I am using ngBindHtml to display some HTML from an (internal) CMS:

<span ng-bind-html="cmsHtml"></span>

The HTML contains a link with an id attribute:

"<a id='fsgPdfLink' href='http://blah/download.pdf' target='_blank'>Click here to download the PDF</a>"

However, I notice that the id attribute is removed by Angular before writing the link to the page, so what gets rendered is just:

<a href='http://blah/download.pdf' target='_blank'>Click here to download the PDF</a>

Looking at the source for the ngSanitize module, it seems that for some reason the id attribute is not on the list of valid attributes:

https://github.com/angular/angular.js/blob/master/src/ngSanitize/sanitize.js#L206

  1. What's the reason for not allowing the id attribute? Is it a security risk?
  2. I'd really like to continue to use ngBindHtml if possible. Is there an API where I can add safe tags to the sanitizer's list? Or do I have to edit the source myself to add this tag?
Mike Chamberlain
    I have not yet done binding HTML but in the research I've done it suggests using the $sce service, so I was going to use $sce.parseAsHtml, have you considered using that vs sanitize? – Brocco Apr 10 '14 at 05:49

1 Answer

To partially answer my own question, there doesn't seem to be an API to change the built-in whitelist, as described in this open issue:

https://github.com/angular/angular.js/issues/5900

Mike Chamberlain
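
The behaviour described in the question, as an added example that is not part of the original posts and is not ngSanitize's code: a simplified allowlist attribute filter, showing that an attribute is dropped simply because it is not on the list, and kept once a copy of the list includes it. The names `ALLOWED_ATTRS`, `URI_ATTRS`, `SAFE_URI`, `parseAttributes`, `escapeAttr` and `filterOpeningTag` are hypothetical, and the allowlist is a constructed subset, not the module's real one.

```javascript
// Added example: a simplified model of allowlist attribute filtering.
// Not ngSanitize's code; ALLOWED_ATTRS is a constructed subset, not its real list.
const ALLOWED_ATTRS = new Set(['href', 'target', 'title', 'class']);
const URI_ATTRS = new Set(['href']);
const SAFE_URI = /^(?:https?|mailto):/i; // assumption: absolute URLs only

// Split the inside of one opening tag into {name, value} pairs.
function parseAttributes(attrText) {
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  const attrs = [];
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

// Escape a value before writing it back inside double quotes.
function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
              .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Rebuild the tag from allowlisted attributes only; report what was dropped.
function filterOpeningTag(tagHtml, allowed = ALLOWED_ATTRS) {
  const m = /^<([a-zA-Z][a-zA-Z0-9]*)((?:\s[^<>]*)?)>$/.exec(tagHtml.trim());
  if (!m) throw new Error('expected exactly one opening tag'); // fail closed
  const kept = [];
  const dropped = [];
  for (const { name, value } of parseAttributes(m[2])) {
    // URI-valued attributes must also pass the scheme check.
    const uriOk = !URI_ATTRS.has(name) || SAFE_URI.test(value);
    if (allowed.has(name) && uriOk) kept.push(` ${name}="${escapeAttr(value)}"`);
    else dropped.push(name);
  }
  return { html: `<${m[1].toLowerCase()}${kept.join('')}>`, dropped };
}

// The link from the question (opening tag only).
const cmsTag = "<a id='fsgPdfLink' href='http://blah/download.pdf' target='_blank'>";
console.log(filterOpeningTag(cmsTag));
// A copy of the list with 'id' added keeps the attribute.
console.log(filterOpeningTag(cmsTag, new Set([...ALLOWED_ATTRS, 'id'])));
```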