Menu
I am getting JSON data from the server, one of the field contains escaped html (an email body actually):
<html>\r\n<head>\r\n<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">\r\n</head>\r\n<body dir="auto">\r\n<div>Buonasera, ho verificato i dati sul mio account ed il numero di cell che vi ho fornito</div>\r\n<div><br>\r\n<a (more...)
I am getting crazy at trying to render it with AngularJs.
The following is not working:
<div ng-bind-html-unsafe="mail.htmlbody"></div> Which I believe is normal because the html is in fact escaped. Should I unescape it first? Is Angular capable of unescaping html with some available service?
If I use $sce like this:
scope.mail.htmlbody = $sce.trustAsHtml(scope.mail.htmlbody); The source html is displayed, inspecting the element I can see the content is quoted. In other words in the page the source html is displayed instead of the html being rendered. Maybe I am missing something?
434
AngularJS provides reusable components.
Strict Contextual Escaping (SCE) is a mode in which AngularJS constrains bindings to only render trusted values. Its goal is to assist in writing code in a way that (a) is secure by default, and (b) makes auditing for security vulnerabilities such as XSS, clickjacking, etc.
The ng-bind-html directive is a secure way of binding content to an HTML element.
At the same time $sce service was introduced (angular 1.2), support for ng-bind-html-unsafe directive was dropped. The new directive is ng-bind-html. If you use this, the code should work as documented:
<div ng-bind-html="mail.htmlbody"></div> Use this directive:
<div ng-bind-html="mail.htmlbody"></div> Don't forget to use angular sanitize on your app module.
check here : http://docs.angularjs.org/api/ngSanitize
29
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
