Diffstat (limited to 'docs/content/error/parse/isecprv.ngdoc')
-rw-r--r--  docs/content/error/parse/isecprv.ngdoc  50
1 files changed, 50 insertions, 0 deletions
diff --git a/docs/content/error/parse/isecprv.ngdoc b/docs/content/error/parse/isecprv.ngdoc
new file mode 100644
index 00000000..4bb02426
--- /dev/null
+++ b/docs/content/error/parse/isecprv.ngdoc
@@ -0,0 +1,50 @@
+@ngdoc error
+@name $parse:isecprv
+@fullName Referencing private Field in Expression
+
+@description
+
+Occurs when an Angular expression attempts to access a private field.
+
+Fields with names that begin or end with an underscore are considered
+private fields.  Angular expressions are not allowed to reference such
+fields on the scope chain.  This only applies to Angular expressions
+(e.g. {{ }} interpolation and calls to `$parse` with a string expression
+argument) – Javascript itself has no such notion.
+
+To resolve this error, use an alternate non-private field if available
+or make the field public (by removing any leading and trailing
+underscore characters from its name.)
+
+Example expression that would result in this error:
+
+```html
+<div>{{user._private_field}}</div>
+```
+
+Background:
+Though Angular expressions are written and controlled by the developer
+and are trusted, they do represent an attack surface due to the
+following two factors:
+
+- they typically deal with user input which is generally high risk
+- they often don't get the kind of attention and test coverage that
+ JavaScript code would.
+
+If these expression were evaluated in a context with full trust, an
+attacker, though unable to change the expression itself, can feed it
+unexpected and dangerous input that could result in a security
+breach/exploit.
+
+As such, Angular expressions are evaluated in a limited context.  They
+do not have direct access to the global scope, Window, Document, the
+Function constructor or "private" properties (names beginning or ending
+with an underscore character) on the scope chain.  They should get their
+work done via public properties and methods exposed on the scope chain
+(keep in mind that this includes controllers as well as they are
+published on the scope via the "controller as" syntax.)
+
+As a best practise, only "publish" properties on the scopes and
+controllers that must be available to Angular expressions.  All other
+members should either be in closures or be "private" by giving them
+names with a leading or trailing underscore character.
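Review bot: the closing paragraphs need a few wording fixes before this lands: "If these expression were evaluated" should read "If these expressions were evaluated", "best practise" should be "best practice" (the rest of the file uses American spelling), and "Javascript" on the line "argument) – Javascript itself has no such notion." should be "JavaScript" to match the spelling used in the bulleted list. The "Background:" label also sits directly on top of its paragraph with no blank line, so in rendered ngdoc it will run into the first sentence; either add a blank line after it or make it a proper heading like the other sections. Finally, since the "To resolve this error" paragraph tells readers to rename the field, it would help to pair the failing example `{{user._private_field}}` with the corrected form (for instance `{{user.privateField}}`) so the fix is shown, not just described.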