angularjs + cross-site scripting preventing
Problem description
Does AngularJS take care of XSS attacks? I have read that ng-bind takes care of it. But when I try a sample to test that, it allows me to insert HTML tags in an input with ng-model... it didn't escape the HTML tags.
I have a lot of input elements in our page, which bind with ng-model. What should I do to make sure that if I input HTML tags, Angular ignores the HTML/script tags?
E.g.:
<input id="name" ng-model="name"></input>
If I enter the input as
'Hello, <b>World</b>!'
$scope.name contains the same as what I entered; it didn't exclude the tags, i.e.
var val = $scope.name;
console.log(val);
It prints the same:
'Hello, <b>World</b>!'
Please let me know how to solve this in angularjs.
Thanks
Recommended answer
Look here: http://docs.angularjs.org/api/ngSanitize/service/$sanitize
If you want to escape, use ng-bind; it'll render the tag without interpretation, like this:
Hello <b>World</b>
not like Hello World!
Do you understand? So ng-bind is safe because it doesn't care about HTML tags.
If you want your HTML tags to be interpreted, but safely, just use ng-bind-html!
For example, if you want to display this string:
'Hello <b>World</b><input type="text" />'
The result will be: Hello World but without the input, because the AngularJS compiler uses the $sanitize service and checks a whitelist of HTML elements, and an input is not authorized.
Maybe ng-bind-html is what you're looking for.
If you just want to be sure that the user can't put HTML tags in your input, just use the directive ng-pattern on your inputs!
http://docs.angularjs.org/api/ng/directive/input
It takes a regex for allowed characters in your input!
Hope it helps!
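The options from the answer side by side, as an added example that is not part of the original question or answer: the model always holds the raw string, and what differs is how each binding renders it or whether validation accepts it. It assumes local copies of AngularJS 1.x (`angular.js`, `angular-sanitize.js`); the names `xssDemo`, `DemoCtrl`, `demoForm` and `strictName` are hypothetical.

```html
<!DOCTYPE html>
<html ng-app="xssDemo">
<head>
  <meta charset="utf-8">
  <!-- Assumption: local copies of AngularJS 1.x and its ngSanitize module -->
  <script src="angular.js"></script>
  <script src="angular-sanitize.js"></script>
  <script>
    // ngSanitize provides $sanitize, which ng-bind-html uses for plain strings
    angular.module('xssDemo', ['ngSanitize'])
      .controller('DemoCtrl', function ($scope) {
        // Constructed sample value: the string used in the answer
        $scope.name = 'Hello <b>World</b><input type="text" />';
      });
  </script>
</head>
<body ng-controller="DemoCtrl">
  <form name="demoForm">
    <!-- Unrestricted input: $scope.name receives the tags unchanged -->
    <input id="name" name="name" ng-model="name">

    <!-- Restricted input: a value containing < or > fails validation,
         so strictName is set to undefined instead of the typed text -->
    <input name="strictName" ng-model="strictName" ng-pattern="/^[^<>]*$/">
    <span ng-show="demoForm.strictName.$error.pattern">
      HTML tags are not allowed here
    </span>
  </form>

  <!-- Escaped output: the tags are displayed as literal text -->
  <p ng-bind="name"></p>

  <!-- Sanitized output: <b> is interpreted, <input> is stripped -->
  <p ng-bind-html="name"></p>
</body>
</html>
```

The `ng-pattern` check only runs in the browser, so the server receiving these values still has to validate or encode them itself.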