Improve this Doc  View Source

$sceDelegate

  1. - $sceDelegateProvider
  2. - service in module ng

$sceDelegate is a service that is used by the $sce service to provide Strict Contextual Escaping (SCE) services to AngularJS.

Typically, you would configure or override the $sceDelegate instead of the $sce service to customize the way Strict Contextual Escaping works in AngularJS. This is because, while the $sce provides numerous shorthand methods, etc., you really only need to override 3 core functions (trustAs, getTrusted and valueOf) to replace the way things work because $sce delegates to $sceDelegate for these operations.

Refer $sceDelegateProvider to configure this service.

The default instance of $sceDelegate should work out of the box with little pain. While you can override it completely to change the behavior of $sce, the common case would involve configuring the $sceDelegateProvider instead by setting your own whitelists and blacklists for trusting URLs used for loading AngularJS resources such as templates. Refer $sceDelegateProvider.resourceUrlWhitelist and $sceDelegateProvider.resourceUrlBlacklist

Usage

$sceDelegate();

Methods

  • trustAs(type, value);

    Returns an object that is trusted by angular for use in specified strict contextual escaping contexts (such as ng-bind-html, ng-include, any src attribute interpolation, any dom event binding attribute interpolation such as for onclick, etc.) that uses the provided value. See $sce for enabling strict contextual escaping.

    Parameters

    Param Type Details
    type string

    The kind of context in which this value is safe for use. e.g. url, resourceUrl, html, js and css.

    value *

    The value that that should be considered trusted/safe.

    Returns

    *

    A value that can be used to stand in for the provided value in places where Angular expects a $sce.trustAs() return value.

  • valueOf(value);

    If the passed parameter had been returned by a prior call to $sceDelegate.trustAs, returns the value that had been passed to $sceDelegate.trustAs.

    If the passed parameter is not a value that had been returned by $sceDelegate.trustAs, returns it as-is.

    Parameters

    Param Type Details
    value *

    The result of a prior $sceDelegate.trustAs call or anything else.

    Returns

    *

    The value that was originally provided to $sceDelegate.trustAs if value is the result of such a call. Otherwise, returns value unchanged.

  • getTrusted(type, maybeTrusted);

    Takes the result of a $sceDelegate.trustAs call and returns the originally supplied value if the queried context type is a supertype of the created type. If this condition isn't satisfied, throws an exception.

    Disabling auto-escaping is extremely dangerous, it usually creates a Cross Site Scripting (XSS) vulnerability in your application.

    Parameters

    Param Type Details
    type string

    The kind of context in which this value is to be used.

    maybeTrusted *

    The result of a prior $sceDelegate.trustAs call.

    Returns

    *

    The value the was originally provided to $sceDelegate.trustAs if valid in this context. Otherwise, throws an exception.