holmesal
commented
10 years ago Done, moved to using the ng-sanitize linky filter
Closed holmesal closed 10 years ago
holmesal
commented
10 years ago Done, moved to using the ng-sanitize linky filter
Ya doofus.
Sending the message
<script type="text/javascript">alert("hi matt")</script>executes said code in the browser, because $sce has trusted message text as a valid HTML source. Need to do something smarter instead.