Why does AngularJS strip out data- attributes when using ng-bind-html?


Question


I am using a contentEditable div to enable users to format their articles. I do some processing on the html content and persist it.


I am using ng-bind-html to render the result when viewers want to read the article. I don't want to use $sce.trustAsHtml because I still want AngularJS to sanitize the user input and because I don't trust all the input. All I want is for AngularJS sanitization to allow some attributes on elements. It seems to strip id and data- attributes (but keeps class and title).


Are data- attributes considered harmful? How might an attacker use them to attack the end user? And is there a way to use them safely and have Angular not strip them out?

Here's an example:

article.body = '<p data-guid="afasfa-afasfafas-faf-asasf" class="guid-tagged">Yes this is my article</p>';
<article ng-bind-html='article.body'></article>


Here's what Angular outputs inside the article tag (notice the stripped out data- attribute):

<p class="guid-tagged">Yes this is my article</p>

Thanks

Answer


As mentioned in the comment, ng-bind-html passes the data through a sanitizer. This sanitizer removes a number of attributes from all input passed into it. This issue may help explain more: ngSanitize issue concerning whitelisting attributes. This part of the source code includes all the attributes considered valid and therefore left untouched by ngSanitize.
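The following is an added illustration, not AngularJS's own ngSanitize code: a small allow-list attribute filter that models the behaviour the question observed (class and title survive, id and data-guid are dropped), followed by one way to opt a single data-* attribute back in without trusting its value. The allow-lists, the hypothetical sanitizeHtml/sanitizeWithGuid functions and the GUID format are assumptions made for the example; the sample HTML is the question's own.

```javascript
// Added example, not part of the original post or of AngularJS.
// Models allow-list attribute filtering: anything not on the list is dropped,
// which is why id="..." and data-*="..." vanish while class and title stay.
// This is an illustration of the logic only, not a production HTML sanitizer.

// Constructed allow-lists (assumptions, chosen to match what the question saw).
const ALLOWED_TAGS = new Set(['p', 'a', 'b', 'i', 'em', 'strong', 'span', 'img', 'br']);
const ALLOWED_ATTRS = new Set(['class', 'title', 'href', 'src', 'alt']);

// name, then optionally ="..." / ='...' / =bare
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Keep only attributes whose names are on the allow-list; re-emit them quoted.
function filterAttributes(attrString, allowed) {
  const kept = [];
  for (const m of attrString.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) continue; // dropped: id, data-*, onclick, style, ...
    const value = m[3] ?? m[4] ?? m[5] ?? '';
    kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

// Rewrite every tag: unknown elements are removed, known ones keep only
// allow-listed attributes. Text between tags is passed through unchanged
// (the sample contains plain text only).
function sanitizeHtml(html, allowed = ALLOWED_ATTRS) {
  return html.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (whole, slash, tag, attrs) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';
    if (slash) return `</${name}>`;
    return `<${name}${filterAttributes(attrs, allowed)}>`;
  });
}

// Defender-side extension (assumption): allow exactly one data-* attribute,
// and only when its value matches a strict format, so the extra attribute
// cannot carry arbitrary attacker-chosen content into the page.
const GUID_RE = /^[a-z0-9-]{1,64}$/;

function sanitizeWithGuid(html) {
  const allowed = new Set([...ALLOWED_ATTRS, 'data-guid']);
  const out = sanitizeHtml(html, allowed);
  // second pass: remove any data-guid whose value fails validation
  return out.replace(/ data-guid="([^"]*)"/g, (m, v) => (GUID_RE.test(v) ? m : ''));
}

// Sample input from the question.
const body = '<p data-guid="afasfa-afasfafas-faf-asasf" class="guid-tagged">Yes this is my article</p>';
console.log(sanitizeHtml(body));      // data-guid dropped, class kept
console.log(sanitizeWithGuid(body));  // data-guid kept because its value validates
```

The point of the second function is that widening the allow-list is safe only when the value is constrained as well as the name: an attribute name like data-guid is harmless by itself, but any attribute that survives sanitization becomes data that other scripts on the page may later read and act on, so its format should be checked before it is re-admitted.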

