Hello,

I'm working on a response system.

((1) works) So basically when someone inputs, let's say, "Coleus bluei" in the input field, the data goes to a database, and it checks what the output for that is; in that case it is pure HTML containing the plant information, and it works perfectly...

((2) fails) Now, in other cases, let's say when the input is "facebook", the output in the database is JavaScript code, which is supposed to redirect the user directly to Facebook, and in that case, Angular includes the JavaScript code without any problem, but it won't work.

I'm binding the data like this:

<div ng-bind-html="eirana_knows.posicion_superior | unsafe">

and here's the application filter "unsafe":

app.filter('unsafe', function($sce) { return $sce.trustAsHtml; });

I've seen as well that, for some reason, Angular will execute JavaScript code embedded inside an HTML structure, such as:

<a onmouseover="alert('This works fine')" href="">works</a>

But on the other hand:

<script type="text/javascript">alert('This will not work');</script>

I'm using Angular 1.5.7 and Angular Sanitize 1.4.8, from the CDN:

<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.5.7/angular.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular-sanitize.js"></script>

Module properly loaded into the Angular app:

var app = angular.module('resonador', ['ngSanitize']);
  • This looks like a duplicate: stackoverflow.com/questions/20297638/… Commented Aug 15, 2016 at 21:08
  • Yes sir! Seems like it might work! 1,000 thanks! Commented Aug 16, 2016 at 10:56
  • No sir... can't make it work with plain Javascript. Commented Aug 16, 2016 at 11:53
  • It might not work at all. It's pretty dangerous to allow dynamically inserted JavaScript to execute on a page. Commented Aug 16, 2016 at 12:47
  • Well, the content is actually in the database, so, if they can insert the content in the database in the first place... Commented Aug 16, 2016 at 12:56
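
Browsers do not run `<script>` elements inserted through `innerHTML`, which is how `ng-bind-html` writes its content, while inline handlers such as `onmouseover` do run once `trustAsHtml` skips sanitization. The added example below, which is not code from the question or from AngularJS, gets the redirect by storing a typed record instead of JavaScript and validating the destination before navigating. The record fields (`kind`, `target`, `body`), the host allowlist and the sample rows are assumptions made for illustration.

```javascript
// Assumption: each database row is data with a declared kind, never script.
const ALLOWED_REDIRECT_HOSTS = new Set(['www.facebook.com']); // constructed allowlist

// Constructed sample rows standing in for the database output.
const SAMPLE_RECORDS = {
  'Coleus bluei': { kind: 'html', body: '<p>Plant information</p>' },
  'facebook': { kind: 'redirect', target: 'https://www.facebook.com/' },
  'tampered': { kind: 'redirect', target: 'javascript:alert(1)' },
  'offsite': { kind: 'redirect', target: 'https://www.facebook.com.example.net/' },
};

// Returns the normalized URL to navigate to, or null if the target is rejected.
function safeRedirectTarget(target) {
  let url;
  try {
    url = new URL(target); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;          // blocks javascript:, data:, http:
  if (url.username || url.password) return null;       // no user@host tricks
  if (!ALLOWED_REDIRECT_HOSTS.has(url.hostname)) return null; // exact host match only
  return url.href;
}

// Decides what the client should do with one stored record.
function resolveResponse(record) {
  if (!record) return { action: 'none' };
  if (record.kind === 'redirect') {
    const href = safeRedirectTarget(record.target);
    return href ? { action: 'redirect', href } : { action: 'none' };
  }
  if (record.kind === 'html') {
    // Bind this with ng-bind-html and ngSanitize loaded, without the
    // trustAsHtml filter, so inline event handlers are stripped.
    return { action: 'render', html: record.body };
  }
  return { action: 'none' };
}

// In an AngularJS controller (with $window injected) the result would be used as:
//   var r = resolveResponse(record);
//   if (r.action === 'redirect') { $window.location.href = r.href; }
//   else if (r.action === 'render') { $scope.html = r.html; }
```
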
