试图在我的应用程序上使用角度清洁剂实现角度清洁剂,但无法正常工作。
angular.module('sanitizeExample', ['ngSanitize'])
.controller('ExampleController', ['$scope', '$sce', function($scope, $sce) {
//$scope.snippet = "<script type='text/javascript'>alert(1)</script>";
$scope.snippet = "alert(1)";
$scope.deliberatelyTrustDangerousSnippet = function() {
return $sce.trustAsHtml($scope.snippet);
};
$scope.escape = function(input) {
return $sce.trustAsHtml(input);
}
}]);<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/angularjs/1.5.8/angular.min.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/angularjs/1.5.8/angular-sanitize.js"></script>
<div ng-app="sanitizeExample">
<div ng-controller="ExampleController">
Snippet: <textarea ng-model="snippet" cols="60" rows="3"></textarea>
<table>
<tr>
<td>Directive</td>
<td>How</td>
<td>Source</td>
<td>Rendered</td>
</tr>
<tr id="bind-html-with-sanitize">
<td>ng-bind-html</td>
<td>Automatically uses $sanitize</td>
<td><pre><div ng-bind-html="snippet"><br/></div></pre></td>
<td><div ng-bind-html="snippet"></div></td>
</tr>
<tr id="bind-html-with-trust">
<td>ng-bind-html</td>
<td>Bypass $sanitize by explicitly trusting the dangerous value</td>
<td>
<pre><div ng-bind-html="deliberatelyTrustDangerousSnippet()">
</div></pre>
</td>
<td><div ng-bind-html="deliberatelyTrustDangerousSnippet()"></div></td>
</tr>
<tr id="bind-default">
<td>ng-bind</td>
<td>Automatically escapes</td>
<td><pre><div ng-bind="snippet"><br/></div></pre></td> <td><div ng-bind="snippet">ggg</div></td>
</tr>
</table>
<p>{{ escape("<script type='text/javascript'>alert(1)</script>") }}</p>
</div>
</div>
引发未捕获的SyntaxError:使用脚本时无效或意外的令牌错误
$scope.snippet = "<script type='text/javascript'>alert(1)</script>"
无需脚本即可正常运行
$scope.snippet = "alert(1)"
它在浏览器中发出警报,但期望p标记的内部文本。
<p>{{ escape("<script type='text/javascript'>alert(1)</script>") }}</p>
也在html中获得输出
{{escape(“”)}}
如何通过从html模板调用控制器函数来清理具有script标签的变量。
答案 0 :(得分:1)
这可行吗?
angular.module("sanitizeExample", ['ngSanitize'])
.controller("ExampleController", ['$scope', '$sce', function($scope, $sce){
/* $scope.snippet = "alert(1)"; */
$scope.snippet = "<script " + "type='text/javascript'"+" >alert(1) <" + "/script>";
$scope.deliberatelyTrustDangerousSnippet = function(){
return $sce.trustAsHtml($scope.snippet);
};
$scope.escape = function(input) {
return $sce.trustAsHtml(input);
}
}]); <script src="http://ajax.googleapis.com/ajax/libs/angularjs/1.5.8/angular.min.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/angularjs/1.5.8/angular-sanitize.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<div ng-app="sanitizeExample">
<div ng-controller="ExampleController">
Snippet: <textarea ng-model="snippet" cols="60" rows="3"></textarea>
<table>
<tr>
<td>Directive</td>
<td>How</td>
<td>Source</td>
<td>Rendered</td>
</tr>
<tr id="bind-html-with-sanitize">
<td>ng-bind-html</td>
<td>Automatically uses $sanitize</td>
<td><pre><div ng-bind-html="snippet"><br/></div></pre></td>
<td><div ng-bind-html="snippet"></div></td>
</tr>
<tr id="bind-html-with-trust">
<td>ng-bind-html</td>
<td>Bypass $sanitize by explicitly trusting the dangerous value</td>
<td>
<pre><div ng-bind-html="deliberatelyTrustDangerousSnippet()">
</div></pre>
</td>
<td><div ng-bind-html="deliberatelyTrustDangerousSnippet()"></div></td>
</tr>
<tr id="bind-default">
<td>ng-bind</td>
<td>Automatically escapes</td>
<td><pre><div ng-bind="snippet"><br/></div></pre></td> <td><div ng-bind="snippet">ggg</div></td>
</tr>
</table>
<!--
-->
<p>{{ escape("<script type='text/javascript'>alert(1)</script>") }}</p>
</div>
</div>
答案 1 :(得分:0)
仅包含ngSanitize模块,足以在视图中进行清理。
angular.module("sanitizeExample", ['ngSanitize'])
这不是从视图中测试消毒的正确方法。它作为变量传递到角度,以便执行并发出警报。
{{ escape("<script type='text/javascript'>alert(1)</script>") }}
当我们从数据服务进行测试时,消毒功能按预期工作。