{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 小情绪 Triste * 的问题《iframe not working in AngularJS 1.3.0》','https://www.manongdao.com/q-1103701.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm new to web dev. I'm using AngularJS 1.3.0. When I try using {{ things[0].embed }} to insert the embedded source video link from my database, nothing is displayed, but hardcoding the link, for example "//www.youtube.com/embed/wZZ7oFKsKzY", works. Is there something that I'm missing? Am I misusing the scope somehow? Here's another example of what I'm trying to do. If you replace the {{thing[0].embed}} with the youtube link, it works. Why doesn't it replace the {{thing[0].embed}} with the link? http://plnkr.co/edit/Udml7NIyWcUuMtYGDXNc?p=preview
//myCore.js
var coreControl = angular.module('myCore', []);
function mainController($scope, $http) {
$scope.formData = {};
$http.get('*')
.success(function(data) {
$scope.things = data;
console.log(data);
})
.error(function(data) {
console.log('Error: ' + data);
});
$scope.doThings = function() {
$http.post('*', $scope.formData)
.success(function(data) {
$scope.formData = {};
$scope.things = data;
console.log(data);
})
.error(function(data) {
console.log('Error: ' + data);
});
};
}
//index.html
<div ng-if="moves.length==1" class="col-sm-4 col-sm-offset-4">
<h1> {{ things[0].name }} </h1>
<iframe width="560" height="315" ng-src="{{ things[0].embed }}" frameborder="0" allowfullscreen></iframe>
{{ things[0].embed }}
</div>
I know I joined the party late (again), but there you go:
Strict Conceptual Escaping (SCE) is an important concept in Angular should not be taken light-heartedly (if you care about the security of your app).
It is important to understand wht it means and what are the implications and dangers in calling
$sce.trustAs...().This answer gives a little insight on what is SCE and why does Angular treat resources (such as URLs) the way it does.
That answer explains the importance of client-side sanitization (this is what you by-pass by calling
$sce.trustAs...()unless you are 100% sure that you can trust it).That said, there might be better (read "safer and more maintainable") ways to achieve the same result.
E.g.
$sceDelegateProvider(which is used by the$sceservice to decide what is secure and what isn't) provides methods to white-list/black-list resources using string-matching (with optional wildcards) or regular expressions (not recommended).For more info on how to populate your white-/black-list take a look here.
E.g. if you want your application to allow links from
www.youtube.com, you can define your white-list like this:See, also, this updated demo.
Your updated plunker
You must explicitly direct angular to trust content that could otherwise provide security holes for xss attacks. That is what the
$sce.trustResourceAsUrl()function call is for.