使用 ngBindHtml 注入脚本标签 [英] Injecting a script tag with ngBindHtml
问题描述
我有外部 API 数据,它是用户生成的内容.客户希望使用此提要动态更新他自己的网站,包括使用 JavaScript 的能力.
将显示任何 HTML 或 CSS 但不适用于 JavaScript:
"content":"<div>Hello Stack</div><script>alert('whats up?');</script>"
我试过包括 ngSanitize
以及使用 ng-bind-html-unsafe
.
没有骰子.
你必须包含 jQuery 才能工作.
经过一番搜索,我发现了 https://stackoverflow.com/a/14088380/1264846.
示例 plunkr:http://plnkr.co/edit/zEXXCB459Tp25VJiyyZb?p=preview
I have external API data which is a user generated content. The client wants to dynamically update his own site with this feed, including the ability to use JavaScript.
<div ng-bind-html="post.content"></div>
Will display anything that is HTML or CSS but does not work with JavaScript:
"content":"<div>Hello Stack</div><script>alert('whats up?');</script>"
I have tried including ngSanitize
as well as using ng-bind-html-unsafe
.
No dice.
You have to include jQuery for this to work.
After some searching I came across https://stackoverflow.com/a/14088380/1264846.
Example plunkr: http://plnkr.co/edit/zEXXCB459Tp25VJiyyZb?p=preview
这篇关于使用 ngBindHtml 注入脚本标签的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!