forked from angular/code.angularjs.org
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathangular.filter.html.html
97 lines (92 loc) · 4.54 KB
/
angular.filter.html.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
<h1>angular.filter.html</h1>
<div class="angular-filter-html"><fieldset class="workInProgress"><legend>Work in Progress</legend>
This page is currently being revised. It might be incomplete or contain inaccuracies.</fieldset>
<h2>Description</h2>
<div class="description"><p>Prevents the input from getting escaped by angular. By default the input is sanitized and
inserted into the DOM as is.</p>
<p>The input is sanitized by parsing the html into tokens. All safe tokens (from a whitelist) are
then serialized back to properly escaped html string. This means that no unsafe input can make
it into the returned string, however since our parser is more strict than a typical browser
parser, it's possible that some obscure input, which would be recognized as valid HTML by a
browser, won't make it through the sanitizer.</p>
<p>If you hate your users, you may call the filter with optional 'unsafe' argument, which bypasses
the html sanitizer, but makes your application vulnerable to XSS and other attacks. Using this
option is strongly discouraged and should be used only if you absolutely trust the input being
filtered and you can't get the content through the sanitizer.</p></div>
<h2>Usage</h2>
<div class="usage"><h3>In HTML Template Binding</h3>
<div class="in-html-template-binding"><code ng:non-bindable="">{{ html_expression | html[:option] }}</code>
</div>
<h3>In JavaScript</h3>
<div class="in-javascript"><code ng:non-bindable="">angular.filter.html(html[, option])</code>
</div>
<h3>Parameters</h3>
<ul class="parameters"><li><code ng:non-bindable="">html – {string} – </code>
<p>Html input.</p></li>
<li><code ng:non-bindable="">option<i>(optional)</i> – {string} – </code>
<p>If 'unsafe' then do not sanitize the HTML input.</p></li>
</ul>
<h3>Returns</h3>
<div class="returns"><code ng:non-bindable="">{string}</code>
– <p>Sanitized or raw html.</p></div>
</div>
<h2>Example</h2>
<div class="example"><doc:example>
<pre class="doc-source">
Snippet: <textarea name="snippet" cols="60" rows="3">
&lt;p style="color:blue"&gt;an html
&lt;em onmouseover="this.textContent='PWN3D!'"&gt;click here&lt;/em&gt;
snippet&lt;/p&gt;</textarea>
<table>
<tr>
<td>Filter</td>
<td>Source</td>
<td>Rendered</td>
</tr>
<tr id="html-filter">
<td>html filter</td>
<td>
<pre>&lt;div ng:bind="snippet | html"&gt;<br/>&lt;/div&gt;</pre>
</td>
<td>
<div ng:bind="snippet | html"></div>
</td>
</tr>
<tr id="escaped-html">
<td>no filter</td>
<td><pre>&lt;div ng:bind="snippet"&gt;<br/>&lt;/div&gt;</pre></td>
<td><div ng:bind="snippet"></div></td>
</tr>
<tr id="html-unsafe-filter">
<td>unsafe html filter</td>
<td><pre>&lt;div ng:bind="snippet | html:'unsafe'"&gt;<br/>&lt;/div&gt;</pre></td>
<td><div ng:bind="snippet | html:'unsafe'"></div></td>
</tr>
</table>
</pre>
<pre class="doc-scenario">
it('should sanitize the html snippet ', function(){
expect(using('#html-filter').binding('snippet | html')).
toBe('<p>an html\n<em>click here</em>\nsnippet</p>');
});
it('should escape snippet without any filter', function() {
expect(using('#escaped-html').binding('snippet')).
toBe("&lt;p style=\"color:blue\"&gt;an html\n" +
"&lt;em onmouseover=\"this.textContent='PWN3D!'\"&gt;click here&lt;/em&gt;\n" +
"snippet&lt;/p&gt;");
});
it('should inline raw snippet if filtered as unsafe', function() {
expect(using('#html-unsafe-filter').binding("snippet | html:'unsafe'")).
toBe("<p style=\"color:blue\">an html\n" +
"<em onmouseover=\"this.textContent='PWN3D!'\">click here</em>\n" +
"snippet</p>");
});
it('should update', function(){
input('snippet').enter('new <b>text</b>');
expect(using('#html-filter').binding('snippet | html')).toBe('new <b>text</b>');
expect(using('#escaped-html').binding('snippet')).toBe("new &lt;b&gt;text&lt;/b&gt;");
expect(using('#html-unsafe-filter').binding("snippet | html:'unsafe'")).toBe('new <b>text</b>');
});
</pre>
</doc:example></div>
</div>