Escape HTML text in an AngularJS directive
Is there an angular JS command that will do HTML escaping on text? I am processing a custom directive and have need to escape some of the output which it generates.
-
Use [innerHtml] shorthand tag in a HTML template file you are using in your Angular app.
My example shown below to escape HTML generated by wordpress on post_content that is retrieved from my WP API and therefore the html tags will not display in the browser:
<div [innerHtml]="post.post_content" *ngIf="post && post.post_content"></div>Hope this helps.
讨论(0) -
It's not the straight solution, but if you'd dive into angular-sanitize code, you could find function
encodeEntities. It's nice but private. Looking for usages of it you'd go tohtmlSanitizeWriter, and then tosanitizeText. It's still private but used in public filterlinky.Either you can explicitly use
linkyand hope that no links will be found, or reimplementsanitizeTextorencodeEntitiesint your services.讨论(0) -
You can use encodeEntities() function in ngSanitize to escape & < > etc.
讨论(0) -
This answer is derived from @mb21's. The only thing that is changed is utilizing
$sce. So you can use this filter inng-bind-html, without triggeringError: $sce:unsafe.angular .module('yourModule', [ 'ngSanitize' ]) .filter('escapeHtml', function ($sce) { // Modified by Rockallite: Add $sce.trustAsHtml() to mute "Error: $sce:unsafe" // http://stackoverflow.com/a/32835368/2293304 // http://stackoverflow.com/a/28537958/2293304 // https://github.com/janl/mustache.js/blob/master/mustache.js#L82 var entityMap = { "&": "&", "<": "<", ">": ">", '"': '"', "'": ''', "/": '/' }; return function(str) { return $sce.trustAsHtml(String(str).replace(/[&<>"'\/]/g, function (s) { return entityMap[s]; })); } });讨论(0) -
There are two separate issues with escaping HTML. The first issue is that entities need to be encoded, and the second issue is that the result needs to be trusted so the data can be used as html bindings. Adding the following code to your controller(s) provides a solution for both issues using the $sce service.
CoffeeScript Solution:
MyApp.controller('MyController', ['$scope','$sce',($scope,$sce) -> ### ... ### $scope.html5Entities = (value) -> value.replace(/[\u00A0-\u9999<>\&\'\"]/gim, (i) -> '&#' + i.charCodeAt(0) + ';' ) $scope.trustAsHtml = (value) -> $sce.trustAsHtml(value) ### ... ### ])Javascript Solution:
MyApp.controller('MyController', ['$scope','$sce', function($scope,$sce) { /* ... */ $scope.html5Entities = function(value) { return value.replace(/[\u00A0-\u9999<>\&\'\"]/gim, function(i) { return '&#' + i.charCodeAt(0) + ';' }) }; $scope.trustAsHtml = function(value) { return $sce.trustAsHtml(value); }; /* ... */ }]);The first function html5Entities does the actual entity encoding, while the second function trustAsHtml marks a string as safe to use in Angular for HTML bindings. Both versions require that the $sce service be included in your controller.
Example usage:
<div ng-bind-html="trustAsHtml((html5Entities(product.title) | highlight: $select.search))"></div>See related issues:
Encode html entities in javascript
AngularJS : Insert HTML into view
讨论(0) -
There are two ways to do HTML sanitization in AngularJS. The first is by using the ngBindHtml directive and the second by using the $sanitize service.
function MyCtrl ( $scope, $sanitize ) { $scope.rawHtml = "<div><script></script></div>"; $scope.sanitizedHmtl = $sanitize( $scope.rawHtml ); }Then these two are functionally equivalent:
<div ng-bind-html="rawHtml"></div> <div ng-bind-html-unsafe="sanitizedHtml"></div>If used in a directive, as in your question, you can simply insert the sanitized HTML:
element.html( scope.sanitizedHtml );But in most cases when writing directives, you'd have this in a template and use ngBindHtml, as above. But it works for the corner cases.
讨论(0)
加载中...
- 热议问题