See http://stackoverflow.com/questions/37076867/in-rc-1-some-styles-cant-be-added-using-binding-syntax/37076868#37076868

http://plnkr.co/edit/WdrRVyHr6WUCwMCwhH9F?p=preview

I know about "marking as trust" but I guess it's not a case here.

Consider this example: http://plnkr.co/edit/U1N8xgJOUWyemz8oS0RW?p=preview
I'm passing a simple string test here and it's perfectly fine because nothing was really stripped.

In case of the unicode icon there should be no warning because I've passed encoded string (value passed to innerHtml input and finally rendered are exactly the same) so nothing was stripped in fact.

However if I do this: http://plnkr.co/edit/ZSto9Gl03ZzNGVF8E8C2?p=preview then warning is what I'd expect.

So to the point - I think the message is wrong in case you pass encoded value to sanitize.

I see, I leave that to the Angular team then.

@mprobst could you please take a look ?

I think this is inherent in how we sanitize. We're using the browser's HTML parser, which of course turns escapes such as 🚀 in the example into their Unicode code point equivalents (or UTF-16, really). After parsing and re-serializing, Angular sees a string that does not match byte by byte, i.e. the escape has been replaced with the actual character (🚀), and thus prints the warning.

Fixing this won't be possible without re-implementing half an HTML parser and expensively re-scanning the string. Given that the message is entirely harmless and only slightly misleading, and given that this is probably somewhat of a corner case, I think the effort is not worth it.

Does that make sense? Please feel free to re-open if this actually causes an issue.

@mprobst I don't think there is a problem with sanitization but with the error message condition. I've added PR because code shows much more than words. Let me know what do you think about it.

@wkwiatek I understand, but I'm surprised the PR fixes this. Let's discuss there.

I also get this warning when I bind text that contains German Umlaute (ü, ö, ä), because they get replaced with ü ö and ä. This makes the warning useless for me, because I get like 95% false warnings and don't bother to look at them any more.

@oocx sorry about that. As I wrote on the PR, Angular would need to re-implement half an HTML parser to avoid this warning, which seems overkill as it is harmless and only supposed to be a development help.

We could consider not escaping at least some unicode characters (e.g. umlauts), but then we'd cause the warning for people passing in ü or &0xDC; and so on. The joys of encoding :-/

@mprobst I understand why it's not easy to fix. Is there a way to disable this warning? It's spamming my console with warnings when I debug my application.

If there is no option to turn it off yet, I could try to implement it and submit a PR if you think it's a useful feature.

@oocx there's no feature to disable that. I'm skeptical about making it a feature, too – more options make software harder to use, and I'm not convinced it's enough of a problem to warrant fixing. Binding innerHtml & Co should be rare in any case...

@oocx FYI 482c019 should fix this for you.

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}