From dae694739b9581bea5dbc53522ec00d87b26ae55 Mon Sep 17 00:00:00 2001 From: Chirayu Krishnappa Date: Fri, 19 Jul 2013 16:04:51 -0700 Subject: feat(ngBindHtml, sce): combine ng-bind-html and ng-bind-html-unsafe Changes: - remove ng-bind-html-unsafe - ng-bind-html is now in core - ng-bind-html is secure - supports SCE - so you can bind to an arbitrary trusted string - automatic sanitization if $sanitize is available BREAKING CHANGE: ng-html-bind-unsafe has been removed and replaced by ng-html-bind (which has been removed from ngSanitize.) ng-bind-html provides ng-html-bind-unsafe like behavior (innerHTML's the result without sanitization) when bound to the result of $sce.trustAsHtml(string). When bound to a plain string, the string is sanitized via $sanitize before being innerHTML'd. If $sanitize isn't available, it's logs an exception.
---
test/ng/sceSpecs.js | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'test/ng/sceSpecs.js')
diff --git a/test/ng/sceSpecs.js b/test/ng/sceSpecs.js
index 16525b8d..6157fc17 100644
--- a/test/ng/sceSpecs.js
+++ b/test/ng/sceSpecs.js
@@ -341,7 +341,22 @@ describe('SCE', function() {
 expect(function() { $sce.getTrustedResourceUrl('open_redirect'); }).toThrow(
 '[$sce:isecrurl] Blocked loading resource from url not allowed by $sceDelegate policy. URL: open_redirect');
 }));
+ });
+
+ describe('sanitizing html', function() {
+ describe('when $sanitize is NOT available', function() {
+ it('should throw an exception for getTrusted(string) values', inject(function($sce) {
+ expect(function() { $sce.getTrustedHtml(''); }).toThrow(
+ '[$sce:unsafe] Attempting to use an unsafe value in a safe context.');
+ }));
+ });
+ describe('when $sanitize is available', function() {
+ beforeEach(function() { module('ngSanitize'); });
+ it('should sanitize html using $sanitize', inject(function($sce) {
+ expect($sce.getTrustedHtml('abc')).toBe('abc');
+ }));
+ });
 });
 });
-- cgit v1.2.3
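Review bot: The `when $sanitize is available` case, as it appears in this hunk, passes `'abc'` to `$sce.getTrustedHtml` and expects `'abc'` back, so it would still pass if no sanitizer ran at all. The markup may simply have been lost when this page was rendered, but if not, the input should contain an element the sanitizer must drop and the expectation should be the cleaned string. The same goes for the `''` argument in the `NOT available` case, where a non-empty plain string would state the intent more clearly. The commit message also describes a second path, where a value wrapped with `$sce.trustAsHtml` is inserted without sanitization, and neither new `describe` covers it. A case such as `expect($sce.getTrustedHtml($sce.trustAsHtml(input))).toBe(input);` inside the ngSanitize block would pin that the bypass applies only to explicitly trusted values.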