Improve this Doc View Source $sceDelegate
- $sceDelegateProvider
- service in module ng
Overview
$sceDelegate
is a service that is used by the $sce
service to provide Strict Contextual Escaping (SCE) services to AngularJS.
For an overview of this service and the functionnality it provides in AngularJS, see the main page for SCE. The current page is targeted for developers who need to alter how SCE works in their application, which shouldn't be needed in most cases.
Typically, you would configure or override the $sceDelegate instead of the $sce
service to customize the way Strict Contextual Escaping works in AngularJS. This is because, while the $sce
provides numerous shorthand methods, etc., you really only need to override 3 core functions (trustAs
, getTrusted
and valueOf
) to replace the way things work because $sce
delegates to $sceDelegate
for these operations.
Refer $sceDelegateProvider to configure this service.
The default instance of $sceDelegate
should work out of the box with little pain. While you can override it completely to change the behavior of $sce
, the common case would involve configuring the $sceDelegateProvider instead by setting your own whitelists and blacklists for trusting URLs used for loading AngularJS resources such as templates. Refer $sceDelegateProvider.resourceUrlWhitelist and $sceDelegateProvider.resourceUrlBlacklist
Usage
$sceDelegate();
Methods
-
trustAs(type, value);
Returns a trusted representation of the parameter for the specified context. This trusted object will later on be used as-is, without any security check, by bindings or directives that require this security context. For instance, marking a string as trusted for the
$sce.HTML
context will entirely bypass the potential$sanitize
call in corresponding$sce.HTML
bindings or directives, such asng-bind-html
. Note that in most cases you won't need to call this function: if you have the sanitizer loaded, passing the value itself will render all the HTML that does not pose a security risk.See getTrusted for the function that will consume those trusted values, and $sce for general documentation about strict contextual escaping.
Parameters
Param Type Details type string
The context in which this value is safe for use, e.g.
$sce.URL
,$sce.RESOURCE_URL
,$sce.HTML
,$sce.JS
or$sce.CSS
.value *
The value that should be considered trusted.
Returns
*
A trusted representation of value, that can be used in the given context.
-
valueOf(value);
If the passed parameter had been returned by a prior call to
$sceDelegate.trustAs
, returns the value that had been passed to$sceDelegate.trustAs
.If the passed parameter is not a value that had been returned by
$sceDelegate.trustAs
, it must be returned as-is.Parameters
Param Type Details value *
The result of a prior
$sceDelegate.trustAs
call or anything else.Returns
*
The
value
that was originally provided to$sceDelegate.trustAs
ifvalue
is the result of such a call. Otherwise, returnsvalue
unchanged. -
getTrusted(type, maybeTrusted);
Given an object and a security context in which to assign it, returns a value that's safe to use in this context, which was represented by the parameter. To do so, this function either unwraps the safe type it has been given (for instance, a
$sceDelegate.trustAs
result), or it might try to sanitize the value given, depending on the context and sanitizer availablility.The contexts that can be sanitized are $sce.MEDIA_URL, $sce.URL and $sce.HTML. The first two are available by default, and the third one relies on the
$sanitize
service (which may be loaded through thengSanitize
module). Furthermore, for $sce.RESOURCE_URL context, a plain string may be accepted if the resource url policy defined by$sceDelegateProvider.resourceUrlWhitelist
and$sceDelegateProvider.resourceUrlBlacklist
accepts that resource.This function will throw if the safe type isn't appropriate for this context, or if the value given cannot be accepted in the context (which might be caused by sanitization not being available, or the value not being recognized as safe).
Disabling auto-escaping is extremely dangerous, it usually creates a Cross Site Scripting (XSS) vulnerability in your application.Parameters
Param Type Details type string
The context in which this value is to be used (such as
$sce.HTML
).maybeTrusted *
The result of a prior
$sceDelegate.trustAs
call, or anything else (which will not be considered trusted.)Returns
*
A version of the value that's safe to use in the given context, or throws an exception if this is impossible.
© 2010–2018 Google, Inc.
Licensed under the Creative Commons Attribution License 4.0.
https://code.angularjs.org/1.7.8/docs/api/ng/service/$sceDelegate