I've been trying to set up a search form where I can inject the form action attribute.
In my form I have
<form action="{{action}}">
Then in my controller I have
$scope.action = "http://www.somesite.com"
That gives me an interpolate error because it has untrusted "http:" in the string. How do I get around this? I know I can use ng-bind-html to put HTML in the DOM, but I don't know if I can get that to work with an attribute only.
Has anyone else had this issue? I really can't think of a way around it.
Thanks
I agree with hooligan's answer. For some reason, $sce.trustAsURL doesn't seem to work. Instead, $sce.trustAsResourceUrl('') did work for me.
If you are using Angular.js 1.2 or above, you have access to the Strict Contextual Escaping Service, $sce.
SCE assists in writing code in a way that (a) is secure by default and (b) makes auditing for security vulnerabilities such as XSS, clickjacking, etc. a lot easier.
Within $sce, you can pass a variable to $sce.trustAsUrl(value) to obtain its original value. So you should be able to use:
$scope.action = $sce.trustAsUrl("http://www.somesite.com");
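An added example, not code from the original posts: AngularJS treats a form's action attribute as a resource URL context, which is why $sce.trustAsResourceUrl is the call that takes effect there. Because that call switches off SCE's check for the value, this sketch validates the URL against an origin allowlist first. The names trustedFormAction, ALLOWED_ORIGINS, searchApp and SearchCtrl are hypothetical, and the allowlist entry is a constructed sample.

```javascript
// Added example. ALLOWED_ORIGINS and trustedFormAction are hypothetical
// names; the allowlist entry is a constructed sample value.
const ALLOWED_ORIGINS = new Set(["https://www.somesite.com"]);

// Returns an SCE-trusted resource URL only for an absolute https URL whose
// origin is on the allowlist; throws for everything else.
function trustedFormAction($sce, candidate, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(candidate); // relative or malformed input throws here
  } catch (e) {
    throw new Error("form action must be an absolute URL");
  }
  if (url.protocol !== "https:") {
    throw new Error("form action scheme not allowed: " + url.protocol);
  }
  if (url.username || url.password) {
    // Rejects look-alike URLs of the form https://trusted-host@other-host/
    throw new Error("form action must not contain credentials");
  }
  if (!allowedOrigins.has(url.origin)) {
    throw new Error("form action origin not allowed: " + url.origin);
  }
  // Trust the normalized form, not the raw input string.
  return $sce.trustAsResourceUrl(url.href);
}

// Controller wiring; runs only on a page where AngularJS is loaded.
if (typeof angular !== "undefined") {
  angular.module("searchApp", []).controller("SearchCtrl", [
    "$scope",
    "$sce",
    function ($scope, $sce) {
      // Bound in the template as <form action="{{action}}">
      $scope.action = trustedFormAction($sce, "https://www.somesite.com/search");
    },
  ]);
}
```

AngularJS can also allowlist origins application-wide through $sceDelegateProvider.resourceUrlWhitelist, in which case a matching plain string binds without an explicit trust call.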