AngularJS uses $sce to control code security checks

Source: Internet
Author: User
This article describes how AngularJS uses the $sce service to control code security checks; if you are interested in AngularJS SCE, you can learn it here. Because browsers enforce the same-origin policy, you cannot load files from a different origin, nor access files through unwanted protocols such as file:.

To avoid security vulnerabilities, AngularJS performs a security check on directives such as ng-src and ng-include. This is why ng-src on an iframe often appears not to work: the value is rejected unless it has been marked as trusted.

What is SCE?

SCE stands for strict contextual escaping. My understanding is something like strict context isolation; the translation may be inaccurate, but taken literally it means that AngularJS strictly controls what may be used in each context.

AngularJS enables SCE by default, which means that some insecure behaviours are blocked out of the box: for example, loading a third-party script or library, or binding a piece of HTML into the page.

This is indeed safe and helps prevent cross-site scripting (XSS), but sometimes we want to load a specific file ourselves. What should we do then?

In that case you can use the $sce service to convert specific addresses into secure, authorized values. Simply put, it is like telling the guard that this stranger is actually a good friend of mine: he is trustworthy and does not have to be stopped.

Common methods include:

$sce.trustAs(type, value);
$sce.trustAsHtml(value);
$sce.trustAsUrl(value);
$sce.trustAsResourceUrl(value);
$sce.trustAsJs(value);

The other four are all built on the first API. For example, trustAsUrl actually calls trustAs($sce.URL, "xxxx").

The possible values of type are:

$sce.HTML
$sce.CSS
$sce.URL // href in an a tag, src in an img tag
$sce.RESOURCE_URL // ng-include, and src or ng-src on an iframe or object
$sce.JS
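To make the rules above concrete, here is an added example that is not AngularJS's own code: a small Node-runnable model of how $sce's contextual trust works. The context names follow the $sce constants listed above, and the idea that same-origin resource URLs are allowed without an explicit trustAs follows AngularJS's $sceDelegateProvider.resourceUrlWhitelist, but makeSce, TrustedValue, checkIframeSrc and the origin https://app.example are simplifications and placeholders written for this article, not the framework's implementation.

```javascript
// Added example (not AngularJS code): a simplified model of $sce's contextual trust.
// Context names mirror the $sce constants; everything else is an assumption.
const SCE = Object.freeze({
  HTML: 'html',
  CSS: 'css',
  URL: 'url',
  RESOURCE_URL: 'resourceUrl',
  JS: 'js',
});

// A trusted value is a wrapper that remembers which context it was trusted for,
// so a value trusted as HTML cannot be reused as a resource URL.
class TrustedValue {
  constructor(type, value) {
    this.type = type;
    this.value = value;
    Object.freeze(this);
  }
}

// makeSce(appOrigin, extraWhitelist): appOrigin stands in for the document's own
// origin ('self'); extraWhitelist holds URL prefixes that may be loaded without
// an explicit trustAs call. Both are assumptions of this model.
function makeSce(appOrigin, extraWhitelist = []) {
  const knownTypes = new Set(Object.values(SCE));
  const selfOrigin = new URL(appOrigin).origin;

  function trustAs(type, value) {
    if (!knownTypes.has(type)) throw new Error(`unknown SCE type: ${type}`);
    if (value === null || value === undefined || value === '') return value;
    if (typeof value !== 'string') throw new Error('only strings can be trusted');
    return new TrustedValue(type, value);
  }

  // Plain strings are accepted in the RESOURCE_URL context only when they are
  // same-origin or match an explicitly whitelisted prefix.
  function resourceUrlAllowed(url) {
    let parsed;
    try {
      parsed = new URL(url, appOrigin);
    } catch (e) {
      return false;
    }
    if (parsed.origin === selfOrigin) return true;
    return extraWhitelist.some((prefix) => parsed.href.startsWith(prefix));
  }

  // getTrusted is what a directive (ng-bind-html, ng-src on an iframe, ng-include)
  // would call before using a value: unwrap trusted values, reject everything else.
  function getTrusted(type, maybeTrusted) {
    if (maybeTrusted === null || maybeTrusted === undefined || maybeTrusted === '') {
      return maybeTrusted;
    }
    if (maybeTrusted instanceof TrustedValue) {
      if (maybeTrusted.type === type) return maybeTrusted.value;
      throw new Error(`value was trusted as ${maybeTrusted.type}, not ${type}`);
    }
    if (type === SCE.RESOURCE_URL && resourceUrlAllowed(maybeTrusted)) return maybeTrusted;
    throw new Error(`untrusted value in ${type} context: ${String(maybeTrusted)}`);
  }

  return {
    trustAs,
    getTrusted,
    trustAsHtml: (v) => trustAs(SCE.HTML, v),
    trustAsUrl: (v) => trustAs(SCE.URL, v),
    trustAsResourceUrl: (v) => trustAs(SCE.RESOURCE_URL, v),
    trustAsJs: (v) => trustAs(SCE.JS, v),
  };
}

// Models what ng-src on an iframe does with a scope value: either the URL is
// used, or the binding is dropped and the reason is reported.
function checkIframeSrc(sce, value) {
  try {
    return { loaded: true, src: sce.getTrusted(SCE.RESOURCE_URL, value) };
  } catch (e) {
    return { loaded: false, reason: e.message };
  }
}

// Demo with constructed URLs; run with `node` to see each outcome.
const sce = makeSce('https://app.example', ['https://cdn.example/widgets/']);
console.log(checkIframeSrc(sce, '/partials/help.html'));                 // same origin: loaded
console.log(checkIframeSrc(sce, 'https://other.example/embed'));         // cross-origin string: blocked
console.log(checkIframeSrc(sce, sce.trustAsResourceUrl('https://other.example/embed'))); // trusted: loaded
console.log(checkIframeSrc(sce, sce.trustAsHtml('<b>hi</b>')));          // wrong context: blocked
```

The last two calls show the practical caveat: trustAsResourceUrl is what makes a cross-origin iframe src work, but the wrapper only opens the one context it was created for, and whatever string you pass to trustAs is used verbatim, so it should be a value your own code chose, not one taken from user input.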

Example from the official website: ng-bind-html
