make sure that bo-html sanitizes html #75
Conversation
|
this is something that have to be done, however in this way we force bindonce to depend on |
|
Yes I thought you might have that reservation. I have looked into it a bit more and it seems that $sce is always available and it is $sanitize that we should check for using the $injector. I have added another commit that does this and then only sanitizes the value if $sanitize is available. The end results is that bo-html will be safe by default if you are using ngSanitize (like angular itself). Does that seem like a reasonable solution? |
|
The problem is that $sceProvider exists since Angular 1.2 but older versions must use $sanitize, this should be the check to do in order to sanitize the html content. |
|
Ah OK - back to the drawing board then... |
|
improve safe role,that good think, +1. |
|
This is a very important issue I think. Not every user is aware of XSS problems when displaying user input, even more with angular.js' approach to sanitize everything by default. What angular versions do you want bindonce to support @Pasvaz? I am willing to contribute a patch for this issue. |
We were finding that if we used bo-html using html strings that contained scripts for example then those scripts would not be stripped as they would with ng-bind-html.
I'm not sure if this change is something that can be smoothly merged or if there is some reason it is as it is. Particularly not sure if this works in the absence of ngSanitize module.