javascript - How is concatenating urls in templates in angular less secure than in other locations? -


I have an angular railway template, which looks like this: 

  & lt; Img ng: src = "/ resources / {{id}} / thumbnail" />   
 However this is the result in one. Unlike this template:  
  & lt; Img ng: src = "{{fullUrl}}" />   
 Or even:  
  & lt; Img ng: src = "{{id | createThumbnailURL}}" / & gt;   
 (Where createThumbnailURL is a simple filter that processes the same process as above) works perfectly well.  
 The documentation says:  
 
 The conjunction expression makes it difficult to argue that some combination of conceptualized valuation is unsafe to use and can easily be XSS Are there.   
 OK, always a constant url included, I see point there though it is not extraordinary for me that they are REST-APIs that have URLs that are created by simple containment And it should be merged  somehwere  I can do it in the controller or even server side, but  how to insert any other place Finds improvements?  And  What is the suggestion of dealing with this problem?   
  UPDATE   
 There is a demo for this error:  
 It may be that the page is XML .  
 
  This is called SCE (strict referencing escoding):  Like many "hardness" modes, this configuration Eligible but as V 1.2 it is automatically set to true.  
 More specifically refers to angular weak (like URL) in references, where there is permission for short interpolation (hardness). Your URL termination is being "synthesized"  
 You already know about this reason:   XSS attacks   use it to protect the developer Also used: Some incorrect urls can cause data removal or overwriting.  
 Why are you probably confused that the complete string is <0> ng: src = "{{fullUrl}}"  is more secure than string combination  ng: src = "/ Resources / {{id}} / thumbnail ". TBH, I'm not sure there is any serious difference, but these decisions are call.  
  1)  ,  } / <>   
  2)  If you type  
  angular.module ('myApp') If you choose, you can disable SEC on your application. Config (function ($ sceProvider) {$ sceProvider.enabled (false);});   
 
  Correction:   
 You can not call the $ sce service from the instruction. Only $ Scope service is available directly but you can use a function (or a function  
  $ scope.createUrl = function (strName) {var truststrings = '/ resources /' + strName + '/ thumbnail'; return truststring;} < / Code>  
 and your directive  
   & gt;   
 In this case, if you wrap your inclusion in a function, then even after breaking the SEC rule you will not need to deactivate it.

Comments

Post a Comment

Popular posts from this blog

c - Mpirun hangs when mpi send and recieve is put in a loop -

I was trying to use the program to use mifrewan on 4 node clusters. Distributing node 0 data in nodes 1, 2 and 3. In the program, from '90 'to variable values ​​of' dior 'to be calculated. Therefore the node is distributing data and collecting results in an omitted fashion (for different values ​​of var 'dir') when do {*******} Whereas (dir Loop is given, Mippun is hanging, and no output is found. But when I comment on two {*******} (dir The loop output is obtained for the initial value of variable dir dir = -90 ), and that output is correct. The problem occurs when the loop is given. Can anyone help me in solving this problem. #include "mpi.h" int main (int argc, char * argv []) Float dir = -90; Int rank, nanoprakash; MPI_Status status; MPI_Init (& amp; argc, & argv); MPI_Comm_rank (MPI_COMM_WORLD, & amp; Rank); MPI_Comm_size (MPI_COMM_WORLD, & amp; numprocs); If (rank == 0) {/ / data to begin / / (dest = 1; dest ...
Read more

python - Apply coupon to a customer's subscription based on non-stripe related actions on the site -

I can not find anything in the source about using coupons after subscribing to a user's plan. Is it possible to use a coupon to credit a user's membership after initial subscription? If not, what is the best option? Specifically, I want to give a user 100% coupon for that month, when they take 5 [site specific actions]. This is possible, but may not be the best idea. Coupons are currently applied to the stripe, then apply again at the customer level and each client can have a single coupon. So if you are already offering discounts to the coupon, then the customer who is currently in the present will also give up. It also means that if you are using a recently-added multiple subscription capacity, then all of the user's subscription will be ready for the month. Coupons can be set to "Once", only once (as the only name) can be used by any customer, so if this credit can earn more than once, You will have to maintain a 100% discount coupon continuousl...
Read more

java - Unable to get JDBC connection in Spring application to MySQL -

मैंने स्प्रिंग में डीबी कॉन्फ़िगरेशन का पालन किया है: & lt; bean id = "dataSource" Class = "org.apache.commons.dbcp.BasicDataSource" नष्ट-विधि = "बंद" & gt; & Lt; प्रॉपर्टी नाम = "url" मान = "jdbc: dburl" / & gt; & Lt; संपत्ति नाम = "driverClassName" मान = "com.mysql.jdbc.Driver" / & gt; & Lt; संपत्ति नाम = "उपयोगकर्ता नाम" मान = "उपयोगकर्ता नाम" / & gt; & Lt; संपत्ति नाम = "पासवर्ड" मान = "पासवॉर्फ" / & gt; & Lt; प्रॉपर्टी नाम = "हटाए गए हटाए गए" मान = "सही" / & gt; & Lt; गुण नाम = "प्रारंभिक आकार" मान = "3" / & gt; & Lt; संपत्ति नाम = "अधिकतमअक्टिव" मान = "5" / & gt; & Lt; / सेम ​​& gt; डीबी से गुण मूल्यों को लोड करने के लिए अतिरिक्त कॉन्फ़िगरेशन। & lt; bean id = "config1" class = "org.apache.commons.configuration....
Read more