使用 ngBindHtml 注入脚本标签 [英] Injecting a script tag with ngBindHtml

问题描述

我有外部 API 数据，它是用户生成的内容.客户希望使用此提要动态更新他自己的网站，包括使用 JavaScript 的能力.

将显示任何 HTML 或 CSS 但不适用于 JavaScript:

"content":"<div>Hello Stack</div><script>alert('whats up?');</script>"

我试过包括 ngSanitize 以及使用 ng-bind-html-unsafe.

没有骰子.

解决方案

你必须包含 jQuery 才能工作.

经过一番搜索，我发现了 https://stackoverflow.com/a/14088380/1264846.

示例 plunkr:http://plnkr.co/edit/zEXXCB459Tp25VJiyyZb?p=preview

I have external API data which is a user generated content. The client wants to dynamically update his own site with this feed, including the ability to use JavaScript.

<div ng-bind-html="post.content"></div>

Will display anything that is HTML or CSS but does not work with JavaScript:

"content":"<div>Hello Stack</div><script>alert('whats up?');</script>"

I have tried including ngSanitize as well as using ng-bind-html-unsafe.

No dice.

解决方案

You have to include jQuery for this to work.

After some searching I came across https://stackoverflow.com/a/14088380/1264846.

Example plunkr: http://plnkr.co/edit/zEXXCB459Tp25VJiyyZb?p=preview

这篇关于使用 ngBindHtml 注入脚本标签的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！