|
|
@@ -21,7 +21,7 @@ which drives many of these changes. |
|
|
|
|
|
You can no longer invoke .bind, .call or .apply on a function in angular expressions. |
|
|
This is to disallow changing the behaviour of existing functions |
|
|
in an unforseen fashion. |
|
|
in an unforeseen fashion. |
|
|
|
|
|
- due to [6081f207](https://github.com/angular/angular.js/commit/6081f20769e64a800ee8075c168412b21f026d99), |
|
|
|
|
|
@@ -877,7 +877,7 @@ of `$sce.trustAsHtml(string)`. When bound to a plain string, the string is sanit |
|
|
module is not loaded) and the bound expression evaluates to a value that is not trusted an |
|
|
exception is thrown. |
|
|
|
|
|
When using this directive you can either include `ngSanitize` in your module's dependencis (See the |
|
|
When using this directive you can either include `ngSanitize` in your module's dependencies (See the |
|
|
example at the {@link ngBindHtml} reference) or use the {@link $sce} service to set the value as |
|
|
trusted. |
|
|
|
|
|
@@ -1134,10 +1134,10 @@ freely available to JavaScript code (as before). |
|
|
|
|
|
Angular expressions execute in a limited context. They do not have |
|
|
direct access to the global scope, `window`, `document` or the Function |
|
|
constructor. However, they have direct access to names/properties on |
|
|
the scope chain. It has been a long standing best practice to keep |
|
|
constructor. However, they have direct access to names/properties on |
|
|
the scope chain. It has been a long standing best practice to keep |
|
|
sensitive APIs outside of the scope chain (in a closure or your |
|
|
controller.) That's easier said that done for two reasons: |
|
|
controller.) That's easier said than done for two reasons: |
|
|
|
|
|
1. JavaScript does not have a notion of private properties so if you need |
|
|
someone on the scope chain for JavaScript use, you also expose it to |
|
|
|
