Discussion about allowing HTML #3

I want to discuss here what we should do about trusting HTML. I saw various ways, and I am not sure about any of them: As of today, you can add HTML onto it; $sce will trust your HTML, but I am unsure how it works vs. XSS. Using ngSanitize is also an option, but it doesn't allow using form items on the toast. The problem with $sce is that you can't put directives into the trusted HTML (that is intended). That doesn't mean I can create a directive where you can put any kind of HTML on your toast (even forms that will work with your scope), but that is highly insecure. I want to discuss what your thoughts are about this.

Comments

So {{something}} is not working inside the message because of $sce, correct?

Allowing HTML is problematic; there is no perfect solution. There are various options and I decided on one: allowing basic HTML on it, but that doesn't support Angular directives, and to do that I need to make the toasts really insecure. I think that since it is just to pop up information, it doesn't need complex stuff on it. So for now, I want to wait to see how people use it and then act.

I understand your decision. Our use case is to display a countdown in a popup message, or something to show the user that he is getting logged out due to inactivity. So we decided to use a non-blocking toast message for that. But without Angular binding the only option is to show multiple toasts every x seconds/minutes etc. to get the desired behavior.

I got a $sce warning with
My intention was enabling HTML just using and it throws a $sce error in the fail callback when interacting with