Use angular's $sanitize to prevent XSS

Addresses showdownjs#70 at least within angular.
wkonkel · Apr 22, 2015 · 2b2eb97 · 2b2eb97
1 parent eca8386
commit 2b2eb97
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/src/ng-showdown.js b/src/ng-showdown.js
@@ -10,7 +10,7 @@ if (typeof angular !== 'undefined'  && typeof Showdown !== 'undefined') {
 
         module
             .provider('$Showdown', provider)
-            .directive('sdModelToHtml', ['$Showdown', markdownToHtmlDirective])
+            .directive('sdModelToHtml', ['$Showdown', '$sanitize', markdownToHtmlDirective])
             .filter('sdStripHtml', stripHtmlFilter);
 
         /**
@@ -106,13 +106,13 @@ if (typeof angular !== 'undefined'  && typeof Showdown !== 'undefined') {
          * @param $Showdown
          * @returns {*}
          */
-        function markdownToHtmlDirective($Showdown) {
+        function markdownToHtmlDirective($Showdown, $sanitize) {
 
             var link = function (scope, element) {
                 scope.$watch('model', function (newValue) {
                     var val;
                     if (typeof newValue === 'string') {
-                        val = $Showdown.makeHtml(newValue);
+                        val = $sanitize($Showdown.makeHtml(newValue));
                     } else {
                         val = typeof newValue;
                     }
@@ -140,7 +140,7 @@ if (typeof angular !== 'undefined'  && typeof Showdown !== 'undefined') {
             };
         }
 
-    })(angular.module('Showdown', []), Showdown);
+    })(angular.module('Showdown', ['ngSanitize']), Showdown);
 
 } else {