Difference between ng-bind, ng-bind-html, ng-bind-html-unsafe in AngularJS?
I would like to know the difference between ng-bind, ng-bind-html and ng-bind-html-unsafe.
Also, when I run the code below, I get the error shown underneath it:
Code:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>HTML Injection Security in AngularJS</title>
    <script type="text/javascript" src="/js/angular.js"></script>
    <script type="text/javascript">
        angular.module("myApp", []).controller("myController", function($scope)
        {
            $scope.getValue = function()
            {
                return "<b>Hello World</b>";
            };
        });
    </script>
</head>
<body>
    <div ng-app="myApp" ng-controller="myController">
        <span ng-bind-html="getValue();"></span>
        <span>Normal Text</span>
    </div>
</body>
</html>
Error:
Error: [$sce:unsafe] Attempting to use an unsafe value in a safe context.
http://errors.angularjs.org/1.3.11/$sce/unsafe
at REGEX_STRING_REGEXP (https://www.angularapprj.com:4443/js/angular.js:63:12)
at htmlSanitizer (https://www.angularapprj.com:4443/js/angular.js:15053:13)
at getTrusted (https://www.angularapprj.com:4443/js/angular.js:15217:16)
at Object.$get.sce.(anonymous function) [as getTrustedHtml] (https://www.angularapprj.com:4443/js/angular.js:15897:16)
at Object.ngBindHtmlWatchAction [as fn] (https://www.angularapprj.com:4443/js/angular.js:20449:29)
at Scope.$get.Scope.$digest (https://www.angularapprj.com:4443/js/angular.js:14230:29)
at Scope.$get.Scope.$apply (https://www.angularapprj.com:4443/js/angular.js:14493:24)
at bootstrapApply (https://www.angularapprj.com:4443/js/angular.js:1449:15)
at Object.invoke (https://www.angularapprj.com:4443/js/angular.js:4182:17)
at doBootstrap (https://www.angularapprj.com:4443/js/angular.js:1447:14)
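What does this mean? I know that using declarative code inside imperative code is not good practice, although I am only trying to use <b>Hello World</b> in the ng-bind-html directive.
After searching, I got the following information from https://docs.angularjs.org/guide/migration#ngbindhtmlunsafe-has-been-removed-and-replaced-by-ngbindhtml: in Angular version 1.3 they have migrated from ng-bind-html-unsafe to ng-bind-html. I still have a little doubt, though: why am I getting the error mentioned in the post?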
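The three binding behaviours the question asks about, as an added example that is not part of the original post: `ng-bind` writes text, while `ng-bind-html` accepts a plain string only when the `ngSanitize` module is loaded, and otherwise needs a value marked with `$sce.trustAsHtml`; without either it raises the `$sce:unsafe` error shown above. The path `/js/angular-sanitize.js`, the `trustedValue` property and the sample markup are assumptions made for this illustration.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>ng-bind vs ng-bind-html</title>
<script src="/js/angular.js"></script>
<!-- Assumed path: angular-sanitize.js must be the same version as angular.js -->
<script src="/js/angular-sanitize.js"></script>
<script>
  // Depending on ngSanitize gives ng-bind-html a sanitizer for plain strings.
  angular.module("myApp", ["ngSanitize"])
    .controller("myController", function ($scope, $sce) {
      // Constructed sample: markup carrying an inline event handler attribute.
      var markup = '<b onclick="void 0">Hello World</b>';

      // Plain string: ng-bind-html passes it through $sanitize before insertion.
      $scope.getValue = function () {
        return markup;
      };

      // Explicitly trusted value: inserted as-is, with no sanitizing.
      // Reserve this for markup the application itself authored.
      $scope.trustedValue = $sce.trustAsHtml("<b>Hello World</b>");
    });
</script>
</head>
<body>
<div ng-app="myApp" ng-controller="myController">
  <!-- 1. ng-bind sets text content: the tags are displayed literally. -->
  <p ng-bind="getValue()"></p>

  <!-- 2. ng-bind-html with ngSanitize: bold text, onclick attribute removed. -->
  <p ng-bind-html="getValue()"></p>

  <!-- 3. ng-bind-html with a $sce-trusted value: rendered without sanitizing. -->
  <p ng-bind-html="trustedValue"></p>
</div>
</body>
</html>
```

Removing `"ngSanitize"` from the module's dependency list makes the second paragraph fail with `$sce:unsafe` again, while the third keeps working because its value is already marked as trusted.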