Closed holmesal closed 10 years ago
Ya doofus.
Sending the message `<script type="text/javascript">alert("hi matt")</script>` executes said code in the browser, because $sce has trusted message text as a valid HTML source. Need to do something smarter instead.
Done, moved to using the ng-sanitize linky filter
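The difference between trusting message text as HTML and rendering it through a filter that treats it as text and only adds links can be shown outside AngularJS. This is an added example, not code from this issue or from ngSanitize; `renderTrusted` and `renderLinkified` are hypothetical names, and the linkifier is a simplified stand-in for the escape-then-link behaviour of `linky`.

```javascript
// Added example, not ngSanitize's code: hypothetical helpers that contrast
// "trust the message as HTML" with "escape the text, then add links".

// Encode the characters that would let message text become markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern from the issue: the message is passed through unchanged
// and bound as HTML, so any tags in it are interpreted by the browser.
function renderTrusted(text) {
  return String(text);
}

// Hardened pattern: the message is plain text. Only the <a> tags built here
// reach the page; everything else, including the URL itself, is escaped.
function renderLinkified(text) {
  const input = String(text);
  const urlPattern = /\bhttps?:\/\/[^\s<>"']+/g; // http(s) only, so no javascript: links
  let html = '';
  let last = 0;
  for (const match of input.matchAll(urlPattern)) {
    const url = escapeHtml(match[0]);
    html += escapeHtml(input.slice(last, match.index));
    html += '<a href="' + url + '" rel="noopener noreferrer">' + url + '</a>';
    last = match.index + match[0].length;
  }
  return html + escapeHtml(input.slice(last));
}

// Constructed sample messages: the payload quoted in the issue, and a chat line with a URL.
const samples = [
  '<script type="text/javascript">alert("hi matt")</script>',
  'docs are at https://example.com/a?b=1&c=2 now',
];
for (const message of samples) {
  console.log('trusted  :', renderTrusted(message));
  console.log('linkified:', renderLinkified(message));
}
```

In the AngularJS template the equivalent is binding the raw message through the `linky` filter with `ng-bind-html` instead of passing a `$sce`-trusted value.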