如果包含
angular-sanitize脚本,则通过将HTML解析为标记来清理输入。然后将所有安全令牌(来自白名单)序列化回正确转义的html字符串。这意味着没有不安全的输入可以使其进入返回的字符串。
我在下面提供了一个受此博客文章启发的小例子。如果运行此脚本,
var app =angular.module("app", ["ngSanitize"]);则html链接将正确显示。但是,如果您注释掉该语句并取消注释var app= angular.module("app", []);,则会引发以下错误消息:Error: [$sce:unsafe] Attempting touse an unsafe value in a safe context.
<!DOCTYPE html><html><head> <link rel="icon" type="image/x-icon" href="favicon.ico"> <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.1/angular.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.1/angular-sanitize.min.js"></script> <!-- BEGIN disable refresh --> <script type="text/javascript"> //Including ngSanitize ensures html links get properly sanitized var app = angular.module("app", ["ngSanitize"]); //If you use this pre instead no html links get displayed //var app = angular.module("app", []); app.controller("mainController", function($scope) { var main = this; main.links = [ "<a href='http://google.com'>Google</a>", "<a href='http://odetopre.com'>OdeToCode</a>", "<a href='http://twitter.com'>Twitter</a>" ]; }); </script></head><body ng-app="app"> <section ng-controller="mainController as main"> <nav> <ul> <li ng-repeat="link in main.links" ng-bind-html="link"> </li> </ul> </nav> </section></body></html>
