38deedd6e3
BREAKING CHANGE: Concatenating expressions makes it hard to reason about
whether some combination of concatenated values are unsafe to use
and could easily lead to XSS. By requiring that a single expression
be used for *[src/ng-src] such as iframe[src], object[src], etc.
(but not img[src/ng-src] since that value is sanitized), we ensure that the value
that's used is assigned or constructed by some JS code somewhere
that is more testable or make it obvious that you bound the value to
some user controlled value. This helps reduce the load when
auditing for XSS issues.
To migrate your code, follow the example below:
Before:
JS:
scope.baseUrl = 'page';
scope.a = 1;
scope.b = 2;
HTML:
<!-- Are a and b properly escaped here? Is baseUrl
controlled by user? -->
<iframe src="{{baseUrl}}?a={{a}&b={{b}}">
After:
JS:
var baseUrl = "page";
scope.getIframeSrc = function() {
// There are obviously better ways to do this. The
// key point is that one will think about this and do
// it the right way.
var qs = ["a", "b"].map(function(value, name) {
return encodeURIComponent(name) + "=" +
encodeURIComponent(value);
}).join("&");
// baseUrl isn't on scope so it isn't bound to a user
// controlled value.
return baseUrl + "?" + qs;
}
HTML: <iframe src="{{getIframeSrc()}}">
|
||
|---|---|---|
| css | ||
| docs | ||
| example | ||
| i18n | ||
| images | ||
| lib | ||
| logs | ||
| src | ||
| test | ||
| .gitignore | ||
| .travis.yml | ||
| angularFiles.js | ||
| bower.json | ||
| changelog.js | ||
| CHANGELOG.md | ||
| changelog.spec.js | ||
| changelog.tmp.md | ||
| check-size.sh | ||
| CONTRIBUTING.md | ||
| gdocs.js | ||
| gen_docs.sh | ||
| Gruntfile.js | ||
| init-repo.sh | ||
| karma-docs.conf.js | ||
| karma-e2e.conf.js | ||
| karma-jqlite.conf.js | ||
| karma-jquery.conf.js | ||
| karma-modules.conf.js | ||
| LICENSE | ||
| package.json | ||
| README.md | ||
| release-commit.sh | ||
| start-iteration.sh | ||
| validate-commit-msg.js | ||
| validate-commit-msg.spec.js | ||
| watchr-docs.rb | ||
AngularJS
AngularJS lets you write client-side web applications as if you had a smarter browser. It lets you use good old HTML (or HAML, Jade and friends!) as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. It automatically synchronizes data from your UI (view) with your JavaScript objects (model) through 2-way data binding. To help you structure your application better and make it easy to test, AngularJS teaches the browser how to do dependency injection and inversion of control. Oh yeah and it also helps with server-side communication, taming async callbacks with promises and deferreds; and make client-side navigation and deeplinking with hashbang urls or HTML5 pushState a piece of cake. The best of all: it makes development fun!
- Web site: http://angularjs.org
- Tutorial: http://docs.angularjs.org/tutorial
- API Docs: http://docs.angularjs.org/api
- Developer Guide: http://docs.angularjs.org/guide
- Contribution guidelines: http://docs.angularjs.org/misc/contribute
Building AngularJS
Once you have your environment setup just run:
grunt package
Running Tests
To execute all unit tests, use:
grunt test:unit
To execute end-to-end (e2e) tests, use:
grunt package
grunt test:e2e
To learn more about the grunt tasks, run grunt --help and also read our
contribution guidelines.