From 40f5f4c1830d3e0257bcc9bb4534cf05f4201755 Mon Sep 17 00:00:00 2001
From: julianjelfs
Date: Thu, 3 Apr 2014 17:07:03 +0100
Subject: [PATCH 1/2] make sure that bo-html sanitizes html
---
 bindonce.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bindonce.js b/bindonce.js
index 3a6f43d..5be739f 100644
--- a/bindonce.js
+++ b/bindonce.js
@@ -35,7 +35,7 @@
 var bindonceDirective =
 {
 restrict: "AM",
- controller: ['$scope', '$element', '$attrs', '$interpolate', function ($scope, $element, $attrs, $interpolate)
+ controller: ['$scope', '$element', '$attrs', '$interpolate', '$sce', function ($scope, $element, $attrs, $interpolate, $sce)
 {
 var showHideBinder = function (elm, attr, value)
 {
@@ -180,7 +180,7 @@
 binder.element.text(value);
 break;
 case 'html':
- binder.element.html(value);
+ binder.element.html($sce.getTrustedHtml(value));
 break;
 case 'style':
 binder.element.css(value);
From 5d615013159ed236e97e6d05843ff30a7f1136d9 Mon Sep 17 00:00:00 2001
From: julianjelfs
Date: Fri, 4 Apr 2014 12:22:48 +0100
Subject: [PATCH 2/2] refactor bo-html to be safe if and only if ngSanitize is included
---
 bindonce.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bindonce.js b/bindonce.js
index 5be739f..c1970f8 100644
--- a/bindonce.js
+++ b/bindonce.js
@@ -35,8 +35,9 @@
 var bindonceDirective =
 {
 restrict: "AM",
- controller: ['$scope', '$element', '$attrs', '$interpolate', '$sce', function ($scope, $element, $attrs, $interpolate, $sce)
+ controller: ['$scope', '$element', '$attrs', '$interpolate', '$injector', '$sce', function ($scope, $element, $attrs, $interpolate, $injector, $sce)
 {
+ var sanitize = $injector.has('$sanitize');
 var showHideBinder = function (elm, attr, value)
 {
 var show = (attr === 'show') ? '' : 'none';
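Review bot: In the `case 'html'` branch of PATCH 1/2, `$sce.getTrustedHtml(value)` is a trust lookup rather than an unconditional sanitizer call, so the subject line's "sanitizes html" holds only in some configurations. As AngularJS documents it, a plain string is passed through `$sanitize` only when ngSanitize is loaded and the call throws otherwise, a value wrapped with `$sce.trustAsHtml` is returned without sanitizing, and with `$sceProvider.enabled(false)` the input comes back unchanged. A comment above the call such as `// unwraps trustAsHtml values; plain strings are sanitized only if ngSanitize is loaded (throws otherwise)` would state that contract, and a spec that binds a string containing markup with and without ngSanitize would pin it. The enclosing switch starts and ends outside the hunk.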
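Review bot: The flag added at the top of the controller in PATCH 2/2, `var sanitize = $injector.has('$sanitize');`, holds a boolean but is named like the sanitizer itself, so the later `sanitize ? … : value` is easy to misread as a service call. A name and comment that say what is being tested would help, for example `var hasSanitize = $injector.has('$sanitize'); // is ngSanitize loaded? decides whether bo-html output is filtered`. Since this one boolean decides whether a raw-HTML sink is filtered, it deserves to be unambiguous to the next maintainer. The controller function continues past the end of the hunk.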
@@ -180,7 +181,7 @@
 binder.element.text(value);
 break;
 case 'html':
- binder.element.html($sce.getTrustedHtml(value));
+ binder.element.html(sanitize ? $sce.getTrustedHtml(value) : value);
 break;
 case 'style':
 binder.element.css(value);
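Review bot: The fallback arm of `sanitize ? $sce.getTrustedHtml(value) : value` fails open: when ngSanitize is not loaded the bound value is written to `.html()` unfiltered, as it was before this series, and nothing tells the application author that `bo-html` is running in its unfiltered mode. If values bound through `bo-html` can carry user-controlled text, that path is a DOM XSS sink whose safety depends on a module that the lines shown only probe with `$injector.has` rather than require. Consider failing closed as PATCH 1/2 did, i.e. always `binder.element.html($sce.getTrustedHtml(value));`, so that callers without ngSanitize have to opt in with `$sce.trustAsHtml`; if backward compatibility rules that out, the branch at least needs a comment such as `// WARNING: ngSanitize not loaded, value is inserted as raw HTML` and a matching README note. The enclosing switch starts and ends outside the hunk.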