47

I want to bind a HTML string with an custom style to the DOM. However ngSanitize removes the style from the string.

For example:

In the controller:

$scope.htmlString = "<span style='color: #89a000'>123</span>!";

And in DOM:

<div data-ng-bind-html="htmlString"></div>

Will omit the style attribute. The result will look like:

<div data-ng-bind-html="htmlString"><span>123</span>!</div>

Instead of:

<div data-ng-bind-html="htmlString"><span style='color: #89a000'>123</span>!</div>

Question: How can I achieve this?

Improve this question

5 Answers 5

Reset to default
72

As already mentioned @Beyers, you have to use $sce.trustAsHtml(), to use it directly into the DOM, you could do it like this, JS/controller part:

$scope.trustAsHtml = function(string) {
    return $sce.trustAsHtml(string);
};

And in DOM/HTML part

<div data-ng-bind-html="trustAsHtml(htmlString)"></div>
Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

I tried your code with the AngularJS version 1.3.15 and it didn't work :(
I found the Chris's answer with this post and it worked perfectly. :) stackoverflow.com/questions/18340872/…
be carefull, don't use this is if the user can use the input 'string', otherwise you have an XSS
This variant is nice
51

What about custom angular filter? This works in 1.3.20 

angular.module('app.filters')
    .filter('trusted', function($sce){
        return function(html){
            return $sce.trustAsHtml(html)
        }
     })

Use it like <div ng-bind-html="model.content | trusted"></div>

Improve this answer

1 Comment

This is the better solution
13

If you trust the html, then you can use $sce.trustAsHtml to explicitly trust the html. Quick example:

In controller (remember to inject $sce into your controller):

$scope.htmlString = $sce.trustAsHtml("<span style='color: #89a000'>123</span>!");

And in DOM, same as what you had:

<div data-ng-bind-html="htmlString"></div>
Improve this answer

2 Comments

Isn't there another way? Preferably from withing the DOM itself. This one doesn't end up clean in my situation.
Apart from completely disabling $sce docs.angularjs.org/api/… (not recommended), there isn't a build-in way to handle this within the DOM itself that I'm aware of. Pretty sure you should be able to get this done writing your own custom directive.
0

You should create your own custom directive that will have the html as template or reference it with templateUrl. Within the html you can use ng-style to add an object as your style.

Here's an example: http://jsfiddle.net/tomepejo/5AsQE/

Improve this answer

Comments

0

You can use textAngular, couse ngSanitize whitelists are not flexible ( see this issues for more details: https://github.com/angular/angular.js/issues/5900)

Improve this answer

1 Comment

Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.