发表新帖
发表新帖

How do you use $sce.trustAsHtml(string) to replicate ng-bind-html-unsafe in Angular 1.2+

前端 未结
关注
10 1440
别跟我提以往
别跟我提以往 2020-11-22 03:51

ng-bind-html-unsafe was removed in Angular 1.2

I\'m trying to implement something where I need to use ng-bind-html-unsafe. In the docs and

相关标签:
10条回答
  • 旧巷少年郎
    2020-11-22 04:04

    var line = "<label onclick="alert(1)">aaa</label>";

    1. use filter

    app.filter('unsafe', function($sce) { return $sce.trustAsHtml; });

    using (html):

    <span ng-bind-html="line | unsafe"></span>
==>click `aaa` show alert box

    2. use ngSanitize : safer

    include angular-sanitize.js

    <script src="bower_components/angular-sanitize/angular-sanitize.js"></script>

    add ngSanitize in root angular app

    var app = angular.module("app", ["ngSanitize"]);

    using (html):

    <span ng-bind-html="line"></span>
==>click `aaa` nothing happen
    0 讨论(0)
  • 小蘑菇
    2020-11-22 04:06 
    $scope.trustAsHtml=function(scope)
{
    return $sce.trustAsHtml(scope);
}
<p class="card-text w-100" ng-bind-html="trustAsHtml(note.redoq_csd_product_lead_note)"></p>
    0 讨论(0)
  • 广开言路
    2020-11-22 04:12

    For Rails (at least in my case) if you are using the angularjs-rails gem, please remember to add the sanitize module

    //= require angular
//= require angular-sanitize

    And then load it up in your app...

    var myDummyApp = angular.module('myDummyApp', ['ngSanitize']);

    Then you can do the following:

    On the template:

    %span{"ng-bind-html"=>"phone_with_break(x)"}

    And eventually:

    $scope.phone_with_break = function (x) {
  if (x.phone != "") {
   return x.phone + "<br>";
  }
  return '';
}
    0 讨论(0)
  • 我寻月下人不归
    2020-11-22 04:14

    Personally I sanitize all my data with some PHP libraries before going into the database so there's no need for another XSS filter for me.

    From AngularJS 1.0.8

    directives.directive('ngBindHtmlUnsafe', [function() {
    return function(scope, element, attr) {
        element.addClass('ng-binding').data('$binding', attr.ngBindHtmlUnsafe);
        scope.$watch(attr.ngBindHtmlUnsafe, function ngBindHtmlUnsafeWatchAction(value) {
            element.html(value || '');
        });
    }
}]);

    To use:

    <div ng-bind-html-unsafe="group.description"></div>

    To disable $sce:

    app.config(['$sceProvider', function($sceProvider) {
    $sceProvider.enabled(false);
}]);
    0 讨论(0)
  • 北恋
    2020-11-22 04:15

    That should be:

    <div ng-bind-html="trustedHtml"></div>

    plus in your controller:

    $scope.html = '<ul><li>render me please</li></ul>';
$scope.trustedHtml = $sce.trustAsHtml($scope.html);

    instead of old syntax, where you could reference $scope.html variable directly:

    <div ng-bind-html-unsafe="html"></div>

    As several commenters pointed out, $sce has to be injected in the controller, otherwise you will get $sce undefined error.

     var myApp = angular.module('myApp',[]);

 myApp.controller('MyController', ['$sce', function($sce) {
    // ... [your code]
 }]);
    0 讨论(0)
  • 温柔的废话
    2020-11-22 04:18

    Filter

    app.filter('unsafe', function($sce) { return $sce.trustAsHtml; });

    Usage

    <ANY ng-bind-html="value | unsafe"></ANY>
    0 讨论(0)
 看不清?
提交回复
热议问题