
I wish to escape the contents of the user-entered value, so they show up as HTML entities, i.e. `<` would show up in the HTML markup as `&lt;`. But I want to wrap the user-entered value with actual HTML. The idea is that I should be able to escape the user-entered value, yet still trust the HTML.

Here is my HTML snippet:

```html
<span ng-bind-html="trustHtml(notif.getConditionText())"></span>
```

Controller:

```javascript
// Marks the given string as trusted HTML so ng-bind-html renders it as markup.
$scope.trustHtml = function(html) {
    return $sce.trustAsHtml(html);
};
```

Notif:

```javascript
// Method on the notification object: wraps the user-entered name in markup.
getConditionText: function() {
    return "<b>" + $sanitize(this.name) + "</b>";
}
```

I'm looking for a function that would go in place of `$sanitize` that would escape the user-entered "name" property value, i.e. if they entered `Seattle <rocks>` it would output the HTML as `Seattle &lt;rocks&gt;`.

Anyone know of something like this for angular?

Note I am not trying to encode to URI entities, but HTML entities.

Steven M
  • 1
    possible duplicate of [Encode URL in JavaScript?](http://stackoverflow.com/questions/332872/encode-url-in-javascript) – xathien Mar 30 '15 at 21:39
  • So you just want to [escape HTML special characters](http://stackoverflow.com/questions/6234773/can-i-escape-html-special-chars-in-javascript)? – Blazemonger Mar 30 '15 at 21:42
  • possible duplicate of [Encode html entities in javascript](http://stackoverflow.com/questions/18749591/encode-html-entities-in-javascript) – Artyom Neustroev Mar 30 '15 at 21:42
  • 1
    Yes, that's what I'm looking for, but I am hoping for an "angular best practice" way of doing it. It seems like there should be something out there, what with the $sce and $sanitize providers – Steven M Mar 30 '15 at 21:44

1 Answer


Well, I found this: Convert special characters to HTML in Javascript

where you can write a function like:

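```javascript
function HtmlEncode(s)
{
  // Create a detached element that is never added to the page.
  var el = document.createElement("div");
  // Assign the value as plain text, not as markup.
  el.innerText = el.textContent = s;
  // Reading innerHTML returns the text serialized with entities.
  s = el.innerHTML;
  return s;
}
```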

and get it encoded. Now, I didn't find anything specific to AngularJS.

I hope it helps.

Community
  • I'm hesitant to use this due to potential XSS attacks injecting into the DOM... can anyone comment on its secure usage? – Steven M Apr 02 '15 at 16:06
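
An escaping helper for the question's `getConditionText()` that uses string replacement only, so the user-entered value is never handed to the DOM. This is an added example, not code from the thread or from AngularJS; the names `escapeHtml` and `conditionText` are hypothetical.

```javascript
// Added example: escapeHtml and conditionText are hypothetical names.
// Characters with special meaning in HTML text and quoted attribute values.
var HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;"
};

// Escape a user-entered value by string replacement: no element is created
// and nothing is parsed as markup.
function escapeHtml(value) {
  if (value === null || value === undefined) {
    return "";
  }
  return String(value).replace(/[&<>"']/g, function (ch) {
    return HTML_ENTITIES[ch];
  });
}

// Developer-written markup wraps the escaped user value, mirroring
// getConditionText() from the question.
function conditionText(name) {
  return "<b>" + escapeHtml(name) + "</b>";
}

// Constructed sample inputs.
var samples = ["Seattle <rocks>", 'Tom & "Jerry"', "</b><script>x</script>", null];
samples.forEach(function (s) {
  console.log(conditionText(s));
});
```

The returned string can be passed to `$sce.trustAsHtml` as in the question's controller. Escape once, at output time: escaping an already escaped value turns `&lt;` into `&amp;lt;`.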