8

I got this error because one of the users added in his post <3

Error: [$sanitize:badparse] The sanitizer was unable to parse the following block of html: <3

I wrote code that ng-bind-html ="Detail.details"

I want him to be taken only <a> tag and tag <br />

Is that possible?

Thank you!

Improve this question
1
  • 1
    I <3 such bug reports. Commented Nov 13, 2014 at 20:09

3 Answers 3

Reset to default
10

You can create filter which will sanitize your html.

I used in it strip_tags function http://phpjs.org/functions/strip_tags/

angular.module('filters', []).factory('truncate', function () {
    return function strip_tags(input, allowed) {
      allowed = (((allowed || '') + '')
        .toLowerCase()
        .match(/<[a-z][a-z0-9]*>/g) || [])
        .join(''); // making sure the allowed arg is a string containing only tags in lowercase (<a><b><c>)
      var tags = /<\/?([a-z][a-z0-9]*)\b[^>]*>/gi,
        commentsAndPhpTags = /<!--[\s\S]*?-->|<\?(?:php)?[\s\S]*?\?>/gi;
      return input.replace(commentsAndPhpTags, '')
        .replace(tags, function($0, $1) {
          return allowed.indexOf('<' + $1.toLowerCase() + '>') > -1 ? $0 : '';
        });
    }
});

controller:

angular.module('myApp', ['filters'])
.controller('IndexController', ['$scope', 'truncate', '$sce', function($scope, truncate, $sce){
  $scope.text="";

  $scope.$watch('text', function(){
    $scope.sanitized = $sce.trustAsHtml(truncate($scope.text, '<a><br>'));
  });
}]);

view:

<div ng-bind-html="sanitized"></div>

http://plnkr.co/edit/qOuvpSMvooC6jR0HxCNT?p=preview

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

is ti possible to not replace wrong tags but display them? Example, in your plunker, insteand of not having <b> tags, just display <b>Bold sanitized</b>?
7

I had the same problem and fixed it by using $sce.trustAsHtml, see this

$scope.body = $sce.trustAsHtml(htmlBody);

// In html
<div ng-bind-html="body">body</div>

It fix the issue

Improve this answer

2 Comments

I think this is a bad idea. You are then bypassing the ngSanitize security checks. So you may open you application to HTML injection attacks.
Look I am not using ng-bind-html-unsafe which is depricated, you cannot use ng-bind-html without ngSanitize. So there is no security issue.
3

To preserve existing ng-bind-html behaviour without crashing you can catch the $sanitize:badparse exception.

The ngBindHtml component internally uses the ngSanitize service. Inject $sanitize into your controller and catch it.

The advantage of this versus the $sce.trustAsHtml methods is that $sanitize does not introduce any potential security holes (eg. javascript injection).

Controller (inject $sanitize):

$scope.clean = function (string) {
    $scope.clean = function(string) {
        try {
            return $sanitize(string);
        } catch(e) {
            return;
        }
    };
};

This method could be improved with a cache of the last known good value.

View:

<div ng-bind-html="clean(body)"></div>
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.