Questions tagged [angularjs-sce]

Strict Contextual Escaping (SCE) is a mode in which AngularJS requires bindings in certain contexts to result in a value that is marked as safe to use for that context. One example of such a context is binding arbitrary html controlled by the user via ng-bind-html. We refer to these contexts as privileged or SCE contexts.

As of version 1.2, Angular ships with SCE enabled by default.

Note: When enabled (the default), IE<11 in quirks mode is not supported. In this mode, IE<11 allow one to execute arbitrary javascript by the use of the expression() syntax. Refer to learn more about them. You can ensure your document is in standards mode and not quirks mode by adding to the top of your HTML document.

SCE assists in writing code in way that (a) is secure by default and (b) makes auditing for security vulnerabilities such as XSS, clickjacking, etc. a lot easier.

Here's an example of a binding in a privileged context:

<input ng-model="userHtml" aria-label="User input">
<div ng-bind-html="userHtml"></div>

Notice that ng-bind-html is bound to userHtml controlled by the user. With SCE disabled, this application allows the user to render arbitrary HTML into the DIV. In a more realistic example, one may be rendering user comments, blog articles, etc. via bindings. (HTML is just one example of a context where rendering user controlled input creates security vulnerabilities.)

For the case of HTML, you might use a library, either on the client side, or on the server side, to sanitize unsafe HTML before binding to the value and rendering it in the document.

How would you ensure that every place that used these types of bindings was bound to a value that was sanitized by your library (or returned as safe for rendering by your server?) How can you ensure that you didn't accidentally delete the line that sanitized the value, or renamed some properties/fields and forgot to update the binding to the sanitized value?

To be secure by default, you want to ensure that any such bindings are disallowed unless you can determine that something explicitly says it's safe to use a value for binding in that context. You can then audit your code (a simple grep would do) to ensure that this is only done for those values that you can easily tell are safe - because they were received from your server, sanitized by your library, etc. You can organize your codebase to help with this - perhaps allowing only the files in a specific directory to do this. Ensuring that the internal API exposed by that code doesn't markup arbitrary values as safe then becomes a more manageable task.

In the case of AngularJS' SCE service, one uses $sce.trustAs (and shorthand methods such as $sce.trustAsHtml, etc.) to obtain values that will be accepted by SCE / privileged contexts.

10 questions

votes

4 answers

Make a web page with a folder of external files

Previously, I used $sce.trustAsHtml(aString) to inject a string (eg, ...) to a template

to display a graph when loading a generated URL: .state('urls', { url: '/urls/{id}', template: '

asked Mar 03 '17 at 01:48

SoftTimur

5,630
38
140
292

votes

1 answer

Why should we use $sce.trustAsResourceUrl(iframeUrl)?

I am new to AngularJS. I tried binding iframe src with Angular controller. html: controller js: $scope.iframeUrl = function(){ return "http://www.google.co.in"; }; This doesn't…

javascript angularjs angularjs-sce

asked Jan 13 '16 at 06:18

Sayuj

7,464
13
59
76

votes

1 answer

inserting iframe from trusted source in AngularJS

Trying to use ng-bind-html to insert iframe into page with AngularJS & I can't get it to work it on even the simplest form. Javascript function Ctrl($scope) { $scope.showIt = ''; } My HTML:

javascript angularjs iframe ng-bind-html angularjs-sce

asked Jan 20 '15 at 17:01

Amidude

votes

0 answers

AngularJS issue: $sce:insecurl despite $sce.trustAsResourceUrl

I have a set-up using templates from my CDN, that usually works fine but periodically I get this error: ng-error: Error: [$sce:insecurl]…

angularjs cdn angularjs-templates angularjs-sce

asked Mar 26 '19 at 17:29

MalcolmOcean

2,807
2
29
38

votes

0 answers

How to completly disable angular html escape (app wide)?

I have tried this : angular.module('dashboard').config(['$ocLazyLoadProvider', '$httpProvider', '$sceProvider', function($ocLazyLoadProvider, $httpProvider, $sceProvider) { $sceProvider.enabled(false); }]); But nothing seems to…

javascript angularjs angularjs-sce

asked Jun 12 '17 at 21:32

Geo C.

votes

1 answer

Pass html string in controller and put into .html (angular js)

I have a problem. Call my button "off" or "on" that I needed. If active status in json is 1 then button off is showing in html, so instead. But I have tried with ng-bind-html Still not working, any solution for me ? Thanks This is my code…

javascript html angularjs angularjs-bindings angularjs-sce

asked Feb 18 '17 at 07:49

userpr

votes

0 answers

Add a function to html string in link layer of directive

I got this directive which renders a list of objects. this objects got it's own function, i wanna bind it to a button. So i run over my items.In my objects value, i got a prop called Action which value is a function. i then try to add it to the html…

angularjs angularjs-directive angularjs-scope angularjs-sce

asked Mar 18 '16 at 08:57

DaCh

votes

1 answer

angularjs textarea with colors (with html5 contenteditable)

I'm trying to create an editor which does "syntax highlighting", it is rather simple: yellow -> yellow I'm also using

 html5 tag to replace , and have color output.
I started from…</div>
        <div class="grid ai-start jc-space-between fw-wrap">
            <div class="grid gs4 fw-wrap tags ">
                
                <a href="../../questions/tagged/angularjs" class="post-tag grid--cell" title="show questions tagged 'angularjs'" rel="tag">angularjs</a> 
                
                <a href="../../questions/tagged/angularjs-directive" class="post-tag grid--cell" title="show questions tagged 'angularjs-directive'" rel="tag">angularjs-directive</a> 
                
                <a href="../../questions/tagged/contenteditable" class="post-tag grid--cell" title="show questions tagged 'contenteditable'" rel="tag">contenteditable</a> 
                
                <a href="../../questions/tagged/angularjs-sce" class="post-tag grid--cell" title="show questions tagged 'angularjs-sce'" rel="tag">angularjs-sce</a> 
                
            </div>
            <div class="started mt0">
                
                    
<div class="s-user-card s-user-card">
    <time class="s-user-card--time" datetime="asked Feb 18 '16 at 16:21">asked Feb 18 '16 at 16:21</time>
    <a href="../../users/3378034/arcol" class="s-avatar s-avatar__32 s-user-card--avatar">
        <img class="s-avatar--image" src="../../users/profiles/3378034.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="arcol" />
    </a>
    <div class="s-user-card--info">
        <a href="../../users/3378034/arcol" class="s-user-card--link">arcol</a>
        <ul class="s-user-card--awards">
            <li class="s-user-card--rep" title="reputation score">1,510</li>
            <li class="s-award-bling s-award-bling__gold" title="1 gold badge">1</li>
            <li class="s-award-bling s-award-bling__silver" title="15 silver badge">15</li>
            <li class="s-award-bling s-award-bling__bronze" title="20 bronze badge">20</li>
        </ul>
    </div>
</div>

                
            </div>
        </div>
    </div>
</div>
                    </div>
                
                    <div class="mln24">
                    <div class="question-summary" id="question-summary-34518941">
    <div class="statscontainer">
        <div class="stats">
            <div class="vote">
                <div class="votes">
                    <span class="vote-count-post"><strong>0</strong></span>
                    <div class="viewcount">votes</div>
                </div>
            </div>

            <div class="status answered-accepted">
                <strong>1</strong> answer
            </div>
        </div>
    </div>
    <div class="summary">
        
        <h3><a href="../../questions/34518941/angular-download-file-from-amazon-s3-url" class="question-hyperlink">Angular Download File From Amazon S3 URL</a></h3>
        <div class="excerpt">I am unable to download an image from an Amazon S3 URL, with an anchor tag in Angular. What am I missing? 
URL
  https://s3.amazonaws.com/nationalrx/card/national_test.png

HTML
  div(ng-bind-html="trustedHtml")

CONTROLLER
  $scope.html = '<a…</div>
        <div class="grid ai-start jc-space-between fw-wrap">
            <div class="grid gs4 fw-wrap tags ">
                
                <a href="../../questions/tagged/angularjs" class="post-tag grid--cell" title="show questions tagged 'angularjs'" rel="tag">angularjs</a> 
                
                <a href="../../questions/tagged/angularjs-sce" class="post-tag grid--cell" title="show questions tagged 'angularjs-sce'" rel="tag">angularjs-sce</a> 
                
            </div>
            <div class="started mt0">
                
                    
<div class="s-user-card s-user-card">
    <time class="s-user-card--time" datetime="asked Dec 29 '15 at 20:53">asked Dec 29 '15 at 20:53</time>
    <a href="../../users/1993692/john-spiteri" class="s-avatar s-avatar__32 s-user-card--avatar">
        <img class="s-avatar--image" src="../../users/profiles/1993692.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="John Spiteri" />
    </a>
    <div class="s-user-card--info">
        <a href="../../users/1993692/john-spiteri" class="s-user-card--link">John Spiteri</a>
        <ul class="s-user-card--awards">
            <li class="s-user-card--rep" title="reputation score">564</li>
            
            <li class="s-award-bling s-award-bling__silver" title="6 silver badges">6</li>
            <li class="s-award-bling s-award-bling__bronze" title="18 bronze badges">18</li>
        </ul>
    </div>
</div>

                
            </div>
        </div>
    </div>
</div>
                    </div>
                
                    <div class="mln24">
                    <div class="question-summary" id="question-summary-30995202">
    <div class="statscontainer">
        <div class="stats">
            <div class="vote">
                <div class="votes">
                    <span class="vote-count-post"><strong>0</strong></span>
                    <div class="viewcount">votes</div>
                </div>
            </div>

            <div class="status answered-accepted">
                <strong>2</strong> answers
            </div>
        </div>
    </div>
    <div class="summary">
        
        <h3><a href="../../questions/30995202/angular-error-i-dont-understand" class="question-hyperlink">Angular error i dont understand?</a></h3>
        <div class="excerpt">I am trying to build the Menu that is here:
http://jsfiddle.net/1vgcs4we/
However when i implement it into my project i get the following error message:
Syntax Error: Token 'node.click' is unexpected, expecting [:] at column 3 of the expression…</div>
        <div class="grid ai-start jc-space-between fw-wrap">
            <div class="grid gs4 fw-wrap tags ">
                
                <a href="../../questions/tagged/javascript" class="post-tag grid--cell" title="show questions tagged 'javascript'" rel="tag">javascript</a> 
                
                <a href="../../questions/tagged/angularjs" class="post-tag grid--cell" title="show questions tagged 'angularjs'" rel="tag">angularjs</a> 
                
                <a href="../../questions/tagged/angularjs-filter" class="post-tag grid--cell" title="show questions tagged 'angularjs-filter'" rel="tag">angularjs-filter</a> 
                
                <a href="../../questions/tagged/ng-bind-html" class="post-tag grid--cell" title="show questions tagged 'ng-bind-html'" rel="tag">ng-bind-html</a> 
                
                <a href="../../questions/tagged/angularjs-sce" class="post-tag grid--cell" title="show questions tagged 'angularjs-sce'" rel="tag">angularjs-sce</a> 
                
            </div>
            <div class="started mt0">
                
                    
<div class="s-user-card s-user-card__deleted">
    <time class="s-user-card--time" datetime="asked Jun 23 '15 at 06:17">asked Jun 23 '15 at 06:17</time>
    <div class="s-avatar s-avatar__32 s-user-card--avatar">
    </div>
    <div class="s-user-card--info">user4815703</div>
</div>

                
            </div>
        </div>
    </div>
</div>
                    </div>
                

                
            </div>
        </div>

            </div>
        </div>
        <script src="../../static/js/stack-icons.js"></script>
        <script src="../../static/js/fromnow.js"></script>
        
    </body>
</html>