aboutsummaryrefslogtreecommitdiffstats
path: root/src/ng/interpolate.js
AgeCommit message (Collapse)Author
2013-06-24fix($compile): reject multi-expression interpolations for src attributeChirayu Krishnappa
BREAKING CHANGE: Concatenating expressions makes it hard to reason about whether some combination of concatenated values are unsafe to use and could easily lead to XSS. By requiring that a single expression be used for *[src/ng-src] such as iframe[src], object[src], etc. (but not img[src/ng-src] since that value is sanitized), we ensure that the value that's used is assigned or constructed by some JS code somewhere that is more testable or make it obvious that you bound the value to some user controlled value. This helps reduce the load when auditing for XSS issues. To migrate your code, follow the example below: Before: JS: scope.baseUrl = 'page'; scope.a = 1; scope.b = 2; HTML: <!-- Are a and b properly escaped here? Is baseUrl controlled by user? --> <iframe src="{{baseUrl}}?a={{a}&b={{b}}"> After: JS: var baseUrl = "page"; scope.getIframeSrc = function() { // There are obviously better ways to do this. The // key point is that one will think about this and do // it the right way. var qs = ["a", "b"].map(function(value, name) { return encodeURIComponent(name) + "=" + encodeURIComponent(value); }).join("&"); // baseUrl isn't on scope so it isn't bound to a user // controlled value. return baseUrl + "?" + qs; } HTML: <iframe src="{{getIframeSrc()}}">
2013-06-17chore(minErr): replace ngError with minErrKen Sheedlo
2013-05-24feat(ngError): add error message compression and better error messagesIgor Minar
- add toThrowNg matcher
2012-08-30feat($interpolate): provide contextual error messagesBrian Ford
if an exception occurs during interpolation of a string (e.g. name() in "Hello, {{name()}}!" throws an exception) we now print an error message with the expression that was being evaluated when the exception was thrown.
2012-08-13feat($interpolate): expose start/end symbols in run phaseIgor Minar
previously the startSymbol() and endSymbol() getters were exposed only via provider in the config phase
2012-08-13docs($interpolateProvider): fixing docsIgor Minar
2012-08-13fix($interpolate): $interpolateProvider.endSymbol() returns startSymbolIgor Minar
I also added missing tests.
2012-08-13docs($interpolate): fix typo in descriptionIgor Minar
2012-06-12docs(*): simplify doc urlsIgor Minar
we now have two types of namespaces: - true namespace: angular.* - used for all global apis - virtual namespace: ng.*, ngMock.*, ... - used for all DI modules the virual namespaces have services under the second namespace level (e.g. ng.) and filters and directives prefixed with filter: and directive: respectively (e.g. ng.filter:orderBy, ng.directive:ngRepeat) this simplifies urls and makes them a lot shorter while still avoiding name collisions
2012-03-28chore(module): move files around in preparation for more modulesMisko Hevery
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-04 18:01:43 +0000