Angular $sce vs HTML in external locale files

2023-09-13 04:37:41 Author: 蒓凊♂尒莮孩



A question regarding ng-bind-html whilst upgrading an Angular app from 1.0.8 to 1.2.8:

I have locale strings stored in files named en_GB.json, fr_FR.json, etc. So far, I have allowed the use of HTML within the locale strings to allow the team writing the localized content to apply basic styling or adding inline anchor tags. This would result in the following example JSON:

{
  "changesLater":     "<strong>Don't forget</strong> that you can always make changes later.",
  "errorEmailExists": "That email address already exists, please <a href=\"login\">sign in</a> to continue."
}

When using these strings with ng-bind-html="myStr", I understand that I now need to use $sce.trustAsHtml(myStr). I could even write a filter as suggested in this StackOverflow answer which would result in using ng-bind-html="myStr | unsafe".

Questions:

By doing something like this, is my app now insecure? And if so, how might an attacker exploit this? I can understand potential exploits if the source of the displayed HTML string was a user (i.e. blog post-style comments that will be displayed to other users), but would my app really be at risk if I'm only displaying HTML from a JSON file hosted on the same domain? Is there any other way I should be looking to achieve the marking-up of externally loaded content strings in an Angular app?

Solution

You are not making your app any less secure. You were already inserting HTML in your page with the old method of ng-bind-html-unsafe. You are still doing the same thing, except now you have to explicitly trust the source of the HTML rather than just specifying that part of your template can output raw HTML. Requiring the use of $sce makes it harder to accidentally accept raw HTML from an untrusted source - in the old method where you only declared the trust in the template, bad input might make its way into your model in ways you didn't think of.

If the content comes from your domain, or a domain you control, then you're safe - at least as safe as you can be. If someone is somehow able to hijack the payload of a response from your own domain, then your security is already all manner of screwed. Note, however, you should definitely not ever call $sce.trustAsHtml on content that comes from a domain that isn't yours.

Apart from maintainability concerns, I don't see anything wrong with the way you're doing it. Having a ton of HTML live in a JSON file is maybe not ideal, but as long as the markup is reasonably semantic and not too dense, I think it's fine. If the markup becomes significantly more complex, I'd consider splitting it into separate angular template files or directives as needed, rather than trying to manage a bunch of markup wrapped in JSON strings.