ng-bind-html-unsafe
在 Angular 1.2 中被移除
我正在尝试实现我需要使用的东西ng-bind-html-unsafe
。在文档和 github 提交中,他们说:
当绑定到 $sce.trustAsHtml(string) 的结果时,ng-bind-html 提供类似 ng-html-bind-unsafe 的行为(innerHTML 是未经清理的结果)。
你怎么做到这一点?
ng-bind-html-unsafe
在 Angular 1.2 中被移除
我正在尝试实现我需要使用的东西ng-bind-html-unsafe
。在文档和 github 提交中,他们说:
当绑定到 $sce.trustAsHtml(string) 的结果时,ng-bind-html 提供类似 ng-html-bind-unsafe 的行为(innerHTML 是未经清理的结果)。
你怎么做到这一点?
筛选
app.filter('unsafe', function($sce) { return $sce.trustAsHtml; });
用法
<ANY ng-bind-html="value | unsafe"></ANY>
那应该是:
<div ng-bind-html="trustedHtml"></div>
加上你的控制器:
$scope.html = '<ul><li>render me please</li></ul>';
$scope.trustedHtml = $sce.trustAsHtml($scope.html);
而不是旧语法,您可以在其中$scope.html
直接引用变量:
<div ng-bind-html-unsafe="html"></div>
正如几位评论者指出的那样,$sce
必须在控制器中注入,否则会$sce undefined
出错。
var myApp = angular.module('myApp',[]);
myApp.controller('MyController', ['$sce', function($sce) {
// ... [your code]
}]);
就我个人而言,在进入数据库之前,我会使用一些 PHP 库来清理我的所有数据,因此我不需要另一个 XSS 过滤器。
从 AngularJS 1.0.8
directives.directive('ngBindHtmlUnsafe', [function() {
return function(scope, element, attr) {
element.addClass('ng-binding').data('$binding', attr.ngBindHtmlUnsafe);
scope.$watch(attr.ngBindHtmlUnsafe, function ngBindHtmlUnsafeWatchAction(value) {
element.html(value || '');
});
}
}]);
要使用:
<div ng-bind-html-unsafe="group.description"></div>
要禁用$sce
:
app.config(['$sceProvider', function($sceProvider) {
$sceProvider.enabled(false);
}]);
var line = "<label onclick="alert(1)">aaa</label>";
app.filter('unsafe', function($sce) { return $sce.trustAsHtml; });
使用(html):
<span ng-bind-html="line | unsafe"></span>
==>click `aaa` show alert box
包括angular-sanitize.js
<script src="bower_components/angular-sanitize/angular-sanitize.js"></script>
添加ngSanitize
根角度应用程序
var app = angular.module("app", ["ngSanitize"]);
使用(html):
<span ng-bind-html="line"></span>
==>click `aaa` nothing happen
只需创建一个过滤器就可以了。(回答 Angular 1.6)
.filter('trustHtml', [
'$sce',
function($sce) {
return function(value) {
return $sce.trustAs('html', value);
}
}
]);
并在 html 中按如下方式使用它。
<h2 ng-bind-html="someScopeValue | trustHtml"></h2>
如果您想恢复旧指令,可以将其添加到您的应用程序中:
指示:
directives.directive('ngBindHtmlUnsafe', ['$sce', function($sce){
return {
scope: {
ngBindHtmlUnsafe: '=',
},
template: "<div ng-bind-html='trustedHtml'></div>",
link: function($scope, iElm, iAttrs, controller) {
$scope.updateView = function() {
$scope.trustedHtml = $sce.trustAsHtml($scope.ngBindHtmlUnsafe);
}
$scope.$watch('ngBindHtmlUnsafe', function(newVal, oldVal) {
$scope.updateView(newVal);
});
}
};
}]);
用法
<div ng-bind-html-unsafe="group.description"></div>
JavaScript
$scope.get_pre = function(x) {
return $sce.trustAsHtml(x);
};
HTML
<pre ng-bind-html="get_pre(html)"></pre>
对于Rails(至少在我的情况下),如果您使用angularjs-rails gem,请记住添加 sanitize 模块
//= require angular
//= require angular-sanitize
然后将其加载到您的应用程序中...
var myDummyApp = angular.module('myDummyApp', ['ngSanitize']);
然后您可以执行以下操作:
在模板上:
%span{"ng-bind-html"=>"phone_with_break(x)"}
最终:
$scope.phone_with_break = function (x) {
if (x.phone != "") {
return x.phone + "<br>";
}
return '';
}
my helpful code for others(just one aspx to do text area post)::
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="WebApplication45.WebForm1" %>
<!DOCTYPE html>
enter code here
<html ng-app="htmldoc" xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<script src="angular.min.js"></script>
<script src="angular-sanitize.min.js"></script>
<script>
angular.module('htmldoc', ['ngSanitize']).controller('x', function ($scope, $sce) {
//$scope.htmlContent = '<script> (function () { location = \"http://moneycontrol.com\"; } )()<\/script> In last valid content';
$scope.htmlContent = '';
$scope.withoutSanitize = function () {
return $sce.getTrustedHtml($scope.htmlContent);
};
$scope.postMessage = function () {
var ValidContent = $sce.trustAsHtml($scope.htmlContent);
//your ajax call here
};
});
</script>
</head>
<body>
<form id="form1" runat="server">
Example to show posting valid content to server with two way binding
<div ng-controller="x">
<p ng-bind-html="htmlContent"></p>
<textarea ng-model="htmlContent" ng-trim="false"></textarea>
<button ng-click="postMessage()">Send</button>
</div>
</form>
</body>
</html>
$scope.trustAsHtml=function(scope)
{
return $sce.trustAsHtml(scope);
}
<p class="card-text w-100" ng-bind-html="trustAsHtml(note.redoq_csd_product_lead_note)"></p>