authorChirayu Krishnappa2013-07-19 16:04:51 -0700
committerChirayu Krishnappa2013-07-25 14:29:56 -0700
commitdae694739b9581bea5dbc53522ec00d87b26ae55 (patch)
tree00d55fd867916df991f699cfe398243205f03ffc /test/ng/sceSpecs.js
parentbea9422ebfc8e80ee28ad81afc62d2e432c85cbb (diff)
feat(ngBindHtml, sce): combine ng-bind-html and ng-bind-html-unsafe
Changes: - remove ng-bind-html-unsafe - ng-bind-html is now in core - ng-bind-html is secure - supports SCE - so you can bind to an arbitrary trusted string - automatic sanitization if $sanitize is available BREAKING CHANGE: ng-html-bind-unsafe has been removed and replaced by ng-html-bind (which has been removed from ngSanitize.) ng-bind-html provides ng-html-bind-unsafe like behavior (innerHTML's the result without sanitization) when bound to the result of $sce.trustAsHtml(string). When bound to a plain string, the string is sanitized via $sanitize before being innerHTML'd. If $sanitize isn't available, it logs an exception.
Diffstat (limited to 'test/ng/sceSpecs.js')
-rw-r--r--test/ng/sceSpecs.js15
1 files changed, 15 insertions, 0 deletions
diff --git a/test/ng/sceSpecs.js b/test/ng/sceSpecs.js
index 16525b8d..6157fc17 100644
--- a/test/ng/sceSpecs.js
+++ b/test/ng/sceSpecs.js
@@ -341,7 +341,22 @@ describe('SCE', function() {
expect(function() { $sce.getTrustedResourceUrl('open_redirect'); }).toThrow(
'[$sce:isecrurl] Blocked loading resource from url not allowed by $sceDelegate policy. URL: open_redirect');
}));
+ });
+
+ describe('sanitizing html', function() {
+ describe('when $sanitize is NOT available', function() {
+ it('should throw an exception for getTrusted(string) values', inject(function($sce) {
+ expect(function() { $sce.getTrustedHtml('<b></b>'); }).toThrow(
+ '[$sce:unsafe] Attempting to use an unsafe value in a safe context.');
+ }));
+ });
+ describe('when $sanitize is available', function() {
+ beforeEach(function() { module('ngSanitize'); });
+ it('should sanitize html using $sanitize', inject(function($sce) {
+ expect($sce.getTrustedHtml('a<xxx><B>b</B></xxx>c')).toBe('a<b>b</b>c');
+ }));
+ });
});
});
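Review bot: The `when $sanitize is available` block pins only the sanitized path for a plain string, using an unknown element and tag-case normalization; the path the commit message describes as unsanitized, a value wrapped by `$sce.trustAsHtml`, has no assertion with ngSanitize loaded. Because that is the one route by which markup reaches innerHTML unfiltered, a companion case such as `expect($sce.getTrustedHtml($sce.trustAsHtml('a<xxx>b</xxx>c'))).toBe('a<xxx>b</xxx>c');` would catch a later change that blurs the boundary between trusted wrappers and plain strings. The `NOT available` case also depends on no enclosing `beforeEach` loading `ngSanitize`; a short comment there, e.g. `// ngSanitize is deliberately not loaded in this block`, would make that precondition explicit. The enclosing `describe('SCE', ...)` starts outside the hunk, so any outer setup is not visible here.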