Kevin Hakans..
5
让我们从重构你的内容开始,logEntry将interpolateParams分开
var translationId = 'Log.' + msg.context.entity_type) + '.' + msg.context.action;
var interpolateParams = {
'object_name': msg.context.object_name,
'user': msg.context.user_name
};
var translated = $translate(translationId, interpolateParams);
return $sce.trustAsHtml(translated);
您想要从中转义所有HTML,interpolateParams但在翻译模板中保留任何HTML.使用此代码复制对象,迭代其值并替换为转义的HTML.
var safeParams = angular.copy(interpolateParams);
angular.forEach(safeParams, function(value, key, obj) {
obj[key] = encodeEntities(value)
// if you want safe/sanitized HTML, use this instead
// obj[key] = $sanitize(value);
});
var translated = $translate(translationId, safeParams);
最后,encodeEntitiesangular 的功能没有暴露,因此我们不得不从angular-sanitize.js借用源代码
var SURROGATE_PAIR_REGEXP = /[\uD800-\uDBFF][\uDC00-\uDFFF]/g,
// Match everything outside of normal chars and " (quote character)
NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g;
function encodeEntities(value) {
return value.
replace(/&/g, '&').
replace(SURROGATE_PAIR_REGEXP, function(value) {
var hi = value.charCodeAt(0);
var low = value.charCodeAt(1);
return '' + (((hi - 0xD800) * 0x400) + (low - 0xDC00) + 0x10000) + ';';
}).
replace(NON_ALPHANUMERIC_REGEXP, function(value) {
return '' + value.charCodeAt(0) + ';';
}).
replace(/
replace(/>/g, '>');
}
更新:更新为angular-translate 2.7.0后出现此消息:
pascalprecht.translate.$ translateSanitization:未配置清理策略.这可能会产生严重的安全隐患.有关详细信息,请参见
http://angular-translate.github.io/docs/#/guide/19_security.
Sp代替trustlate上面的答案,angular-translate可以完成相同的结果:
$translateProvider.useSanitizeValueStrategy('escapeParameters');
有关更多Sanitize Value Strategies的信息,请参阅文档
