ng-bind-html is empty

Question

I've put a JSfiddle here so you can see code that is actually working...

Unfortunately this does not work on my local machine even though everything else does (I have other angular code running fine).

On my local machine I only see my html in the output if i use..

ng-bind-html-unsafe="message.content"

instead of...

ng-bind-html="message.content"

So, on JSfiddle it works when I leave the "unsafe" off, but on my local machine the unsafe has to be there, which seems undesirable from a security point of view.

I am loading the same version of Angular and sanitize, in the same order and my code I think is identical, only the environment seems to be different.

Any ideas?

Maybe you forget to load the ngSanitize module? var myApp = angular.module('myApp',['ngSanitize']); — asgoth, Dec 26 '12 at 21:53
One other thing. ngSanitize is in a different javascript file. Did you load it in your page? — asgoth, Dec 26 '12 at 21:55
Yep, it's loaded and working, otherwise the unsafe version wouldn't work. It only stops working (blank output) when I remove the -unsafe — jonhobbs, Dec 26 '12 at 22:02
Yes, the div is rendered but empty as in your example. I see you changed ngSanitize to just ng when injecting into the module. Mine is correct however, I copied and pasted directly from the working fiddle. — jonhobbs, Dec 26 '12 at 22:15
Did you load angular-sanitize.js in the correct order (after angular.js)? — asgoth, Dec 26 '12 at 22:18
Yeah, version 1.0.3 from google APIs, followed by sanitize version 1.0.3 from the same source, followed by my local file javascript/controllers.js — jonhobbs, Dec 26 '12 at 22:22
Like I say, I think it's all being loaded correctly because it works when i use -unsafe. The safe version produces an empty div tag though. — jonhobbs, Dec 26 '12 at 22:23
let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/21734/discussion-between-asgoth-and-jonhobbs) — asgoth, Dec 26 '12 at 22:30

score 5 · Accepted Answer · answered Dec 26 '12 at 22:42

5

You need to add your module to ng-app:

<html ng-app='myApp'>
...

If you don't specify this, angular will only load module 'ng', not ng-sanitize. ng-bind-unsafe is in module ng, not ng-sanitize, which is why this accidently worked.

answered Dec 26 '12 at 22:42

asgoth

35,552
12
89
98

Thank you asgoth, and thanks for taking the time to help me in the chat room :) – jonhobbs Dec 26 '12 at 22:44

score 0 · Answer 2 · edited May 23 '17 at 11:58

0

Apparently in new version of AngularJS 1.2+ they change it, since then you have to use trustAsHtml() method to disable Html escaping.

Solution can be find here

edited May 23 '17 at 11:58

Community

1
1

answered Jun 02 '15 at 11:03

mrosiak

2,547
1
14
7

ng-bind-html is empty

2 Answers2