From dae694739b9581bea5dbc53522ec00d87b26ae55 Mon Sep 17 00:00:00 2001 From: Chirayu Krishnappa Date: Fri, 19 Jul 2013 16:04:51 -0700 Subject: feat(ngBindHtml, sce): combine ng-bind-html and ng-bind-html-unsafe Changes: - remove ng-bind-html-unsafe - ng-bind-html is now in core - ng-bind-html is secure - supports SCE - so you can bind to an arbitrary trusted string - automatic sanitization if $sanitize is available BREAKING CHANGE: ng-html-bind-unsafe has been removed and replaced by ng-html-bind (which has been removed from ngSanitize.) ng-bind-html provides ng-html-bind-unsafe like behavior (innerHTML's the result without sanitization) when bound to the result of $sce.trustAsHtml(string). When bound to a plain string, the string is sanitized via $sanitize before being innerHTML'd. If $sanitize isn't available, it's logs an exception. --- test/ng/directive/ngBindSpec.js | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) (limited to 'test/ng/directive') diff --git a/test/ng/directive/ngBindSpec.js b/test/ng/directive/ngBindSpec.js index 1d8f8ef4..be68464f 100644 --- a/test/ng/directive/ngBindSpec.js +++ b/test/ng/directive/ngBindSpec.js @@ -67,19 +67,14 @@ describe('ngBind*', function() { }); - describe('ngBindHtmlUnsafe', function() { - - function configureSce(enabled) { - module(function($provide, $sceProvider) { - $sceProvider.enabled(enabled); - }); - }; - + describe('ngBindHtml', function() { describe('SCE disabled', function() { - beforeEach(function() {configureSce(false)}); + beforeEach(function() { + module(function($sceProvider) { $sceProvider.enabled(false); }); + }); - it('should set unsafe html', inject(function($rootScope, $compile) { - element = $compile('
')($rootScope); + it('should set html', inject(function($rootScope, $compile) { + element = $compile('
')($rootScope); $rootScope.html = '
hello
'; $rootScope.$digest(); expect(angular.lowercase(element.html())).toEqual('
hello
'); @@ -88,27 +83,35 @@ describe('ngBind*', function() { describe('SCE enabled', function() { - beforeEach(function() {configureSce(true)}); - - it('should NOT set unsafe html for untrusted values', inject(function($rootScope, $compile) { - element = $compile('
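Review bot: The renamed spec 'should set html' in the 'SCE disabled' block no longer signals that this path writes the bound string without a trust check, and nothing else in the hunk records it. With `$sceProvider.enabled(false)` the value presumably reaches innerHTML unsanitized; the string literals are not legible on this page, so this is inferred from the commit message. A short comment above the new `beforeEach` would keep readers from mistaking this for the safe default, e.g. `// SCE off: ng-bind-html writes the raw string; no trust check or sanitization applies`. The enclosing `describe('ngBindHtml', ...)` closes outside this hunk.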
')($rootScope); + it('should NOT set html for untrusted values', inject(function($rootScope, $compile) { + element = $compile('
')($rootScope); $rootScope.html = '
hello
'; expect($rootScope.$digest).toThrow(); })); - it('should NOT set unsafe html for wrongly typed values', inject(function($rootScope, $compile, $sce) { - element = $compile('
')($rootScope); + it('should NOT set html for wrongly typed values', inject(function($rootScope, $compile, $sce) { + element = $compile('
')($rootScope); $rootScope.html = $sce.trustAsCss('
hello
'); expect($rootScope.$digest).toThrow(); })); - it('should set unsafe html for trusted values', inject(function($rootScope, $compile, $sce) { - element = $compile('
')($rootScope); + it('should set html for trusted values', inject(function($rootScope, $compile, $sce) { + element = $compile('
')($rootScope); $rootScope.html = $sce.trustAsHtml('
hello
'); $rootScope.$digest(); expect(angular.lowercase(element.html())).toEqual('
hello
'); })); + describe('when $sanitize is available', function() { + beforeEach(function() { module('ngSanitize'); }); + + it('should sanitize untrusted html', inject(function($rootScope, $compile) { + element = $compile('
')($rootScope); + $rootScope.html = '
hello
'; + $rootScope.$digest(); + expect(angular.lowercase(element.html())).toEqual('
hello
'); + })); + }); }); }); -- cgit v1.2.3
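Review bot: The two negative specs in 'SCE enabled' assert `expect($rootScope.$digest).toThrow()`, which passes on any exception and hands `$digest` to the matcher detached from `$rootScope`, so they may pass for a reason unrelated to SCE rejecting the value. Since they are now the guard for untrusted and wrongly typed values, call the digest through a wrapper and pin the error, `expect(function() { $rootScope.$digest(); }).toThrow(/* expected SCE error */);`, and check afterwards that `element.html()` is still empty. The new 'when $sanitize is available' block covers only a plain string; a case that binds `$sce.trustAsHtml(...)` with ngSanitize loaded would pin the commit message's statement that trusted values are not sanitized. With the `configureSce(true)` setup removed, this block also depends on SCE being enabled by default, which a one-line comment on the `describe` could state.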