- $sceDelegateProvider
- service in module ng
$sceDelegate
is a service that is used by the $sce
service to provide Strict Contextual Escaping (SCE) services to AngularJS.
Typically, you would configure or override the $sceDelegate instead of the $sce
service to customize the way Strict Contextual Escaping works in AngularJS. This is because, while the $sce
provides numerous shorthand methods, etc., you really only need to override 3 core functions (trustAs
, getTrusted
and valueOf
) to replace the way things work because $sce
delegates to $sceDelegate
for these operations.
Refer $sceDelegateProvider to configure this service.
The default instance of $sceDelegate
should work out of the box with little pain. While you can override it completely to change the behavior of $sce
, the common case would involve configuring the $sceDelegateProvider instead by setting your own whitelists and blacklists for trusting URLs used for loading AngularJS resources such as templates. Refer $sceDelegateProvider.resourceUrlWhitelist and $sceDelegateProvider.resourceUrlBlacklist
Usage
$sceDelegate();
Methods
-
trustAs(type, value);
Returns an object that is trusted by angular for use in specified strict contextual escaping contexts (such as ng-bind-html, ng-include, any src attribute interpolation, any dom event binding attribute interpolation such as for onclick, etc.) that uses the provided value. See $sce for enabling strict contextual escaping.
Parameters
Param Type Details type string
The kind of context in which this value is safe for use. e.g. url, resourceUrl, html, js and css.
value *
The value that that should be considered trusted/safe.
Returns
*
A value that can be used to stand in for the provided
value
in places where Angular expects a $sce.trustAs() return value. -
valueOf(value);
If the passed parameter had been returned by a prior call to
$sceDelegate.trustAs
, returns the value that had been passed to$sceDelegate.trustAs
.If the passed parameter is not a value that had been returned by
$sceDelegate.trustAs
, returns it as-is.Parameters
Param Type Details value *
The result of a prior
$sceDelegate.trustAs
call or anything else.Returns
*
The
value
that was originally provided to$sceDelegate.trustAs
ifvalue
is the result of such a call. Otherwise, returnsvalue
unchanged. -
getTrusted(type, maybeTrusted);
Takes the result of a
$sceDelegate.trustAs
call and returns the originally supplied value if the queried context type is a supertype of the created type. If this condition isn't satisfied, throws an exception.Disabling auto-escaping is extremely dangerous, it usually creates a Cross Site Scripting (XSS) vulnerability in your application.Parameters
Param Type Details type string
The kind of context in which this value is to be used.
maybeTrusted *
The result of a prior
$sceDelegate.trustAs
call.Returns
*
The value the was originally provided to
$sceDelegate.trustAs
if valid in this context. Otherwise, throws an exception.
Please login to continue.