Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why does AngularJS strip out data- attributes when using ng-bind-html?

I am using a contentEditable div to enable users to format their articles. I do some processing on the html content and persist it.

I am using ng-bind-html to render the result when viewers want to read the article. I don't want to use $sce.trustAsHtml because I still want AngularJS to sanitize the user input and because I don't trust all the input. All I want is for AngularJS sanitization to allow some attributes on elements. It seems to strip ID, and data- attributes. (but keeps class and title) .

Is data- attributes considered harmful? How can an attacker may use them to attack the end user? And is there a way to use them safely and let Angular not strip them out?

Here's an example:

article.body = '<p data-guid="afasfa-afasfafas-faf-asasf" class="guid-tagged">Yes this is my article</p>';
<article ng-bind-html='article.body'></article>

Here's what Angular outputs inside the article tag (notice the stripped out data- attribute):

<p class="guid-tagged">Yes this is my article</p>

Thanks

like image 205
mkhatib Avatar asked Dec 07 '14 22:12

mkhatib


People also ask

Does ng bind bind the application data to HTML tags in AngularJS?

ng-bind directive binds the AngularJS Application data to HTML tags. ng-bind updates the model created by ng-model directive to be displayed in the html tag whenever user input something in the control or updates the html control's data when model data is updated by controller.

What is Ng bind HTML in AngularJS?

The ng-bind-html directive is a secure way of binding content to an HTML element. When you are letting AngularJS write HTML in your application, you should check the HTML for dangerous code. By including the "angular-sanitize.


1 Answers

As mentioned in the comment, ng-bind-html passes the data through a sanitizer. This sanitizer removes a number of attributes from all input passed in it. This issue may help explain more: ngSanitize issue concerning whitelisting attributes. This part of the source code includes all the attributes considered valid and therefore left untouched by ngSanitize.

like image 58
user2604185 Avatar answered Oct 26 '22 22:10

user2604185