[AngularJS] Html ngSanitize, $sce

Safely render arbitrary HTML snippets by using ngSanitize and $sce.

 

By default angularJS consider user's input html is danger, so if you want to display html tag on the page will show unsafe error.

To remove this error and trust user's input, we can install ngSanitize:

bower install angular-sanitize

 

var egghead = angular.module("egghead", ["ngSanitize"]);

egghead.controller("AppCtrl", function () {
    var app = this;

    app.someHtml = '<a href="http://egghead.io" style="color:red">Learn stuff!</strong>';
});
<!DOCTYPE html>
<html>
<head>
    <title>Egghead.io</title>
    <link rel="stylesheet" href="bower_components/bootstrap.css/css/bootstrap.css"/>
</head>
<body ng-app="egghead" ng-controller="AppCtrl as app">
<textarea name="" id="" cols="30" rows="10" ng-model="app.someHtml"></textarea>
<div ng-bind-html="app.someHtml"></div>
<script src="bower_components/angular/angular.js"></script>
<script src="bower_components/angular-sanitize/angular-sanitize.js"></script>
<script src="app.js"></script>
</body>
</html>

 

Then the error message has gone, but we didn't get the result which we want, we want "Learn stuff" shown  in red color:

<a href="http://egghead.io" style="color:red">Learn stuff!</strong>

 

To overcome this, we can use $sce service:

var egghead = angular.module("egghead", ["ngSanitize"]);

egghead.controller("AppCtrl", function ($sce) {
    var app = this;

    app.someHtml = $sce.trustAsHtml('<a href="http://egghead.io" style="color:red">Learn stuff!</strong>');
});

 

Also you can trust as javascript, css && url:

see here: https://docs.angularjs.org/api/ng/service/$sce

posted @ 2014-12-21 05:11  Zhentiw  阅读(884)  评论(0编辑  收藏  举报