sure your services return the correct type wanted.
Coffeescript example
myApp.service 'applicationSrvc', ->
@something = "value"
@someFunct = ->
"something else"
pre 1.2 this service would return the whole object as the service.
post 1.2 this service returns someFunct
as the value of the service
you would need to change this services to
myApp.service 'applicationSrvc', ->
@something = "value"
@someFunct = ->
"something else"
return
to continue to return the complete instance.
See c22adbf1.