This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

$processModelValue() cannot pass objects through $formatters properly #17019

Open

Description

I'm submitting a ...

  • regression from 1.7.0
  • security issue
  • issue caused by a new browser version
  • other: .

Current behavior:
Currently, the $setViewValue(value) function accepts objects as a value, but requires them to be an angular.copy of the previous object, since otherwise it will not detect the change (no deep comparison). This is expected and documented behaviour. The opposite function, however, $processModelValue(), cannot properly process a $modelValue which is an object (the end result of the $setViewValue(object) call above), even though it implicitly should. It improperly treats it as a simple type, and within the $$format() function makes the new $viewValue and $modelValue two references to the same object with properties, and therefore all $formatters also affect $modelValue where they should not, which affects $validators and causes them to fail where they should succeed.

This means that the $modelValue object is being stored directly from user input, circumventing parsers altogether, which is a security concern.

Expected behavior:
The $processModelValue() and consequently $$format() functions should properly detect if the $modelValue is an object, and ensure that formatters only act on a copy of the original $modelValue object, which copy the $$format() function should return.

Minimal reproduction of the problem with instructions:

AngularJS version: 1.7.9

Browser: should be affecting ALL browsers, explicitly observed in Chrome 81

Anything else:
Can be fixed by replacing line 1042 of the ngModel.js file:
From:
var viewValue = this.$modelValue;
To:
var viewValue = angular.copy(this.$modelValue);
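Added illustration of the reported behaviour (this is not AngularJS source and not the reporter's code): a minimal stand-in for an ngModelController whose $$format() runs $formatters in reverse order over the model value, exactly as the issue describes. With the original line (view value aliases $modelValue) a formatter that rewrites a field for display also rewrites the stored model, so the validator fails; with the proposed angular.copy line (modelled here by a plain deep-copy helper) the model is untouched and the validator passes. The controller shape, the maskForDisplay formatter, the hasRealSecret validator and the sample object are all constructed for this example.

```javascript
// Minimal stand-in for angular.copy(): deep-clone plain JSON-like data.
function deepCopy(value) {
  return value === undefined ? undefined : JSON.parse(JSON.stringify(value));
}

// Tiny ngModelController-like object (hypothetical shape, not the real one).
// useCopy=false reproduces the reported line; useCopy=true applies the fix.
function makeController(useCopy) {
  return {
    $modelValue: undefined,
    $viewValue: undefined,
    // Formatter that mutates the object it receives in place (masks a field
    // for display) and returns it, as formatters commonly do with objects.
    $formatters: [
      function maskForDisplay(v) {
        if (v && typeof v === 'object') v.secret = '***';
        return v;
      },
    ],
    // Validator: the stored model must still carry the real value,
    // i.e. formatting must not have leaked into $modelValue.
    $validators: {
      hasRealSecret: function (modelValue) {
        return !!modelValue && modelValue.secret !== '***';
      },
    },
    // Modelled after the $$format() flow described in the issue: start from
    // $modelValue, run formatters from last to first, store the result.
    $$format: function () {
      var viewValue = useCopy ? deepCopy(this.$modelValue) : this.$modelValue;
      var idx = this.$formatters.length;
      while (idx--) {
        viewValue = this.$formatters[idx](viewValue);
      }
      this.$viewValue = viewValue;
      return viewValue;
    },
    // Run every validator against the (post-format) $modelValue.
    $validate: function () {
      var ctrl = this;
      return Object.keys(this.$validators).every(function (name) {
        return ctrl.$validators[name](ctrl.$modelValue, ctrl.$viewValue);
      });
    },
  };
}

// Drive one scenario: assign an object model value, format it, validate it.
function runScenario(useCopy) {
  var ctrl = makeController(useCopy);
  ctrl.$modelValue = { user: 'alice', secret: 'hunter2' }; // constructed sample
  ctrl.$$format();
  return {
    modelSecret: ctrl.$modelValue.secret,   // what is actually stored
    viewSecret: ctrl.$viewValue.secret,     // what the view shows
    sameReference: ctrl.$viewValue === ctrl.$modelValue,
    valid: ctrl.$validate(),
  };
}

console.log('without copy:', runScenario(false));
// → { modelSecret: '***', viewSecret: '***', sameReference: true, valid: false }
console.log('with copy:   ', runScenario(true));
// → { modelSecret: 'hunter2', viewSecret: '***', sameReference: false, valid: true }
```

The sameReference flag is the check worth keeping in a regression test: as long as $$format() hands formatters the very object held in $modelValue, any in-place edit by a formatter silently becomes part of the model, which is why the validators in the report fail and why the stored object no longer reflects what the parsers produced.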
