我使用 ngSanitize 在一个AngularJS应用程序删除不需要的或危险的部分。然而，使用HTML富文本编辑器生成的内容和包含一些风格信息，该信息获取删除（例如，文本颜色）。

I am using ngSanitize in an AngularJS application to remove unwanted or dangerous parts. However, the content is generated using an HTML Richtext editor and contains some style information, which gets removed (e.g. the text color).

我知道，这是去除内联CSS样式是有用的，但我会preFER一个的白名单的与没有得到删除CSS属性。有没有办法实现这个而不授予所有的CSS属性？

I know that it is useful to remove inlined CSS styles, but I would prefer a whitelist with CSS attributes that do not get removed. Is there a way to achieve this without granting all CSS attributes?

推荐答案

阅读为ngSanitize的文档，它看起来好像使用两个白名单来确定哪些数据来阻止（的这里描述，在 $ compileProvider ）。

Reading the documentation for ngSanitize, it looks as though it uses two whitelists to determine what data to block (described here, in $compileProvider).

二白名单 aHrefSanitizationWhitelist（[正则表达式]）和 imgSrcSanitizationWhitelist（[正则表达式]）。但是，它看起来好像这两个只能处理的URL的链接，prevent XSS攻击。

The two whitelists are aHrefSanitizationWhitelist([regexp]) and imgSrcSanitizationWhitelist([regexp]). However, it looks as though these two only handle URLs for links to prevent XSS attacks.

您可以使用 sce.trustAsHtml（）（或可能的话，数据绑定H​​TML的不安全如果这仍然是一个事情，但我认为这是pcated德$ p $），但是，这不是正是你想要的;这将打开你到所有的HTML，安全或不安全的。

You can use sce.trustAsHtml() (or, possibly, data-bind-html-unsafe if that's still a thing, but I think that's deprecated) but that's not exactly what you want; that would open you up to all HTML, safe or unsafe.

这可能是值得检查出文档 $ SCE 。看它到目前为止，有转义CSS一种选择，但我不知道是否会在HTML标记逃脱内联CSS。到目前为止，我没有看到选项提供了一个白名单的 parseAs 方法。

It might be worth it to check out the documentation for $sce. Looking at it so far, there's an option for escaping CSS, but I'm not sure if it would escape inline CSS in an HTML tag. So far, I see no options for providing a whitelist to the parseAs method.

编辑：

翻翻 $消毒的来源$ C ​​$ C ，它看起来好像它被设置为允许风格的东西的标签的，而不是风格的属性的。样式属性将被sanitize方法，除非更改源$ C ​​$ C获得剥夺。类，但是，没有得到剥离，所以你可能有一个解决方法那里。 （事实上​​，允许类和不内嵌样式，你都不可能限制你的评论部分风格的用法。）

Looking through the $sanitize source code, it looks as though it's set to allow stuff in style tags, but not style attributes. Style attributes will get stripped by sanitize unless you change the source code. Classes, however, don't get stripped, so you may have a workaround there. (In fact, by allowing classes and not inline styles, you can possibly restrict style usage in your comments section.)

唯一的其他选择是推出自己的，现在看来，除非有人已经拥有了。

The only other alternative would be to roll your own, it seems, unless someone already has.