mirror of
https://github.com/Hopiu/angular.js.git
synced 2026-03-23 18:00:26 +00:00
BREAKING CHANGE: Interpolations inside DOM event handlers are
disallowed. DOM event handlers execute arbitrary JavaScript code.
Using an interpolation for such handlers means that the interpolated
value is a JS string that is evaluated. Storing or generating such
strings is error prone and likely leads to an XSS if you're not
super careful. On the other hand, ng-click and such event handlers
evaluate Angular expressions that are a lot safer (e.g. no direct
access to global objects - only scope), cleaner and harder to
exploit.

To migrate the code follow the example below:

Before:

    JS:   scope.foo = 'alert(1)';
    HTML: <div onclick="{{foo}}">

After:

    JS:   scope.foo = function() { alert(1); }
    HTML: <div ng-click="foo()">
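
To find templates affected by the breaking change described in the commit message above, a template scan can list inline event handler attributes whose value contains an interpolation. This is an added example, not part of the commit or of AngularJS: `findInterpolatedHandlers`, the "attribute name starts with `on`" rule and the sample template are assumptions made for illustration, and the default `{{ }}` interpolation symbols are assumed.

```javascript
// Added example, not AngularJS code. Regex-based audit of template text;
// it does not parse HTML fully (comments and <script> bodies are not skipped).

// An opening tag: captures the tag name and the raw attribute text.
const TAG_RE = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
// One attribute: name, then a double-quoted, single-quoted or unquoted value.
const ATTR_RE = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+))/g;

function findInterpolatedHandlers(template) {
  const findings = [];
  for (const tag of template.matchAll(TAG_RE)) {
    // 1-based line number of the tag's opening "<".
    const line = template.slice(0, tag.index).split('\n').length;
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase(); // HTML attribute names are case-insensitive
      const value = attr[2] ?? attr[3] ?? attr[4] ?? '';
      // Assumption: inline DOM handlers are the attributes named on<event>.
      // ng-click and other ng-* attributes hold Angular expressions and are skipped.
      if (/^on[a-z]+$/.test(name) && value.includes('{{')) {
        findings.push({ line, tag: tag[1].toLowerCase(), attribute: name, value });
      }
    }
  }
  return findings;
}

// Constructed sample template: lines 1 and 3 need migrating, 2 and 4 do not.
const SAMPLE = [
  '<div onclick="{{foo}}">before</div>',
  '<div ng-click="foo()">after</div>',
  '<a href="#" title="{{tip}}" ONMOUSEOVER=\'{{hover}}\'>link</a>',
  '<button onclick="save()">static handler</button>',
].join('\n');

for (const f of findInterpolatedHandlers(SAMPLE)) {
  console.log(`line ${f.line}: <${f.tag}> ${f.attribute}="${f.value}"`);
}
```

Each reported attribute is a place where a scope string would be evaluated as JavaScript and should be replaced with a scope function called from an `ng-*` event directive, as in the Before/After above.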

| Name |
|---|
| directive |
| filter |
| anchorScrollSpec.js |
| animationSpec.js |
| animatorSpec.js |
| browserSpecs.js |
| cacheFactorySpec.js |
| compileSpec.js |
| controllerSpec.js |
| documentSpec.js |
| exceptionHandlerSpec.js |
| httpBackendSpec.js |
| httpSpec.js |
| interpolateSpec.js |
| localeSpec.js |
| locationSpec.js |
| logSpec.js |
| parseSpec.js |
| qSpec.js |
| rootElementSpec.js |
| rootScopeSpec.js |
| snifferSpec.js |
| timeoutSpec.js |
| windowSpec.js |