create HTML sanitizer to allow inclusion of untrusted HTML in safe manner.

Sanitization works in two phases:
 1) We parse the HTML into sax-like events (start, end, chars).
    HTML parsing is very complex, and so it may very well be that what
    most browser consider valid HTML may not pares properly here,
    but we do best effort. We treat this parser as untrusted.
 2) We have safe sanitizeWriter which treats its input (start, end, chars)
    as untrusted content and escapes everything. It only allows elements
    in the whitelist and only allows attributes which are whitelisted.
    Any attribute value must not start with 'javascript:'. This check
    is performed after escaping for entity (&xAB; etc..) and ignoring
    any whitespace.

 - Correct linky filter to use safeHtmlWriter
 - Correct html filter to use safeHtmlWriter

Close #33; Close #34

1 files changed, 8 insertions, 1 deletions

diff --git a/test/directivesSpec.js b/test/directivesSpec.js
index 0e99a63f..34dcbf8d 100644
--- a/test/directivesSpec.js
+++ b/test/directivesSpec.js
@@ -50,11 +50,18 @@ describe("directives", function(){
 
     it('should set html', function() {
       var scope = compile('<div ng:bind="html|html"></div>');
-      scope.html = '<div>hello</div>';
+      scope.html = '<div unknown>hello</div>';
       scope.$eval();
       expect(lowercase(element.html())).toEqual('<div>hello</div>');
     });
 
+    it('should set unsafe html', function() {
+      var scope = compile('<div ng:bind="html|html:\'unsafe\'"></div>');
+      scope.html = '<div onclick="">hello</div>';
+      scope.$eval();
+      expect(lowercase(element.html())).toEqual('<div onclick="">hello</div>');
+    });
+
     it('should set element element', function() {
       angularFilter.myElement = function() {
         return jqLite('<a>hello</a>');