angularjs + 跨站脚本防止 [英] angularjs + cross-site scripting preventing
问题描述
Angularjs 是否负责 XSS 攻击.我已经读过 ng-bind 会照顾.但是当我尝试做一个示例来测试它时,它允许我使用 ng-model 在输入类型中插入 html 标签......它没有转义 Html 标签.
我的页面中有很多 input 元素,它们与 ng-model 绑定,我该怎么做才能确保如果我输入了 html 标签,angular 会忽略 html/scrip 标签.
例如
如果我输入为
'你好,世界!'
$scope.name 包含与我输入的相同的内容,没有排除标签.即
var val = $scope.name;控制台日志(val);
打印相同
'你好,世界!'
请告诉我如何在 angularjs 中解决这个问题.
谢谢
看这里:http://docs.angularjs.org/api/ngSanitize/service/$sanitize
如果你想转义使用ng-bind
,它会在没有解释的情况下渲染标签:
Hello World
不像 Hello World !
你明白吗?所以 ng-bind 是安全的,因为它不关心 HTML 标签.
如果你希望你的 HTML 标签被解释但安全地使用 ng-bind-html !
例如如果你想显示这个字符串:
'Hello World'
结果将是:Hello World 但没有输入,因为 AngularJS 编译器使用 $sanitize 服务并检查 HTML 元素的白名单,并且 iput 未被授权.
也许 ng-bind-html 就是你要找的.
如果您只想确保用户不能在您的输入中放置 html 标签,只需在您的输入中使用指令 ng-pattern 即可!
http://docs.angularjs.org/api/ng/directive/input>
输入中允许的字符需要一个正则表达式!
希望能帮到你!
Is Angularjs takes care of XSS attack. I have read that ng-bind takes care. But When i try to do a sample to test that, it allows me to insert html tags in input type with ng-model...it didn't escape the Html tags.
I have lot of input element in our page, which binds with ng-model, what should I do to make sure if I input a html tags ,angular ignores the html/scrip tags.
ex.
<input id="name" ng-model="name"></input>
if I input as
'Hello, <b>World</b>!'
$scope.name contains the same what I entered ,didn't exclude the tags. i.e
var val = $scope.name;
console.log(val);
prints as same
'Hello, <b>World</b>!'
Please let me know how to solve this in angularjs.
thank
Look at here : http://docs.angularjs.org/api/ngSanitize/service/$sanitize
If you want escape use ng-bind
, it ll render the tag without interpretation like that :
Hello <b>World</b>
not like Hello World !
Do you understand ? so ng-bind is safe because it doesn't care about HTML tags.
If you want that your HTML tags be interpreted but safely just use ng-bind-html !
For example if you want to display this string :
'Hello <b>World</b><input type="text" />'
The result will be : Hello World but without the input because AngularJS compiler uses $sanitize service and check a whitelist of HTML elements and an iput is not authorized.
Maybe ng-bind-html is what you're looking for.
If you just want be sure that the user can't put html tags in your input just use the directive ng-pattern on your inputs !
http://docs.angularjs.org/api/ng/directive/input
It takes a regex for allowed characters in your input !
Hope it helps !
这篇关于angularjs + 跨站脚本防止的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!