229

ng-bind-html-unsafe在 Angular 1.2 中被移除

我正在尝试实现我需要使用的东西ng-bind-html-unsafe。在文档和 github 提交中,他们说:

当绑定到 $sce.trustAsHtml(string) 的结果时,ng-bind-html 提供类似 ng-html-bind-unsafe 的行为(innerHTML 是未经清理的结果)。

你怎么做到这一点?

4

10 回答 10

638

筛选

app.filter('unsafe', function($sce) { return $sce.trustAsHtml; });

用法

<ANY ng-bind-html="value | unsafe"></ANY>
于 2013-10-31T11:20:06.993 回答
255

那应该是:

<div ng-bind-html="trustedHtml"></div>

加上你的控制器:

$scope.html = '<ul><li>render me please</li></ul>';
$scope.trustedHtml = $sce.trustAsHtml($scope.html);

而不是旧语法,您可以在其中$scope.html直接引用变量:

<div ng-bind-html-unsafe="html"></div>

正如几位评论者指出的那样,$sce必须在控制器中注入,否则会$sce undefined出错。

 var myApp = angular.module('myApp',[]);

 myApp.controller('MyController', ['$sce', function($sce) {
    // ... [your code]
 }]);
于 2013-08-20T18:44:40.970 回答
16

就我个人而言,在进入数据库之前,我会使用一些 PHP 库来清理我的所有数据,因此我不需要另一个 XSS 过滤器。

从 AngularJS 1.0.8

directives.directive('ngBindHtmlUnsafe', [function() {
    return function(scope, element, attr) {
        element.addClass('ng-binding').data('$binding', attr.ngBindHtmlUnsafe);
        scope.$watch(attr.ngBindHtmlUnsafe, function ngBindHtmlUnsafeWatchAction(value) {
            element.html(value || '');
        });
    }
}]);

要使用:

<div ng-bind-html-unsafe="group.description"></div>

要禁用$sce

app.config(['$sceProvider', function($sceProvider) {
    $sceProvider.enabled(false);
}]);
于 2013-10-06T01:13:32.863 回答
9

var line = "<label onclick="alert(1)">aaa</label>";

1.使用过滤器

app.filter('unsafe', function($sce) { return $sce.trustAsHtml; });

使用(html):

<span ng-bind-html="line | unsafe"></span>
==>click `aaa` show alert box

2.使用ngSanitize:更安全

包括angular-sanitize.js

<script src="bower_components/angular-sanitize/angular-sanitize.js"></script>

添加ngSanitize根角度应用程序

var app = angular.module("app", ["ngSanitize"]);

使用(html):

<span ng-bind-html="line"></span>
==>click `aaa` nothing happen
于 2016-03-05T12:09:48.107 回答
7

只需创建一个过滤器就可以了。(回答 Angular 1.6)

.filter('trustHtml', [
        '$sce',
        function($sce) {
            return function(value) {
                return $sce.trustAs('html', value);
            }
        }
    ]);

并在 html 中按如下方式使用它。

<h2 ng-bind-html="someScopeValue | trustHtml"></h2>
于 2017-07-06T07:07:41.007 回答
3

如果您想恢复旧指令,可以将其添加到您的应用程序中:

指示: 

directives.directive('ngBindHtmlUnsafe', ['$sce', function($sce){
    return {
        scope: {
            ngBindHtmlUnsafe: '=',
        },
        template: "<div ng-bind-html='trustedHtml'></div>",
        link: function($scope, iElm, iAttrs, controller) {
            $scope.updateView = function() {
                $scope.trustedHtml = $sce.trustAsHtml($scope.ngBindHtmlUnsafe);
            }

            $scope.$watch('ngBindHtmlUnsafe', function(newVal, oldVal) {
                $scope.updateView(newVal);
            });
        }
    };
}]);

用法

<div ng-bind-html-unsafe="group.description"></div>

来源 - https://github.com/angular-ui/bootstrap/issues/813

于 2014-09-08T13:06:05.757 回答
3

JavaScript

$scope.get_pre = function(x) {
    return $sce.trustAsHtml(x);
};

HTML

<pre ng-bind-html="get_pre(html)"></pre>
于 2015-03-24T05:52:56.107 回答
1

对于Rails(至少在我的情况下),如果您使用angularjs-rails gem,请记住添加 sanitize 模块

//= require angular
//= require angular-sanitize

然后将其加载到您的应用程序中...

var myDummyApp = angular.module('myDummyApp', ['ngSanitize']);

然后您可以执行以下操作:

在模板上:

%span{"ng-bind-html"=>"phone_with_break(x)"}

最终:

$scope.phone_with_break = function (x) {
  if (x.phone != "") {
   return x.phone + "<br>";
  }
  return '';
}
于 2015-10-23T04:12:27.430 回答
0 
my helpful code for others(just one aspx to do text area post)::

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="WebApplication45.WebForm1" %>

<!DOCTYPE html>

    enter code here

<html ng-app="htmldoc" xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
    <script src="angular.min.js"></script>
    <script src="angular-sanitize.min.js"></script>
    <script>
        angular.module('htmldoc', ['ngSanitize']).controller('x', function ($scope, $sce) {
            //$scope.htmlContent = '<script> (function () { location = \"http://moneycontrol.com\"; } )()<\/script> In last valid content';
            $scope.htmlContent = '';
            $scope.withoutSanitize = function () {
                return $sce.getTrustedHtml($scope.htmlContent);
            };
            $scope.postMessage = function () {
                var ValidContent = $sce.trustAsHtml($scope.htmlContent);

                //your ajax call here
            };
        });
    </script>
</head>
<body>
    <form id="form1" runat="server">
        Example to show posting valid content to server with two way binding
        <div ng-controller="x">
            <p ng-bind-html="htmlContent"></p>
            <textarea ng-model="htmlContent" ng-trim="false"></textarea>
            <button ng-click="postMessage()">Send</button>
        </div>
    </form>
</body>
</html>
于 2018-05-10T15:58:43.690 回答
0 
$scope.trustAsHtml=function(scope)
{
    return $sce.trustAsHtml(scope);
}
<p class="card-text w-100" ng-bind-html="trustAsHtml(note.redoq_csd_product_lead_note)"></p>
于 2019-10-26T20:38:16.103 回答