0

I'm new to web dev. I'm using AngularJS 1.3.0. When I try using {{ things[0].embed }} to insert the embedded source video link from my database, nothing is displayed, but hardcoding the link, for example "//www.youtube.com/embed/wZZ7oFKsKzY", works. Is there something that I'm missing? Am I misusing the scope somehow? Here's another example of what I'm trying to do. If you replace the {{thing[0].embed}} with the youtube link, it works. Why doesn't it replace the {{thing[0].embed}} with the link? http://plnkr.co/edit/Udml7NIyWcUuMtYGDXNc?p=preview

//myCore.js

var coreControl = angular.module('myCore', []);

function mainController($scope, $http) {
    $scope.formData = {};

    $http.get('*')
        .success(function(data) {
            $scope.things = data;
            console.log(data);
        })
        .error(function(data) {
            console.log('Error: ' + data);
        });

    $scope.doThings = function() {
        $http.post('*', $scope.formData)
            .success(function(data) {
                $scope.formData = {};
                $scope.things   = data;
                console.log(data);
            })
            .error(function(data) {
                console.log('Error: ' + data);
            });
    };
}

//index.html  
<div ng-if="moves.length==1" class="col-sm-4 col-sm-offset-4">
        <h1> {{ things[0].name }} </h1>
        <iframe width="560" height="315" ng-src="{{ things[0].embed }}" frameborder="0" allowfullscreen></iframe>

        {{ things[0].embed }}
</div>
Soubriquet
  • 3,100
  • 10
  • 37
  • 52
  • You cannot write html directly to a view without sanitizing it first. Check this related question http://stackoverflow.com/questions/9381926/insert-html-into-view-using-angularjs – Joel Jeske May 30 '14 at 16:09
  • Why does hardcoding the link work then? – Soubriquet May 30 '14 at 16:41

2 Answers2

2

I know I joined the party late (again), but there you go:

Strict Conceptual Escaping (SCE) is an important concept in Angular should not be taken light-heartedly (if you care about the security of your app).

It is important to understand wht it means and what are the implications and dangers in calling $sce.trustAs...().

This answer gives a little insight on what is SCE and why does Angular treat resources (such as URLs) the way it does.
That answer explains the importance of client-side sanitization (this is what you by-pass by calling $sce.trustAs...() unless you are 100% sure that you can trust it).

That said, there might be better (read "safer and more maintainable") ways to achieve the same result.

E.g. $sceDelegateProvider (which is used by the $sce service to decide what is secure and what isn't) provides methods to white-list/black-list resources using string-matching (with optional wildcards) or regular expressions (not recommended).
For more info on how to populate your white-/black-list take a look here.

E.g. if you want your application to allow links from www.youtube.com, you can define your white-list like this:

.config(function ($sceDelegateProvider) {
    $sceDelegateProvider.resourceUrlWhitelist([
        'self',   // trust all resources from the same origin
        '*://www.youtube.com/**'   // trust all resources from `www.youtube.com`
    ]);
});

See, also, this updated demo.

Community
  • 1
  • 1
gkalpak
  • 47,844
  • 8
  • 105
  • 118
1

Your updated plunker

You must explicitly direct angular to trust content that could otherwise provide security holes for xss attacks. That is what the

$sce.trustResourceAsUrl()

function call is for.

Joel Jeske
  • 1,618
  • 14
  • 17
  • A little correction: `ngSrc` is **not** meant for `` elements only. It is meant for **any** element that has a `src` attribute. – gkalpak May 30 '14 at 19:40
  • Currently my control.js looks like the following: http://plnkr.co/edit/gLNzn1MxFRtGGzCIG7Ge?p=catalogue Does it matter if I have my function as a callback or not? When I tried making my function the second parameter, it didn't work. – Soubriquet May 30 '14 at 22:47
  • I dont know what callback you are talking about. Are you talking about the promises? – Joel Jeske May 30 '14 at 23:48
  • I'm not familiar with what a promise is. I'm referring to the function that is in the parameter of controller("ctrl", function....) in your plunker example. Could you take a look at the plunker code I posted above you comment? I'm not sure why my $sce.trustAsResourceUrl code doesn't work here. – Soubriquet May 31 '14 at 04:35
  • Never mind. I'm really new to this web dev stuff and AngularJS. I just got it to work. I was toying around with my code and added another controller function to do the $sce for my embedded link and then set that function as the ng-controller for the div I wanted. Thanks for all the help! :D – Soubriquet May 31 '14 at 04:58
  • "Plunk not found" - just me or this this link dead? – Brendan Oct 20 '14 at 14:38