Home > Developer > JavaScript
To avoid security vulnerabilities in angularJs, some ng-src or ng-include perform security verification. Therefore, ng-src in an iframe is often unavailable.
What is SCE?
SCE, that is, strict contextual escaping. My understanding is that strict context isolation... translation may be inaccurate, but through literal understanding, angularjs strictly controls context access.
Angular enables SCE by default, which means that some insecure behaviors will be eliminated by default. For example, you have used a third-party script or library, loaded a piece of html, and so on.
This is indeed safe to avoid cross-site XSS, but sometimes we want to load specific files on our own. What should we do at this time?
At this time, you can use the $ sce service to convert some addresses into secure and authorized links... simply put, it is like telling the guard that this stranger is actually a good friend of mine. It is trustworthy and does not have to be intercepted!
Common methods include:
$ Sce. trustAs (type, name );
$ Sce. trustAsHtml (value );
$ Sce. trustAsUrl (value );
$ Sce. trustAsResourceUrl (value );
$ Sce. trustAsJs (value );
The following are all used based on the first api. For example, trsuasurl actually calls trsuas ($ sce. URL, "xxxx ");
The optional value of type is:
$ Sce. HTML
$ Sce. CSS
$ Sce. URL // href in the tag, src in the img tag
$ Sce. RESOURCE_URL // ng-include, src or ngSrc, such as iframe or Object
$ Sce. JS
Example from the official website: ng-bind-html
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
