René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"$processModelValue() cannot pass objects through $formatters properly","articleBody":"\r\n**I'm submitting a ...**\r\n\u003c!-- (check one with \"x\") --\u003e\r\n- [ ] regression from 1.7.0\r\n- [X] security issue\r\n- [ ] issue caused by a new browser version\r\n- [ ] other: .\r\n\r\n**Current behavior:**\r\nCurrently, $setViewValue(value) function accepts objects as a value, but requires them to be a angular.copy of the previous object - since otherwise it will not detect the change (no deep comparison). This is expected and documented behaviour. The opposite function, however, $processModelValue() function cannot properly process the $modelValue which is an object (an end result of the $setViewValue(object) function above), even though it implicitly should. It improperly treats it as a simple type, and within the $$format() function makes new $viewValue and $modelValue be the two references to the same object with properties - and therefore all $formatters also affect $modelValue where they should not - which affects $validators and causes them to fail where they should succeed. \r\n\r\nThis means that $modelValue object is being stored directly from user input, circumventing parsers altogether - which is a security concern.\r\n\r\n**Expected behavior:**\r\nThe $processModelValue() and consequently $$format() functions should properly detect if the $modelValue is an object, and ensure that formatters only act on a copy of the original $modelValue object, which copy the $$format() function should return.\r\n\r\n**Minimal reproduction of the problem with instructions:**\r\n\r\n**AngularJS version:** 1.7.9\r\n\r\n**Browser:** should be affecting ALL browsers, explicitly observed in Chrome 81\r\n\r\n**Anything else:**\r\nCan be fixed by replacing the line 1042 of ngModel.js file:\r\nFrom:\r\n`var viewValue = this.$modelValue;`\r\nTo:\r\n`var viewValue = angular.copy(this.$modelValue);`\r\n","author":{"url":"https://github.com/alutsky","@type":"Person","name":"alutsky"},"datePublished":"2020-04-23T21:19:25.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/17019/angular.js/issues/17019"}