Ng-News 25/49: Signal Forms & @angular/aria
Source: Dev.to
Signal Forms at Angular Q&A
The December edition of the Angular Q&A session featured three members of the Angular team—Mark Thompson, Jeremy Elbourn, and Kirill Cherkashin—and focused mainly on Signal Forms.
Signal Forms were released in v21 as experimental. Kirill noted that he doesn’t expect huge changes for Signal Forms and that feedback so far has been about edge cases. He also mentioned that Signal Forms are already used inside internal Google applications, but because of the experimental status, not all edge cases have been accounted for, and the team may introduce breaking changes.
Other questions covered advanced features for the DateTimePicker in Angular Material. Jeremy explained that there are issues with different locales and that these features will eventually require the Temporal API to land in browsers.
A question about selector‑less components—using a component’s class name instead of its selector in templates—was answered: selector‑less is currently down‑prioritized due to the team’s focus on AI work.
Signal Forms at Angular Air
Angular Air hosted a podcast where Sander Elias gave an overview of Signal Forms. He presented a complex “kitchen‑sink” forms example, and the source code for his example is available.
@angular/aria at Angular Air
Wagner Maciel from the Angular team appeared on Angular Air to discuss @angular/aria, which was also released in Angular 21.
@angular/aria is a set of headless (completely unstyled) accessibility primitives. It provides roles such as combobox, menu, and grid, taking responsibility for implementing accessibility behind those roles.
A notable feature is that @angular/aria can be used outside of Angular, provided the framework supports Signals. Currently, it is used in Google’s internal framework Wiz.
Angular Material is unlikely to be directly based on @angular/aria; instead, new Angular Material components will probably be built using @angular/aria under the hood.
PrimeNG 21
PrimeNG was released for Angular 21, bringing more than just dependency updates. According to the changelog, it now:
- Supports zoneless operation
- Provides an easy way to pass through properties to the underlying DOM element (e.g., aria-* or data-* prefixes)
- Introduces unstyled components, similar to what Angular CDK offers
Earlier plans for a second edition called PrimeNgx have been dropped, with the focus now fully on PrimeNG itself.
PrimeNG v21 discussion on Reddit
Security Advisories
XSRF Token Leak Scenario
When using HttpClient to send a request, Angular checks whether the request targets the same origin as the application. For relative URLs, HttpClient automatically adds an XSRF token to the request headers so the server can verify that the request originated from the user.
A reported issue caused this token to leak because protocol‑relative URLs (starting with //) were incorrectly treated as internal relative URLs. Angular versions 19, 20, and 21 have been patched.
GitHub Advisory GHSA-58c5-g7wp-6w37
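The classification mistake described above can be checked for in your own request code. The following is an added example, not Angular's source and not part of the original article: it contrasts a scheme-only "is this relative?" test with an origin comparison based on the standard URL API, and lists request URLs where the two disagree. The origin, the function names and the sample URLs are constructed assumptions.

```javascript
// Added example, not Angular's implementation. APP_ORIGIN and sampleUrls are constructed.
const APP_ORIGIN = 'https://app.example.test';

// Flawed classification in the spirit of the advisory: any URL without an
// explicit http(s) scheme is assumed to be relative and therefore same-origin.
function looksRelativeNaive(url) {
  return !/^https?:\/\//i.test(url);
}

// Stricter classification: resolve the URL the way a browser would,
// then compare the resulting origin with the application's origin.
function isSameOrigin(url, appOrigin = APP_ORIGIN) {
  try {
    return new URL(url, appOrigin).origin === new URL(appOrigin).origin;
  } catch {
    return false; // unparsable URL: never attach the token
  }
}

// Audit helper: URLs that the naive check would attach the XSRF token to,
// although they resolve to a different origin.
function findTokenLeakCandidates(urls, appOrigin = APP_ORIGIN) {
  return urls.filter((u) => looksRelativeNaive(u) && !isSameOrigin(u, appOrigin));
}

// Constructed request URLs, as they might appear in HttpClient calls.
const sampleUrls = [
  '/api/orders',                          // path-relative, same origin
  'api/orders?id=7',                      // relative, same origin
  '//cdn.example.net/collect',            // protocol-relative, different origin
  'https://app.example.test/api/profile', // absolute, same origin
  'https://other.example.org/hook',       // absolute, different origin
  '//app.example.test/api/orders',        // protocol-relative, same origin
];

console.log(findTokenLeakCandidates(sampleUrls));
```

Running the audit over the URLs an application actually requests shows which calls depended on the faulty classification before upgrading to a patched release.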
XSS Vulnerability via Templates
Another security issue was discovered in the Angular template system: certain SVG attributes bypassed sanitization, potentially allowing attackers to inject malicious JavaScript. This vulnerability has been resolved in all currently supported major versions (19, 20, and 21).