Why does AngularJS strip out data- attributes when using ng-bind-html?
Problem description
I am using a contentEditable div to enable users to format their articles. I do some processing on the html content and persist it.
I am using ng-bind-html to render the result when viewers want to read the article. I don't want to use $sce.trustAsHtml because I still want AngularJS to sanitize the user input and because I don't trust all the input. All I want is for AngularJS sanitization to allow some attributes on elements. It seems to strip id and data- attributes (but keeps class and title).
Are data- attributes considered harmful? How could an attacker use them to attack the end user? And is there a way to use them safely and keep Angular from stripping them out?
Here's an example:
article.body = '<p data-guid="afasfa-afasfafas-faf-asasf" class="guid-tagged">Yes this is my article</p>';
<article ng-bind-html='article.body'></article>
Here's what Angular outputs inside the article tag (notice the stripped out data- attribute):
<p class="guid-tagged">Yes this is my article</p>
Thanks
Recommended answer
As mentioned in the comment, ng-bind-html passes the data through a sanitizer. This sanitizer removes a number of attributes from all input passed through it. This issue may help explain more: ngSanitize issue concerning whitelisting attributes. This part of the source code includes all the attributes considered valid and therefore left untouched by ngSanitize.