如何使用聚合物将HTML注入模板 [英] How to inject HTML into a template with polymer
问题描述
我正在使用polymer-jsonp来执行JSONP请求,但响应有时包含html。
I'm using polymer-jsonp to perform JSONP requests, but the response sometimes contains html.
例如,假设post.content为< strong> Foo< / strong> bar
,如何显示{{post.content}},以便Foo
是大胆的?
For example, supposing that post.content is "<strong>Foo</strong> bar"
, how can I display {{post.content}} such that "Foo"
is in bold?
<polymer-element name="feed-element" attributes="">
<template>
<template repeat="{{post in posts.feed.entry}}">
<p>{{post.content}}</p>
</template>
<polymer-jsonp url="url" response="{{posts}}"></polymer-jsonp>
</template>
<script>
Polymer('feed-element', {
created: function() { },
attached: function() { },
detached: function() { },
attributeChanged: function(attrName, oldVal, newVal) { }
});
</script>
</polymer-element>
推荐答案
Polymer不会通过数据绑定标记未转义的HTML,因为它成为XSS攻击的一个漏洞。
Polymer will not stamp unescaped HTML via data-binding because it becomes a vulnerability for XSS attacks.
正在讨论如何在有限的环境下标记HTML,或允许自定义过滤,但这没有实现但是在数据层。
There are talks ongoing about making it possible to stamp HTML under limited circumstance, or to allow for customized filtering, but this is not implemented yet at the data layer.
今天可以使用额外的自定义元素做你想做的事情,但是再次被告知如果发生坏事可能会发生您将不受信任的HTML呈现到页面中。
It is possible to do what you want today using an additional custom element, but again, be advised of the potential for bad things to happen if you render untrusted HTML into your page.
这是一个显示此技术的示例:
Here is an example that shows this technique:
http://jsbin.com/durajiwo/1/edit
这篇关于如何使用聚合物将HTML注入模板的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!