How does angular escape bound values?

Question

Let's take this simple angular snippet:

<input type="text" ng-model="name" />
<p>Hello {{name}}</p>

If I enter the text <script>document.write("Hello World!");</script> it looks as this is not executed but displayed as is. But if have a look at the generated HTML I see the script tag without any escapes.

I expected to see the angular brackets as HTML escape characters. So how does angular make sure this code is not executed?

(See Plunker http://plnkr.co/DeUCP74RZSGE2ypLqyRY)

Possible duplicate of [AngularJS: Insert HTML from a string](http://stackoverflow.com/questions/14761724/angularjs-insert-html-from-a-string) — AncientSwordRage, Jul 19 '16 at 15:29
Check the [angular's $sce service](https://docs.angularjs.org/api/ng/service/$sce) — MMhunter, Jul 19 '16 at 15:29

score 3 · Accepted Answer · answered Jul 19 '16 at 15:28

It is actually html encoding it, which is why it isn't running. If you're using the chrome dev tools, it is showing them as regular angle brackets just for readability.

If you right click on the value and click "Edit as HTML", you'll see the content html encoded.

How does angular escape bound values?

1 Answers1