Suppose I have -
$scope.trustAsHtml = $sce.trustAsHtml;
<p ng-bind-html="trustAsHtml(expression)"></p>
What does the trustAsHtml could check such that its expression wouldn't displayed as trust HTML ?
Please provide me some examples .
Asked
Active
Viewed 621 times
2
URL87
- 10,667
- 35
- 107
- 174
-
Show your controller code? – Sudharsan S Jun 11 '15 at 08:20
-
It doesn't matter , I just trying to understand the `trustAsHtml` behavior. – URL87 Jun 11 '15 at 08:22
1 Answers
2
Strict Contextual Escaping (SCE) is a mode in which AngularJS requires bindings in certain contexts to result in a value that is marked as safe to use for that context. One example of such a context is binding arbitrary html controlled by the user via ng-bind-html. We refer to these contexts as privileged or SCE contexts.
Note : If you use normal html using directly bind in html using ng-bind-html. if you have some special characters found in the html means i am suggested use $sce.trustAsHtml() and bind it
For example
That should be:
<div ng-bind-html="trustedHtml"></div>
plus in your controller:
$scope.html = '<span onmouseover="this.textContent="Explicitly trusted HTML bypasses sanitization."">Hover over this text.</span>';
$scope.trustedHtml = $sce.trustAsHtml($scope.html);
Sudharsan S
- 15,336
- 3
- 31
- 49
-
But as understood , the `trustedHtml ` also check whether the passed context is safe , so which expression could be unsafe here ? – URL87 Jun 11 '15 at 08:29
-
-
You indicated that you're using Angular 1.2.0... as one of the other comments indicated, ng-bind-html-unsafe has been deprecated. – Sudharsan S Jun 11 '15 at 08:33
-
-
But you want use directive http://stackoverflow.com/questions/18926306/angularjs-ng-bind-html-unsafe-replacement like this – Sudharsan S Jun 11 '15 at 08:34
-
You miss the point of my question , I ask - which `expression` content will be blocked by the directives you mentioned ? – URL87 Jun 11 '15 at 08:36