I've put a JSfiddle here so you can see code that is actually working...
/
Unfortunately this does not work on my local machine even though everything else does (I have other angular code running fine).
On my local machine I only see my html in the output if i use..
ng-bind-html-unsafe="message.content"
instead of...
ng-bind-html="message.content"
So, on JSfiddle it works when I leave the "unsafe" off, but on my local machine the unsafe has to be there, which seems undesirable from a security point of view.
I am loading the same version of Angular and sanitize, in the same order and my code I think is identical, only the environment seems to be different.
Any ideas?
I've put a JSfiddle here so you can see code that is actually working...
http://jsfiddle/vtKqG/1/
Unfortunately this does not work on my local machine even though everything else does (I have other angular code running fine).
On my local machine I only see my html in the output if i use..
ng-bind-html-unsafe="message.content"
instead of...
ng-bind-html="message.content"
So, on JSfiddle it works when I leave the "unsafe" off, but on my local machine the unsafe has to be there, which seems undesirable from a security point of view.
I am loading the same version of Angular and sanitize, in the same order and my code I think is identical, only the environment seems to be different.
Any ideas?
Share Improve this question asked Dec 26, 2012 at 21:48 jonhobbsjonhobbs 28k39 gold badges118 silver badges179 bronze badges 9- 1 Maybe you forget to load the ngSanitize module? var myApp = angular.module('myApp',['ngSanitize']); – asgoth Commented Dec 26, 2012 at 21:53
- One other thing. ngSanitize is in a different javascript file. Did you load it in your page? – asgoth Commented Dec 26, 2012 at 21:55
- Yep, it's loaded and working, otherwise the unsafe version wouldn't work. It only stops working (blank output) when I remove the -unsafe – jonhobbs Commented Dec 26, 2012 at 22:02
- Is this your output? jsfiddle/asgoth/35fJE – asgoth Commented Dec 26, 2012 at 22:07
- Yes, the div is rendered but empty as in your example. I see you changed ngSanitize to just ng when injecting into the module. Mine is correct however, I copied and pasted directly from the working fiddle. – jonhobbs Commented Dec 26, 2012 at 22:15
2 Answers
Reset to default 5You need to add your module to ng-app:
<html ng-app='myApp'>
...
If you don't specify this, angular will only load module 'ng', not ng-sanitize. ng-bind-unsafe is in module ng, not ng-sanitize, which is why this accidently worked.
Apparently in new version of AngularJS 1.2+ they change it, since then you have to use trustAsHtml() method to disable Html escaping.
Solution can be find here