
I need to accept HTML input (a template) from the user. I then need to compile it using AngularJS's $interpolate function. So when I get the HTML from the user, I do this:

let $interpolate = this.$injector.get('$interpolate');
let $sanitize = this.$injector.get('$sanitize');
// sanitize the user-supplied template, then interpolate it against params
let html = $sanitize(toReturnStyles.cellTemplate);
let el = $interpolate(html)(params);

Then I checked by adding , and I was good: the alert didn't work. But then I put the following code in the input box and I saw alerts.

{{constructor.constructor('alert(1)')()}}

Please help me implement this use case correctly.

Ganesh Nemade
  • Which version of AngularJS are you using? The sandbox was removed with V1.6. For more information, see [AngularJS Blog - Angular 1.6 - Expression Sandbox Removal](https://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html). [Also](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs). – georgeawg May 31 '18 at 22:27
  • I am using version 1.6.7 – Ganesh Nemade May 31 '18 at 23:02

0 Answers
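The following is an added example, not code from the question or from AngularJS. It models the question's sanitize-then-interpolate flow in plain Node so the failure and two fixes can be run offline. `sanitizeHtml` and `interpolate` are small stand-ins (assumptions) for $sanitize and for $interpolate after the 1.6 sandbox removal, not AngularJS's own implementation; `PAYLOAD` is a constructed input that swaps the question's `alert(1)` for a harmless body so it runs outside a browser. The `{{'{{'}}` escape relies on the expression parser evaluating `'{{'` as a string literal, which AngularJS's $parse does.

```javascript
// Added example modelling the question's flow; the two helpers below are
// stand-ins for $sanitize and $interpolate (assumptions, not AngularJS code).

const START = '{{';

// Stand-in for $sanitize: drops <script> elements and inline on* handlers.
// Like the real sanitizer, it has no idea that {{ }} means anything.
function sanitizeHtml(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Stand-in for $interpolate(template)(params): every {{expr}} is evaluated as
// JavaScript with `params` as the scope, which is the 1.6+ situation the
// comments describe (no expression sandbox). `constructor.constructor` inside
// `with (scope)` resolves to Function, exactly the path the payload takes.
function interpolate(template, params) {
  return template.replace(/\{\{([\s\S]*?)\}\}/g, (_match, expr) =>
    String(new Function('scope', `with (scope) { return (${expr}); }`)(params))
  );
}

// 1. The flow from the question. Sanitizing removes script/event-handler
//    markup but leaves {{ }} intact, so the template engine runs the payload.
function renderUserTemplate(userHtml, params) {
  return interpolate(sanitizeHtml(userHtml), params);
}

// 2. Mitigation A: neutralise the delimiters before interpolating. Each `{{`
//    in user text becomes the expression {{'{{'}}, which evaluates to the
//    literal string "{{". The text between escapes then contains no start
//    symbol and is never parsed as an expression.
function escapeInterpolation(text) {
  return text.split(START).join("{{'{{'}}");
}
function renderEscaped(userHtml, params) {
  return interpolate(escapeInterpolation(sanitizeHtml(userHtml)), params);
}

// 3. Mitigation B (preferred): the template is developer-authored and user
//    content only enters through params. The value an expression returns is
//    inserted as-is and is not re-scanned for {{ }}.
const CELL_TEMPLATE = '<td class="cell">{{cellHtml}}</td>';
function renderCellFromData(userHtml, params) {
  return interpolate(CELL_TEMPLATE, { ...params, cellHtml: sanitizeHtml(userHtml) });
}

// Constructed sample input: the question's payload with a harmless body
// (alert() does not exist in Node).
const PAYLOAD = "<b>{{constructor.constructor('return 6*7')()}}</b>";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderUserTemplate(PAYLOAD, {}));   // the expression ran: <b>42</b>
  console.log(renderEscaped(PAYLOAD, {}));        // the payload, verbatim, as text
  console.log(renderCellFromData(PAYLOAD, {}));   // payload as data inside the cell
}
```

Mitigation A only covers one pass through the template engine: if the interpolated string is later inserted into the DOM and run through $compile, the literal `{{` in the text nodes is live again, so the escape has to be applied before every pass. Mitigation B sidesteps that by never treating user input as a template; in AngularJS terms, bind the user's HTML as data (for example with ng-bind-html, which sanitizes when ngSanitize is loaded) rather than handing it to $interpolate.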