9

I created 2 filters in AngularJS autolink and nl2br.

autolink: converts a URL string to an <a> tag with the attributes rel="nofollow" target="_blank". I tried using ngSanitize with the linky filter, but it doesn't add the 2 attributes above to it, nor does it provide a way to do it with the exising API.

nl2br: converts new lines to <br> tags.

I want to apply these 2 filters to {{ comment }} using {{ comment | autolink | nl2br }} in my HTML, but the filters are applied before AngularJS does the HTML escaping which results in the <a> and <br> to be escaped as well. Basically, I want to apply the filters after the escaping took place.

Is there a way to do this with AngularJS?

Improve this question

1 Answer 1

Reset to default
13

If you have a standard interpolation in your HTML, Angular will escape it:

<div> {{ var | filter1 | filter2 }} </div>

The result of the whole expression will be escaped.

What you want is ng-bind-html-unsafe (docs here). You can expression basically the same thing as above as:

<div ng-bind-html-unsafe='var | filter1 | filter2'></div>

Now the result of the expression won't be sanitized, and will be inserted as the contents of the div.

EDIT: Note that there's also ng-bind-html, which will still produce HTML, but will sanitize it first ($sanitize docs).

ng-bind-html lives in the ngSanitize module, so you'll have to make sure that you've declared it as a dependency in your angular.module call.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

But I want the comment, in my case, to be escaped; with the 2 filters applied after the escaping.
Ah, then use ng-bind-html instead of ng-bing-html-unsafe. I've added that to the answer.
I did do that as stated in my original post. But I want everything escaped THEN apply my filters. ng-bind-html will safely escape some HTML and will leave some basic html tags alone. Also with ng-bind-html, it will remove the href attribute that I am defining with my autolink filter.
ng-bind-html is different from using curly braces. See jsfiddle.net/GqNxT - the href isn't stripped.
Ok, last try, as I think you're misunderstanding me. (1) have some data in $scope.comment. (2). inject $sanitize and sanitize just the comment $scope.sanitizedComment = $sanitize(@scope.comment). (3) Use sanitizedComment in your HTML <div ng-bind-html-unsafe='sanitizedComment | autolink | nl2br></div>. That way you only sanitize the comment, then the filters are applied unsafely, as-is, with ng-bind-html-unsafe.
|

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.