angularjs + cross-site scripting preventing


Question

Does AngularJS take care of XSS attacks? I have read that ng-bind takes care of it. But when I try a sample to test that, it allows me to insert HTML tags in an input with ng-model... it didn't escape the HTML tags.

I have a lot of input elements in our page, which bind with ng-model. What should I do to make sure that if I input HTML tags, Angular ignores the html/script tags?

E.g.

<input id="name" ng-model="name">

If I enter:

'Hello, <b>World</b>!'

$scope.name contains the same as what I entered; it didn't exclude the tags. I.e.

  var val = $scope.name;
  console.log(val); 

prints the same:

'Hello, <b>World</b>!'

Please let me know how to solve this in angularjs.

Thanks

Answer

Take a look here: http://docs.angularjs.org/api/ngSanitize/service/$sanitize

If you want to escape, use ng-bind; it'll render the tag without interpretation, like this:

Hello <b>World</b> (shown literally, as text), not like Hello World with "World" rendered in bold.

Do you understand? So ng-bind is safe because it doesn't care about HTML tags.

If you want your HTML tags to be interpreted, but safely, just use ng-bind-html!

For example, if you want to display this string:

'Hello <b>World</b><input type="text" />'

The result will be: Hello World, but without the input, because the AngularJS compiler uses the $sanitize service and checks a whitelist of HTML elements, and an input is not authorized.

Maybe ng-bind-html is what you're looking for.

If you just want to be sure that the user can't put HTML tags in your input, just use the directive ng-pattern on your inputs!

http://docs.angularjs.org/api/ng/directive/input

It takes a regex for allowed characters in your input !

Hope it helps!
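As an added illustration (not AngularJS's own code, and not part of the answer above), the three behaviours the answer describes, modelled in plain JavaScript: escaping as ng-bind effectively does (markup is treated as text), a simplified allow-list sanitizer standing in for $sanitize (the real service is a full HTML parser with element and attribute whitelists, so this tag-level version is a model only), and an ng-pattern style regex check. The helper names, the allow-list contents and the regex are assumptions, run on the two strings from the question and the answer.

```javascript
// Added example, not AngularJS code: escapeHtml ~ what ng-bind achieves,
// sanitizeAllowlist ~ a simplified $sanitize, matchesPattern ~ ng-pattern.

// Escape the characters HTML treats specially, so the browser shows them
// as text instead of parsing them as markup (the ng-bind behaviour).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Simplified allow-list sanitizer (assumed allow-list): tags whose name is
// in ALLOWED survive with all attributes stripped, every other tag is
// removed entirely, and text between tags is escaped. Tag-level regex only;
// the real $sanitize parses HTML properly.
const ALLOWED = new Set(['b', 'i', 'em', 'strong', 'p', 'ul', 'li']);
function sanitizeAllowlist(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text before this tag
    const name = m[1].toLowerCase();
    const closing = m[0][1] === '/';
    if (ALLOWED.has(name)) out += closing ? `</${name}>` : `<${name}>`;
    last = tagRe.lastIndex;                        // disallowed tag dropped
  }
  return out + escapeHtml(html.slice(last));       // trailing text
}

// ng-pattern style validation (assumed regex): the model value is valid
// only if it contains no angle brackets at all.
const NO_TAGS = /^[^<>]*$/;
function matchesPattern(value) {
  return NO_TAGS.test(value);
}

// The strings from the question and from the answer.
const questionInput = 'Hello, <b>World</b>!';
const answerInput = 'Hello <b>World</b><input type="text" />';
console.log(escapeHtml(questionInput));      // Hello, &lt;b&gt;World&lt;/b&gt;!
console.log(sanitizeAllowlist(answerInput)); // Hello <b>World</b>
console.log(matchesPattern(questionInput));  // false
```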
