angularjs - ng-non-bindable only for the content of the element -

-

in our angular application, have link filled user content on server side. need tell angular not interpret link content. otherwise, if user, or attacker puts angular binding expressions in there (say {{user.password}}) angular evaluate it, opening security hole - kind of xss attack.

ng-non-bindable that. however, want link manipulated angular.

<a href="" class="side-bar-element" ng-class="{ 'side-bar-element-selected': issiteselected(@site.value.id) }">@site.value.name</a>

@site.value.name server side code insert content.

if put ng-non-bindable on element, ng-class won't work. solution can see insert span/div inside , apply ng-non-bindable that:

<a href="" class="side-bar-element" ng-class="{ 'side-bar-element-selected': issiteselected(@site.value.id) }"><span ng-non-bindable>@site.value.name</span></a>

this seems clunky, having modify html structure stop angular interfering server-side data.

is there cleaner solution?

ideally ng-non-bindable (or variant) mean "don't bind content, treat element normal otherwise".

if user, or attacker puts angular binding expressions user content (say {{user.password}}) angular evaluate it, opening security hole - kind of xss attack.

use $delegate service lower ng-non-bindable directive priority:

<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.2.23/angular.min.js"></script>  <body ng-app="nonbindableexample">      <script>      function delegator($delegate)       {       /* override directive definition object (ddo) */        $delegate[0].priority = 0;              return $delegate;       }          function provider($provide)       {       /* decorate ng-non-bindable proxy function */       $provide.decorator('ngnonbindabledirective', ["$delegate", delegator]);       }        /* inject provider , delegator methods services */      provider['$inject'] = ['$provide'];      delegator['$inject'] = ['$delegate'];        /* inject module new provider */      angular.module('nonbindableexample', []);      angular.module("nonbindableexample").config(["$provide",provider]);    </script>      <div>{{$id}}</div><div ng-non-bindable class="{{$id}}">{{$id}}</div></div>  </body>

when there multiple directives defined on single dom element, necessary specify order in directives applied. priority used sort directives before compile functions called. priority defined number. directives greater numerical priority compiled first. pre-link functions run in priority order, post-link functions run in reverse order. order of directives same priority undefined. default priority 0.

or separate user content via <script type="text/ng-template">: 

<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.2.23/angular.min.js"></script>    <!--declare module-->    <script>    angular.module('foo', []);    </script>    <!--auto bootstrapping-->  <div ng-app="foo">      <!--inline template-->    <script type="text/ng-template" id="baz">      <span ng-non-bindable>hi {{bar}}</span>    </script>      <!--data binding-->    <a href="" ng-init="bar=1" ng-class="{{bar}}" ng-include="'baz'"></a>  </div>

use ng-include directive a element , use span element ng-non-bindable directive decouple text element.

references


Comments

Post a Comment

Popular posts from this blog

Delphi XE2 Indy10 udp client-server interchange using SendBuffer-ReceiveBuffer -

-
i use delphi xe2 , indy10 udp protocol. can't receive server echo on client side if use receivebuffer method. got "socket error # 10040" although send small echo message server client. console application illustrate problem below. in advance. program project1; {$apptype console} {$r *.res} uses system.sysutils, idglobal, idbasecomponent, idcomponent, idsockethandle, idudpclient, idudpserver, idudpbase, idstack; type tudp_serv = class(tidudpserver) procedure udpsvudpread(athread: tidudplistenerthread; adata: tidbytes; abinding: tidsockethandle); end; var udpserver: tudp_serv; udpcl: tidudpclient; bsnd, brcv: tbytes; s: string; k: integer; //============================================================================== procedure tudp_serv.udpsvudpread(athread: tidudplistenerthread; adata: tidbytes; abinding: tidsockethandle); begin writeln(' server read: ' + tohex(adata, length(adata))); abinding sendto(peerip, peerport, adat...
Read more

Qt ActiveX WMI QAxBase::dynamicCallHelper: ItemIndex(int): No such property in -

-
i new windows programming. here goes code objiwbemlocator = new qaxobject("wbemscripting.swbemlocator"); objwmiservice = objiwbemlocator->querysubobject("connectserver(qstring&,qstring&)",qstring("."),qstring("root\\cimv2")); qaxobject* returnlist = objwmiservice->querysubobject("execquery(qstring&)", qstring("select * %1").arg(domain)); qaxobject* result = returnlist->querysubobject("itemindex(int)", 0); i getting error on runtime qt activex wmi qaxbase::dynamiccallhelper: itemindex(int): no such property in but itemindex method exists msdn says the itemindex method not work collections not contain swbemobjects, such swbemmethodset, swbemnamedvalueset, swbemprivilegeset, swbempropertyset, , swbemqualifierset. what selecting ? have tried iterating on collection ? plus need minimum windows vista itemindex method. hope helps
Read more

Enable autocomplete or intellisense in Atom editor for PHP -

-
i'm first time user of atom editor php code. atom can autocomplete built-in functions of php. possible make editor autocomplete custom function written in separate file? function.php <?php function printsomething() { echo "hello world"; } index.php <?php require_once "function.php"; printsomething(); // autocompleted atom editor while typing thanks in advance. there text file in %userprofile%.atom called snippets.cson. in there can add snippet. more this: http://flight-manual.atom.io/using-atom/sections/snippets/ but need think can use later on other files well. otherwise need copy , paste.
Read more