Compiles a string with markup into an interpolation function. This service is used by the HTML $compile service for data binding. See $interpolateProvider for configuring the interpolation markup.
```js
var $interpolate = ...; // injected
var exp = $interpolate('Hello {{name | uppercase}}!');
expect(exp({name: 'Angular'})).toEqual('Hello ANGULAR!');
```
$interpolate takes an optional fourth argument, allOrNothing. If allOrNothing is true, the interpolation function will return undefined unless all embedded expressions evaluate to a value other than undefined.
```js
var $interpolate = ...; // injected
var context = {greeting: 'Hello', name: undefined};

// default "forgiving" mode
var exp = $interpolate('{{greeting}} {{name}}!');
expect(exp(context)).toEqual('Hello !');

// "allOrNothing" mode
exp = $interpolate('{{greeting}} {{name}}!', false, null, true);
expect(exp(context, true)).toBeUndefined();
context.name = 'Angular';
expect(exp(context, true)).toEqual('Hello Angular!');
```
allOrNothing is useful for interpolating URLs. ngSrc and ngSrcset use this behavior.
$interpolate provides a mechanism for escaping interpolation markers. Start and end markers can be escaped by preceding each of their characters with a REVERSE SOLIDUS U+005C (backslash). It will be rendered as a regular start/end marker, and will not be interpreted as an expression or binding.
This enables web-servers to prevent script injection attacks and defacing attacks, to some degree, while also enabling code examples to work without relying on the ngNonBindable directive.
For security purposes, it is strongly encouraged that web servers escape user-supplied data, replacing angle brackets (<, >) with &lt; and &gt; respectively, and replacing all interpolation start/end markers with their escaped counterparts.
Escaped interpolation markers are only replaced with the actual interpolation markers in rendered output when the $interpolate service processes the text. So, for HTML elements interpolated by $compile, or otherwise interpolated with the mustHaveExpression parameter set to true, the interpolated text must contain an unescaped interpolation expression. As such, this is typically useful only when user-data is used in rendering a template from the server, or when otherwise untrusted data is used by a directive.
```html
<div ng-init="username='A user'">
  <p ng-init="apptitle='Escaping demo'">{{apptitle}}: \{\{ username = "defaced value"; \}\}
  </p>
  <p><strong>{{username}}</strong> attempts to inject code which will deface the
    application, but fails to accomplish their task, because the server has correctly
    escaped the interpolation start/end markers with REVERSE SOLIDUS U+005C (backslash)
    characters.</p>
  <p>Instead, the result of the attempted script injection is visible, and can be removed
    from the database by an administrator.</p>
</div>
```
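The server-side escaping recommended above, as an added example in JavaScript (Node.js) that is not part of the AngularJS documentation. The function names and sample inputs are constructed for illustration, and the markers are assumed to contain no backslash or angle bracket. It goes slightly beyond the text by covering overlapping marker runs such as {{{ and custom start/end symbols.

```javascript
// Added example (not AngularJS code): escape untrusted text on the server
// before it is written into a template that $compile will process.
// Assumptions: names and inputs are constructed; markers contain no
// backslash or angle bracket.

// Mark every index of `text` that lies inside an occurrence of `marker`,
// including overlapping occurrences, so a run like "{{{" is fully covered
// and no unescaped pair is left behind.
function markOccurrences(text, marker, covered) {
  var at = text.indexOf(marker);
  while (at !== -1) {
    for (var i = at; i < at + marker.length; i++) covered[i] = true;
    at = text.indexOf(marker, at + 1);
  }
}

function escapeForInterpolation(untrusted, startSymbol, endSymbol) {
  startSymbol = startSymbol || '{{'; // $interpolate defaults
  endSymbol = endSymbol || '}}';
  var text = String(untrusted);
  var covered = [];
  markOccurrences(text, startSymbol, covered);
  markOccurrences(text, endSymbol, covered);

  var out = '';
  for (var i = 0; i < text.length; i++) {
    var ch = text.charAt(i);
    if (covered[i]) out += '\\' + ch;   // REVERSE SOLIDUS before each marker character
    else if (ch === '<') out += '&lt;'; // angle brackets, as the text recommends
    else if (ch === '>') out += '&gt;';
    else out += ch;                     // single braces etc. are left alone
  }
  return out;
}

// True when escaped text still contains a marker $interpolate would act on.
function hasLiveMarker(escaped, startSymbol, endSymbol) {
  return escaped.indexOf(startSymbol || '{{') !== -1 ||
         escaped.indexOf(endSymbol || '}}') !== -1;
}
```

If $interpolateProvider has been configured with different symbols, pass the same symbols to the escaper so that the server and the client agree on what a marker is.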
$parse
$sce
$interpolate(text,[mustHaveExpression],[trustedContext],[allOrNothing]);
Parameter | Type | Details |
---|---|---|
text | string | The text with markup to interpolate. |
mustHaveExpression (optional) | boolean | if set to true then the interpolation string must have embedded expression in order to return an interpolation function. Strings with no embedded expression will return null for the interpolation function. |
trustedContext (optional) | string | when provided, the returned function passes the interpolated result through $sce.getTrusted(interpolatedResult, trustedContext) before returning it. Refer to the $sce service that provides Strict Contextual Escaping for details. |
allOrNothing (optional) | boolean | if |

function(context) | an interpolation function which is used to compute the interpolated string. The function has these parameters: |
startSymbol();
Symbol to denote the start of expression in the interpolated string. Defaults to {{.
Use $interpolateProvider#startSymbol to change the symbol.
string | start symbol. |
endSymbol();
Symbol to denote the end of expression in the interpolated string. Defaults to }}.
Use $interpolateProvider#endSymbol to change the symbol.
string | end symbol. |