This repository has been archived by the owner on Apr 12, 2024. It is now read-only.
fix(ng-bind-html): watch string value instead of wrapper #4087
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Ref: angular#4045 I have this sinking feeling that support this use case sort of encourages binding to function that blindly trust some html. For now, I'm fixing the issue while I think about the use cases some more. In the case of a function that performs any non-trivial work before wrapping the value (e.g. the showdown filter in issue angular#3980, or the binding to a simply wrapper function in issue angular#3932 if it did anything meaty), this fix makes it "work" - but performance is going to suck - you should bind to some other thing on scope that watches the actual source and adjusts itself when that changes (e.g. the showdown filter.) For the case of the wrapper in angular#3932, if one isn't performing sanitization or some such thing - then you the developer has insight into why that value is safe in that particular context - and it should be available simply by name and not as a result of a function taking any arbitrary input to make auditing of security a little saner. Closes angular#3932, angular#3980
|
lovely! I think I like you better than @btford now! ;) |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ref: #4045
I have this sinking feeling that support this use case sort of
encourages binding to function that blindly trust some html. For now,
I'm fixing the issue while I think about the use cases some more.
In the case of a function that performs any non-trivial work before
wrapping the value (e.g. the showdown filter in issue #3980, or the
binding to a simply wrapper function in issue #3932 if it did anything
meaty), this fix makes it "work" - but performance is going to suck -
you should bind to some other thing on scope that watches the actual
source and adjusts itself when that changes (e.g. the showdown filter.)
For the case of the wrapper in #3932, if one isn't performing
sanitization or some such thing - then you the developer has insight
into why that value is safe in that particular context - and it should
be available simply by name and not as a result of a function taking any
arbitrary input to make auditing of security a little saner.
Closes #3932, #3980