From dae694739b9581bea5dbc53522ec00d87b26ae55 Mon Sep 17 00:00:00 2001 From: Chirayu Krishnappa Date: Fri, 19 Jul 2013 16:04:51 -0700 Subject: feat(ngBindHtml, sce): combine ng-bind-html and ng-bind-html-unsafe Changes: - remove ng-bind-html-unsafe - ng-bind-html is now in core - ng-bind-html is secure - supports SCE - so you can bind to an arbitrary trusted string - automatic sanitization if $sanitize is available BREAKING CHANGE: ng-html-bind-unsafe has been removed and replaced by ng-html-bind (which has been removed from ngSanitize.) ng-bind-html provides ng-html-bind-unsafe like behavior (innerHTML's the result without sanitization) when bound to the result of $sce.trustAsHtml(string). When bound to a plain string, the string is sanitized via $sanitize before being innerHTML'd. If $sanitize isn't available, it's logs an exception. --- src/ngSanitize/sanitize.js | 65 +++++++++++++++++++++++----------------------- 1 file changed, 32 insertions(+), 33 deletions(-) (limited to 'src/ngSanitize/sanitize.js') diff --git a/src/ngSanitize/sanitize.js b/src/ngSanitize/sanitize.js index 110b3a64..70932899 100644 --- a/src/ngSanitize/sanitize.js +++ b/src/ngSanitize/sanitize.js @@ -68,8 +68,7 @@ var ngSanitizeMinErr = angular.$$minErr('ngSanitize'); '

an html\n' + 'click here\n' + 'snippet

'; - // ng-bind-html-unsafe requires a $sce trusted value of type $sce.HTML. - $scope.getSceSnippet = function() { + $scope.deliberatelyTrustDangerousSnippet = function() { return $sce.trustAsHtml($scope.snippet); }; } @@ -78,57 +77,57 @@ var ngSanitizeMinErr = angular.$$minErr('ngSanitize'); Snippet: - + + - - - - + + + + + - - + + + + + + + + + - - - - -
FilterDirectiveHow Source Rendered
html filter - 
<div ng-bind-html="snippet">
</div>
- 		-
-
ng-bind-htmlAutomatically uses $sanitize
<div ng-bind-html="snippet">
</div>
no filter
ng-bind-htmlBypass $sanitize by explicitly trusting the dangerous value
<div ng-bind-html="deliberatelyTrustDangerousSnippet()">
</div>
ng-bindAutomatically escapes 
<div ng-bind="snippet">
</div>
unsafe html filter
<div ng-bind-html-unsafe="getSceSnippet()">
</div>
- it('should sanitize the html snippet ', function() { - expect(using('#html-filter').element('div').html()). + it('should sanitize the html snippet by default', function() { + expect(using('#bind-html-with-sanitize').element('div').html()). toBe('

an html\nclick here\nsnippet

'); }); + it('should inline raw snippet if bound to a trusted value', function() { + expect(using('#bind-html-with-trust').element("div").html()). + toBe("

an html\n" + + "click here\n" + + "snippet

"); + }); + it('should escape snippet without any filter', function() { - expect(using('#escaped-html').element('div').html()). + expect(using('#bind-default').element('div').html()). toBe("<p style=\"color:blue\">an html\n" + "<em onmouseover=\"this.textContent='PWN3D!'\">click here</em>\n" + "snippet</p>"); }); - it('should inline raw snippet if filtered as unsafe', function() { - expect(using('#html-unsafe-filter').element("div").html()). - toBe("

an html\n" + - "click here\n" + - "snippet

"); - }); - - it('should update', function($sce) { - input('snippet').enter('new text'); - expect(using('#html-filter').binding('snippet')).toBe('new text'); - expect(using('#escaped-html').element('div').html()).toBe("new <b>text</b>"); - expect(using('#html-unsafe-filter').element('div').html()).toBe('new text'); + it('should update', function() { + input('snippet').enter('new text'); + expect(using('#bind-html-with-sanitize').element('div').html()).toBe('new text'); + expect(using('#bind-html-with-trust').element('div').html()).toBe('new text'); + expect(using('#bind-default').element('div').html()).toBe("new <b onclick=\"alert(1)\">text</b>"); }); -- cgit v1.2.3