I am using a contentEditable div to enable users to format their articles. I do some processing on the html content and persist it.
I am using ng-bind-html
to render the result when viewers want to read the article. I don't want to use $sce.trustAsHtml
because I still want AngularJS to sanitize the user input and because I don't trust all the input. All I want is for AngularJS sanitization to allow some attributes on elements. It seems to strip ID, and data- attributes. (but keeps class and title) .
Is data- attributes considered harmful? How can an attacker may use them to attack the end user? And is there a way to use them safely and let Angular not strip them out?
Here's an example:
article.body = '<p data-guid="afasfa-afasfafas-faf-asasf" class="guid-tagged">Yes this is my article</p>';
<article ng-bind-html='article.body'></article>
Here's what Angular outputs inside the article tag (notice the stripped out data- attribute):
<p class="guid-tagged">Yes this is my article</p>
Thanks
ng-bind directive binds the AngularJS Application data to HTML tags. ng-bind updates the model created by ng-model directive to be displayed in the html tag whenever user input something in the control or updates the html control's data when model data is updated by controller.
The ng-bind-html directive is a secure way of binding content to an HTML element. When you are letting AngularJS write HTML in your application, you should check the HTML for dangerous code. By including the "angular-sanitize.
As mentioned in the comment, ng-bind-html
passes the data through a sanitizer. This sanitizer removes a number of attributes from all input passed in it. This issue may help explain more: ngSanitize issue concerning whitelisting attributes. This part of the source code includes all the attributes considered valid and therefore left untouched by ngSanitize.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With