feat(tooltip/popover): fix usage with $sce #3563
Conversation
chrisirhc
changed the title
|
@chrisirhc Tests fail... |
Allows for trusted resource URLs through Strict Contextual Escaping ($sce). If the an interpolated expression is used instead, then the benefits of SCE is lost. Fixes angular-ui#3558
Allows for trusted resource URLs through Strict Contextual Escaping ($sce). If the an interpolated expression is used instead, then the benefits of SCE is lost. Fixes angular-ui#3558
chrisirhc
force-pushed
the
feature/fix-popover-template
branch
from
445ceb0 to
8c37865
Compare
|
Thanks for checking @karianna , I marked it as "WIP" because of the failing tests. Just updated it. |
chrisirhc
changed the title
There was a problem hiding this comment.
Can you explain this change? This seems a little awkward for use.
There was a problem hiding this comment.
This is because if a user needs to use a trusted resource url, the user can now do the following.
In controller:
$scope.templateUrl = $sce.trustAsResourceUrl('http://someurl.com/template.htm');
In template tooltip-template="templateUrl".
Before, the if the user did tooltip-template="{{templateUrl}}, the URL gets converted into a plain string after interpolation and hence, loses its trusted context. Then there's no way for the user to specify a trusted URL. $sce trust isn't needed for URLs on the current security origin but will fail when the user specifies URLs from another security origin (different domain/protocol/port).
|
This PR LGTM, just had a question about a change. |
|
Both those Plunkers aren't using the popover directive. Did you press "Save" to make sure that the Plunker updated? |
|
Please open another issue if this isn't related to this particular PR. We can talk about it there. |
4 participants
Closes #3558