ng-html-bind causing $sanitize:badparse with special character '<'


Patrick

Jan 21, 2014, 7:45:49 AM1/21/14
to ang...@googlegroups.com

Sander Elias

Jan 21, 2014, 7:57:10 AM1/21/14
to ang...@googlegroups.com
Hi Patrick,

Well, your string is not HTML-'safe', and cannot be parsed. If you need to include < and > in a string you want parsed, you have to escape those. There are a few other things that need escaping too, but those are the most important ones.
You need to replace the < with &lt; and the > with &gt;

Regards
Sander

Patrick Bertolla

Jan 21, 2014, 9:14:19 AM1/21/14
to ang...@googlegroups.com
Now that you say it, it sounds obvious. I was a little bit confused, since I used the directive ng-html-bind-unsafe (Angularjs 1.0.4) and there it worked. 
I thought "ng-html-bind" works the same way, but the name already tells me that it does not xD.
Thank you for the fast reply.



Sander Elias

Jan 21, 2014, 9:37:18 AM1/21/14
to ang...@googlegroups.com
Patrick,

You're welcome. The reason the old version did work was that the innerHTML got set without any kind of processing. Most browsers can handle very malformed HTML. The new $SCE system does need to parse the string, to make sure there is nothing in there that can compromise security. That's the reason it is checked much more strictly.

Regards
Sander

Chaitanya

Dec 15, 2016, 4:49:28 PM12/15/16
to Angular
Hello Sander,

Greetings! 
Resurfacing an old thread - we are seeing this issue in our implementation now.
And I don't think we can replace the < and > that are in the content (along with the content, the bold <b> and italic <i> tags all have this < and >, and when we replace those, bold/italics will not happen; instead <b> is printed on the screen).

In our case the content is like this, and the < below is creating a $sanitize:badparse exception, and an empty string/content is being rendered on the screen:

content : "<b>Test50 Welcome50</b><br><b>Steps Taken To Resolve</b><br><span><p> Auto approval for amount < 100 dollars </p></span><br><b>Additional Comments</b><br><span><p>sample</p></span>"

Can you please review and suggest a solution.

Thanks,
Chaitanya.

Sander Elias

Dec 16, 2016, 1:33:07 AM12/16/16
to Angular
Hi Chaitanya,

$sce only detects invalid HTML; you need to provide a valid HTML document. If you want to sanitise your HTML, you need to do this before you feed it to $sce.
You can use a library like XSS to do that. (there are a lot more of those, this one came up first in a google search!)

Regards
Sander
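
Sander's two replies above (the 2014 one on $sce having to parse the string before it is bound, and the 2016 one on sanitising before feeding it to $sce) come down to the same rule: a bare < in text must be &lt; before the markup is parsed. The following is an added example, not code from this thread or from AngularJS, and it runs in plain Node.js with no Angular dependency. findBadParse is a simplified stand-in for the sanitizer's parse failure (an assumption, not $sanitize's real tokenizer), escapeStrayAngles repairs markup like Chaitanya's content without touching its tags, and renderSections shows the safer route of escaping each text value as the markup is built. The sample content and the `sections` input shape are constructed for the example.

```javascript
// Added example, not code from the thread or from AngularJS. Plain Node.js, no
// Angular dependency: it shows why a bare "<" in text aborts parsing and how to
// escape it without breaking the real tags around it.

// Constructed sample: the content posted in the thread, with "<" used as a
// less-than sign inside a <p>.
const CONTENT =
  '<b>Test50 Welcome50</b><br><b>Steps Taken To Resolve</b><br>' +
  '<span><p> Auto approval for amount < 100 dollars </p></span><br>' +
  '<b>Additional Comments</b><br><span><p>sample</p></span>';

// A "<" opens a tag only when a tag name (optionally after "/") follows and a
// ">" closes it. This is a deliberately simple rule standing in for the
// sanitizer's tokenizer (an assumption, not $sanitize's actual grammar); it does
// not handle ">" inside quoted attribute values or HTML comments.
const TAG_RE = /^<\/?[A-Za-z][^<>]*>/;

// Offset of the first "<" that does not start a well-formed tag, or -1 if the
// markup tokenizes cleanly. A non-negative result is the condition that makes
// the sanitizer give up (the $sanitize:badparse case) and render nothing.
function findBadParse(html) {
  for (let i = html.indexOf('<'); i !== -1; i = html.indexOf('<', i + 1)) {
    if (!TAG_RE.test(html.slice(i))) return i;
  }
  return -1;
}

// Repair already-built markup: copy real tags through unchanged and escape any
// "<" or ">" that is plain text. Use this only for content you cannot rebuild
// from its parts; see renderSections for the preferred route.
function escapeStrayAngles(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const ch = html[i];
    if (ch === '<') {
      const m = TAG_RE.exec(html.slice(i));
      if (m) {
        out += m[0];
        i += m[0].length;
        continue;
      }
      out += '&lt;';
    } else if (ch === '>') {
      out += '&gt;';
    } else {
      out += ch;
    }
    i += 1;
  }
  return out;
}

// Escape a plain-text value so it can sit inside an element's text (or a
// double-quoted attribute) without ever being read as markup.
function escapeText(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Preferred fix: keep the tags in a fixed template and escape each text value as
// it is inserted. A "<" typed by a user becomes "&lt;" and can never open a tag,
// which also stops a pasted "<script>" from reaching the binding as markup.
// The `sections` array of {title, body} is a hypothetical input shape chosen
// for this example.
function renderSections(sections) {
  return sections
    .map(({ title, body }) =>
      `<b>${escapeText(title)}</b><br><span><p>${escapeText(body)}</p></span>`)
    .join('<br>');
}

// Stand-alone usage. In an AngularJS app the returned string is what you would
// hand to ng-bind-html (with ngSanitize loaded) instead of the raw content.
if (typeof require !== 'undefined' && require.main === module) {
  const bad = findBadParse(CONTENT);
  console.log('bad parse at offset', bad, JSON.stringify(CONTENT.slice(bad, bad + 6)));
  const fixed = escapeStrayAngles(CONTENT);
  console.log('after escapeStrayAngles, bad parse at', findBadParse(fixed));
  console.log(renderSections([
    { title: 'Steps Taken To Resolve', body: 'Auto approval for amount < 100 dollars' },
  ]));
}
```

escapeStrayAngles is a repair for markup you receive already assembled; it cannot tell a user-typed `<b>` from one your template emitted, so it does not replace sanitising. Where you control how the string is built, escape the text values as renderSections does, and reserve $sce.trustAsHtml for markup that never contained user input.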