TechQA.

Which expression wouldn't pass $sce.trustAsHtml sanitize?

697 views Asked by At

Suppose I have - 

$scope.trustAsHtml = $sce.trustAsHtml; 

<p ng-bind-html="trustAsHtml(expression)"></p>

What does the trustAsHtml could check such that its expression wouldn't displayed as trust HTML ?

Please provide me some examples .

angularjs ng-bind-html
Original Q&A
1

There are 1 answers

6
Sudharsan S On

Strict Contextual Escaping (SCE) is a mode in which AngularJS requires bindings in certain contexts to result in a value that is marked as safe to use for that context. One example of such a context is binding arbitrary html controlled by the user via ng-bind-html. We refer to these contexts as privileged or SCE contexts.

Note : If you use normal html using directly bind in html using ng-bind-html. if you have some special characters found in the html means i am suggested use $sce.trustAsHtml() and bind it

For example

That should be:

<div ng-bind-html="trustedHtml"></div>

plus in your controller:

$scope.html = '<span onmouseover="this.textContent=&quot;Explicitly trusted HTML bypasses sanitization.&quot;">Hover over this text.</span>';
$scope.trustedHtml = $sce.trustAsHtml($scope.html);

Related Questions in ANGULARJS

Related Questions in NG-BIND-HTML

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions