We got a full Q&A with the Angular team, a detailed look at Signal Forms, and an hour-long AngularAir episode on @angular/aria. PrimeNg also released its Angular 21 version.
Signal Forms at Angular Q&A
The December edition of the Angular Q&A session took place. This time, we had three members of the Angular team: Mark Thompson, Jeremy Elbourn, and Kirill Cherkashin, and the episode was mainly about Signal Forms.
Signal Forms were released in v21 as experimental. Kirill doesn't expect huge changes for Signal Forms and said the feedback so far was more about edge cases.
Kirill also mentioned that Signal Forms are already used inside internal Google applications, and he pointed out that due to the experimental status, not all edge cases have been accounted for. The team is allowed to introduce breaking changes.
Other questions were about more advanced features for the DateTimePicker in Angular Material. Jeremy said that there are issues with different locales and that these features require the Temporal API to eventually land in the browser.
Another question was about the status of selectorless components. This feature would allow us to use the class name of a component instead of its selector in the template.
Selectorless is currently down-prioritized because of the AI work the team is doing right now.
Signal Forms at Angular Air
Another very interesting podcast on Signal Forms happened at Angular Air, where Sander Elias gave an overview. He prepared quite a complicated forms example - you could actually call it a "kitchen-sink". The source code for his example is also available.
@angular/aria at Angular Air
Angular Air also hosted Wagner Maciel from the Angular team. Wagner is behind @angular/aria, which was also released in Angular 21.
He gave the following explanation of what @angular/aria is all about:
@angular/aria is a set of headless - meaning like completely unstyled - accessibility primitives. There's a role combobox, there's a role menu, a role grid... We want to take the responsibility of implementing the accessibility behind those rules.
A special feature is that @angular/aria can also be used outside of Angular, given that the framework supports Signals. At the moment, they are only using it in Google’s internal framework Wiz.
Angular Material will probably not be based on @angular/aria. It is more likely that new components in Angular Material will be built by using @angular/aria under the hood.
PrimeNg 21
PrimeNG was also released for Angular 21, and it is not just an update of dependencies. The change log says that it now
- supports zoneless,
- provides an easy way to pass through properties to the underlying DOM element (like aria-* or data-* prefixes), and
- introduces unstyled components, which seem similar to what Angular CDK offers.
Earlier this year, there were plans to release a second edition called PrimeNgx. These plans have been dropped, and the focus is now fully on PrimeNg itself.
https://www.reddit.com/r/Angular2/comments/1pdxkom/primeng_v21_has_landed_with_aiready_docs_pt
Security Advisories
And we also got two new security issues which have already been fixed.
XSRF Token Leak Scenario
When using the HttpClient to send a request, Angular performs an internal check to see if the request targets the same origin where the application is served. If the request uses a relative URL, the HttpClient automatically adds an XSRF token to the request headers so the server can verify that the request originated explicitly from the user.
In the reported security issue, this token was leaked because protocol-relative URLs (starting with //) were incorrectly treated as internal relative URLs. Angular versions 19, 20, and 21 have already been patched.
https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37
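The misclassification described above, as an added example (not Angular's HttpClient code and not the patch from the advisory): a prefix-based check treats a URL starting with // as relative, while resolving the URL against the application origin and comparing origins does not. APP_ORIGIN, the header name used here, the function names and the sample URLs are assumptions made for the illustration.

```javascript
// Added illustration, not Angular's source. All values below are constructed.
const APP_ORIGIN = 'https://app.example';
const XSRF_HEADER = 'X-XSRF-TOKEN';
const SAMPLE_URLS = [
  '/api/items',                     // relative path
  'api/items',                      // relative path without leading slash
  'https://app.example/api/items',  // absolute, same origin
  '//other.example/collect',        // protocol-relative: a different host
  'https://other.example/collect',  // absolute, different origin
];

// Flawed classification: anything without an explicit http(s) scheme is
// assumed to be a relative URL on the application's own origin.
function isSameOriginNaive(url) {
  if (/^https?:\/\//i.test(url)) return url.startsWith(APP_ORIGIN + '/');
  return true;
}

// Hardened classification: resolve the URL against the application origin
// (as the browser does when sending it), then compare origins.
// Input that cannot be parsed never receives the token.
function isSameOriginStrict(url) {
  try {
    return new URL(url, APP_ORIGIN).origin === new URL(APP_ORIGIN).origin;
  } catch {
    return false;
  }
}

// Builds request headers, attaching the token only when the supplied
// predicate classifies the target as same-origin.
function buildHeaders(url, token, isSameOrigin) {
  const headers = { 'Content-Type': 'application/json' };
  if (isSameOrigin(url)) headers[XSRF_HEADER] = token;
  return headers;
}

// For each sample URL, reports whether each check would send the token.
function compareChecks(urls, token = 'constructed-token') {
  return urls.map((url) => ({
    url,
    naive: XSRF_HEADER in buildHeaders(url, token, isSameOriginNaive),
    strict: XSRF_HEADER in buildHeaders(url, token, isSameOriginStrict),
  }));
}

console.table(compareChecks(SAMPLE_URLS));
```

The two checks disagree only on the //other.example/collect row, which makes it a useful regression test for any custom interceptor that decides where a token or credential header may be sent.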
XSS Vulnerability via Templates
Another security issue was found in the Angular template system. Certain attributes in SVG bypassed the sanitization check, which means attackers could potentially add malicious JavaScript code.
That issue has also been resolved in all main versions currently supported for security updates: 19, 20, and 21.
https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
Top comments (1)
Thanks for sharing and putting together