-
Notifications
You must be signed in to change notification settings - Fork 6.7k
ng-bind-html-unsafe removed in 1.2 rc1 #813
Comments
Yes, we are aware of this... This is a breaking change in AngularJS 1.2 and affects tooltips, popovers and typeahead. Unfortunately the new AngularJS-way of sanitizing HTML is not backward compatible either so switching to the new There are 2 options of moving forward here:
I guess we are just going to do a big jump and move to all the AngularJS 1.2 futures at one time ($animations etc.) |
I have a work around that you can use until ui-bootstrap is upgraded to support 1.2 ($sce), this involves disabling $sce for your app. As per the documentation this is not advised for new apps but can be used for existing apps until issues like this are resolved. See section "How can I disable SCE completely" at http://docs.angularjs.org/api/ng.$sce then in your app, supply a new template for tooltip-html-unsafe changing ng-bind-html-unsafe to ng-bind-html or if like me you are using bower to manage your build, in your app add the template to the cache on load of your app with $templateCache.put("template/tooltip/tooltip-html-unsafe-popup.html",
"<div class=\"tooltip {{placement}}\" ng-class=\"{ in: isOpen(), fade: animation() }\">\n" +
" <div class=\"tooltip-arrow\"></div>\n" +
" <div class=\"tooltip-inner\" ng-bind-html=\"content\"></div>\n" +
"</div>\n" +
""); |
Obviously there are implications for this workaround for ng-bind-html as any html will no longer be "sanitised" (now with $sce). Take care using this only where you understand the implications of XSS. |
OMG! If You want enterprise customers to use Your technology That's exactly how to chase away enterprise users |
@maximilianeberl Woah buddy, slow down! First of all no one here removed anything. This isn't the AngularJS project, this project is built on top of AngularJS. That said,
I hardly consider the addition of a couple of lines of code is hardly worth blowing up over. Especially given the degree of control $sce allows. |
Instead of disabling the whole thing, you could simply add the In my case it worked just fine, as I needed a custom result entry template anyway. angular.module('my.app', ['ngSanitize']);
// ... <input type="text" typeahead="match as match.name for match in search($viewValue)" typeahead:template:url="/templates/result.entry.html"> <!-- /templates/result.entry.html -->
<a tabindex="-1" ng-bind-html="match.label | typeaheadHighlight:query"></a> |
The safest and best way to move forward, is as @gtramontina says. We should change angular-ui bootstrap to have a dependency on ngSanitize (if you want to use things that bind HTML, such as typeahead). Then we change |
@petebacondarwin yep, this sounds like a reasonable approach. But I've got an impression that we had this discussion already and decided not to include ngSanitize for now, if I recall correctly. What I was planning to do is to create an equivalent of |
So kind of "solved" it by adding our own version of the bind-unsafe directive. We are going to remove it while switching to 1.2 and advising people to use ngSanitize. For now I just want to unblock the situation as 1.2 is still in RC so I'm not sure if we won't see more changes... |
@pkozlowski-opensource mind if I send a pull request to use bind-html-unsafe in tooltip as well? |
Went ahead and sent #975. :) |
so tired. i finding the whole internet, there is even no simple way to JUST output a short html snippet. Now i have to import a hug file just only for show a <br >,ridiculous. |
For anyone who'd still like to use this directive: Example:
Directive:
|
Matthew.Lothian has probably made the best suggestion on how to update to using $sce instead of ng-bind-html-unsafe. See http://stackoverflow.com/questions/16722424/how-do-i-create-an-angularjs-ui-bootstrap-popover-with-html-content for details. |
Can anyone comment as to why this plunkr doesn't work? Thank you. |
What's not working for you? It seems to be working for me. I see a button that says "Left", which is your unsafe content, rendered in the plnkr |
@boroth The button shows, but clicking it doesn't trigger the popover for me. Does it trigger for you? |
Ah, I didn't even see there was supposed to be a popover, but no it doesn't work. You might consider trying a different directive rather than |
AFAIK, I can't use Edit: |
Check out ($templateCache)[https://docs.angularjs.org/api/ng/service/$templateCache]. You can probably inject your templates into the |
Now that 1.2 rc1 is out, first issue I ran into is with tooltip-html-unsafe which I assume is using ng-bind-html-unsafe directive which is now removed. see angular/angular.js@dae6947
Is this already addressed in development branch?
The text was updated successfully, but these errors were encountered: