Discussion about allowing HTML #3
Comments
|
So {{something}} is not working inside message because of $sce correct? |
|
Allowing HTML is problematic, there is no perfect solution. There are various options and I decided for one. Allowing basic html on it, but that doesn't support angular directives and to do that, I need to make the toasts really insecure. I think that since it is just to popup information, it doesn't need complex stuff on it. So for now, I want to wait to see how people use it and then act. |
|
I understand you decision. Our use-case is to display a countdown in a popup message or something to show the user that he is getting logged out by inactivity. So we decided to use a non blocking toast message for that. But without angular binding there is only the option to show multiple toasts every x seconds/minutes etc. to give the desired behavior. |
|
i got $sce warning with
my intention enabling html just using and it's throw $sce error on fail callback when interact with |
I want to discuss here of what should we do about trusting html.
I saw various ways, and I am not sure of any of them:
As today, you can add html onto it,
$scewill trust your html but I am unsure how it works vsXSS. UsingngSanitizeis also an option, but it doesn't allow to use form items on the toast.The problem with
$sceis that you can't put directives into the trusted HTML (that is intended). That doesn't mean I can create a directive where you can put any kind of html on your toast (even forms that will work with your scope), but that is highly insecure.I want to discuss what are your thoughts about this.
The text was updated successfully, but these errors were encountered: