
Hello,

I'm working on a response system.

((1) works) So basically, when someone inputs, let's say, "Coleus bluei" in the input field, the data goes to a database, which checks what the output for that is; in that case it is pure HTML containing the plant information, and it works perfectly...

((2) fails) Now, in other cases, let's say when the input is "facebook", the output in the database is JavaScript code, which is supposed to redirect the user directly to Facebook, and in that case Angular includes the JavaScript code without any problem, but it won't work.

I'm binding the data like this:

<div ng-bind-html="eirana_knows.posicion_superior | unsafe"></div>

and here's the application filter "unsafe":

app.filter('unsafe', function($sce) { return $sce.trustAsHtml; });

I've seen as well that, for some reason, Angular will execute JavaScript code embedded inside an HTML structure, such as:

<a onmouseover="alert('This works fine')" href="">works</a>

But on the other hand:

<script type="text/javascript">alert('This will not work');</script>

I'm using Angular 1.5.7 and Angular Sanitize 1.4.8, from the CDN:

<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.5.7/angular.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular-sanitize.js"></script>

Module properly loaded into the Angular app:

var app = angular.module('resonador', ['ngSanitize']);

Chris Russo
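The difference between the two snippets in the question comes from how `ng-bind-html` writes the string: it assigns it to `innerHTML`, and the HTML specification says that `<script>` elements inserted that way are not executed, while an event-handler attribute such as `onmouseover` is live as soon as the element is in the DOM. The `unsafe` filter above turns off exactly the sanitizing step that would have removed both. As an added example (not code from the question or from AngularJS), here is a minimal allowlist sanitizer in plain Node.js that does roughly what ngSanitize does to such a string and reports what it removed; the tag and attribute allowlists and the URL policy are assumptions chosen for the example.

```javascript
// Added example, not code from the question or from AngularJS: a minimal
// allowlist sanitizer in plain Node.js. It does roughly what ngSanitize does
// and what the `unsafe` filter above disables. The allowlists and the URL
// policy are assumptions chosen for this example.

const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'div', 'span', 'ul', 'ol', 'li', 'br', 'h2']);
const ALLOWED_ATTRS = new Set(['href', 'title', 'class']);
// Assumed URL policy: http(s), mailto, relative paths and fragments only; any other scheme is rejected.
const SAFE_URL = /^(?:https?:\/\/|mailto:|\/|#|[^:]*$)/i;
// Matches one tag. Attribute values containing '>' are not handled; a real sanitizer uses an HTML parser.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(\/?)>/g;
// Matches one attribute: name, then an optional "..." / '...' / bare value.
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Decode the entity forms of a URL and drop the control characters and
// whitespace browsers ignore inside a scheme, so "java&#x09;script&#58;"
// is seen as "javascript:" before the policy check.
function normalizeUrl(value) {
  const decoded = value
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(Math.min(parseInt(h, 16), 0x10ffff)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Math.min(Number(d), 0x10ffff)))
    .replace(/&colon;/gi, ':');
  return decoded.replace(/[\u0000-\u0020]/g, '');
}

function sanitizeAttrs(raw, findings) {
  let out = '';
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name.startsWith('on')) {            // onclick, onmouseover, onerror, ...
      findings.push(`event handler attribute: ${name}`);
      continue;
    }
    if (!ALLOWED_ATTRS.has(name)) {
      findings.push(`attribute dropped: ${name}`);
      continue;
    }
    if (name === 'href' && !SAFE_URL.test(normalizeUrl(value))) {
      findings.push(`unsafe URL in href: ${value}`);
      continue;
    }
    out += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return out;
}

// Returns the cleaned markup plus a list of what was removed, so the same
// function doubles as an audit of what a database row would have injected.
function sanitizeHtml(html) {
  const findings = [];
  // script and style elements go together with their content.
  let out = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, (_, tag) => {
    findings.push(`${tag.toLowerCase()} element removed`);
    return '';
  });
  out = out.replace(TAG_RE, (_, close, tag, attrs, selfClose) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      findings.push(`tag dropped: ${name}`);
      return '';
    }
    if (close) return `</${name}>`;
    return `<${name}${sanitizeAttrs(attrs, findings)}${selfClose ? ' /' : ''}>`;
  });
  return { html: out, findings };
}

// The two snippets from the question, run through the sanitizer.
for (const sample of [
  '<a onmouseover="alert(\'This works fine\')" href="">works</a>',
  '<script type="text/javascript">alert(\'This will not work\');</script>',
]) {
  console.log(JSON.stringify(sanitizeHtml(sample)));
}
```

In the AngularJS app on the page the equivalent is to drop the `unsafe` filter and let `ngSanitize` handle `ng-bind-html`, or to run the string through `$sanitize` before `$sce.trustAsHtml`. Note also that the two CDN tags load core 1.5.7 and sanitize 1.4.8; the module versions are expected to match, and that is the first thing to check.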
  • This looks like a duplicate: http://stackoverflow.com/questions/20297638/call-function-inside-sce-trustashtml-string-in-angular-js – Todd Miller Aug 15 '16 at 21:08
  • Yes sir! Seems like it might work! 1,000 thanks! – Chris Russo Aug 16 '16 at 10:56
  • No sir... can't make it work with plain Javascript. – Chris Russo Aug 16 '16 at 11:53
  • It might not work at all. It's pretty dangerous to allow dynamically inserted JavaScript to execute on a page. – Todd Miller Aug 16 '16 at 12:47
  • Well, the content is actually in the database, so, if they can insert the content into the database in the first place... – Chris Russo Aug 16 '16 at 12:56
  • But inserting text into a database isn't the same as executing random javascript on the page. You may be able to get this to work, but I would highly advise against it. Anyone who can insert into that database can insert _any_ javascript code and you will just execute it? You're asking for trouble.... – Todd Miller Aug 16 '16 at 12:58
  • lol, I work in IT security, and, on the other hand, that table is reserved to the owners of the application, so, in any case, yes, I do understand the risk of inserting JS into the database and then parsing it, but it's the same as inserting it into the HTML, except that I need more than 3,000,000 different structures... on the other hand, I just thought I could make some standard models and include only instructions in the DB... might make more sense. – Chris Russo Aug 16 '16 at 13:54
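The design floated in the last comment, standard models in the application and only instructions in the database, is the one that keeps database content out of the script context entirely. As an added example (not from the thread and not project code), here is how a front end could interpret such rows in plain Node.js: a row is either a template name plus parameters, which the app renders with escaping, or a redirect target, which is parsed and checked against a host allowlist before anything navigates. The row shapes, the template and the allowlisted hosts are assumptions constructed for the example.

```javascript
// Added example, not from the thread: database rows carry instructions and
// data, never markup or code; the application owns the templates and the
// redirect policy. Row shapes, the template and the host list are assumptions.

// Constructed allowlist of hosts the app is willing to redirect to.
const REDIRECT_HOSTS = new Set(['www.facebook.com', 'facebook.com']);

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Templates live in the application, so the markup never comes from the database.
const TEMPLATES = {
  plant: (p) => `<div class="plant"><h2>${escapeHtml(p.name)}</h2><p>${escapeHtml(p.description)}</p></div>`,
};

// Turns one row into a plan the view layer can act on, or a rejection.
function planResponse(row) {
  switch (row.kind) {
    case 'template': {
      const render = TEMPLATES[row.template];
      if (!render) return { action: 'reject', reason: `unknown template: ${row.template}` };
      return { action: 'render', html: render(row.params || {}) };
    }
    case 'redirect': {
      let url;
      try { url = new URL(row.target); } catch { return { action: 'reject', reason: 'unparseable target' }; }
      if (url.protocol !== 'https:') return { action: 'reject', reason: `scheme not allowed: ${url.protocol}` };
      if (!REDIRECT_HOSTS.has(url.hostname)) return { action: 'reject', reason: `host not allowed: ${url.hostname}` };
      return { action: 'redirect', url: url.href };
    }
    default:
      return { action: 'reject', reason: `unknown kind: ${row.kind}` };
  }
}

// Constructed rows standing in for database content, including one that was
// tampered with so that a stored "target" carries a javascript: URL.
const ROWS = {
  'Coleus bluei': {
    kind: 'template', template: 'plant',
    params: { name: 'Coleus bluei', description: 'Shade-tolerant <b>foliage</b> plant' },
  },
  facebook: { kind: 'redirect', target: 'https://www.facebook.com/' },
  tampered: { kind: 'redirect', target: 'javascript:alert(1)' },
};

function respond(input) {
  const row = ROWS[input];
  if (!row) return { action: 'reject', reason: 'no entry' };
  return planResponse(row);
}

for (const input of ['Coleus bluei', 'facebook', 'tampered', 'nothing']) {
  console.log(input, '=>', JSON.stringify(respond(input)));
}
```

In the AngularJS controller, a `redirect` plan becomes `$window.location.assign(plan.url)` and a `render` plan is bound with `ng-bind-html`; because that markup is built by the application from escaped parameters, trusting it with `$sce.trustAsHtml` no longer hands database content to the page.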

0 Answers