|
| 1 | + |
| 2 | +/** |
| 3 | + * @ngdoc object |
| 4 | + * @name ui.router.util.$templateFactoryProvider |
| 5 | + * |
| 6 | + * @description |
| 7 | + * Provider for $templateFactory. Manages which template-loading mechanism to |
| 8 | + * use, and will default to the most recent one ($templateRequest on Angular |
| 9 | + * versions starting from 1.3, $http otherwise). |
| 10 | + */ |
| 11 | +function $TemplateFactoryProvider() { |
| 12 | + var shouldUnsafelyUseHttp = angular.version.minor < 3; |
| 13 | + |
| 14 | + /** |
| 15 | + * @ngdoc function |
| 16 | + * @name ui.router.util.$templateFactoryProvider#shouldUnsafelyUseHttp |
| 17 | + * @methodOf ui.router.util.$templateFactoryProvider |
| 18 | + * |
| 19 | + * @description |
| 20 | + * Forces $templateFactory to use $http instead of $templateRequest. This |
| 21 | + * might cause XSS, as $http doesn't enforce the regular security checks for |
| 22 | + * templates that have been introduced in Angular 1.3. Note that setting this |
| 23 | + * to false on Angular older than 1.3.x will crash, as the $templateRequest |
| 24 | + * service (and the security checks) are not implemented on these versions. |
| 25 | + * |
| 26 | + * See the $sce documentation, section |
| 27 | + * <a href="https://docs.angularjs.org/api/ng/service/$sce#impact-on-loading-templates"> |
| 28 | + * Impact on loading templates</a> for more details about this mechanism. |
| 29 | + * |
| 30 | + * @param {boolean} value |
| 31 | + */ |
| 32 | + this.shouldUnsafelyUseHttp = function(value) { |
| 33 | + shouldUnsafelyUseHttp = !!value; |
| 34 | + }; |
| 35 | + |
| 36 | + /** |
| 37 | + * @ngdoc object |
| 38 | + * @name ui.router.util.$templateFactory |
| 39 | + * |
| 40 | + * @requires $http |
| 41 | + * @requires $templateCache |
| 42 | + * @requires $injector |
| 43 | + * |
| 44 | + * @description |
| 45 | + * Service. Manages loading of templates. |
| 46 | + */ |
| 47 | + this.$get = ['$http', '$templateCache', '$injector', function($http, $templateCache, $injector){ |
| 48 | + return new $TemplateFactory($http, $templateCache, $injector, shouldUnsafelyUseHttp);}]; |
| 49 | +} |
| 50 | + |
| 51 | + |
1 | 52 | /** |
2 | 53 | * @ngdoc object |
3 | 54 | * @name ui.router.util.$templateFactory |
|
9 | 60 | * @description |
10 | 61 | * Service. Manages loading of templates. |
11 | 62 | */ |
12 | | -$TemplateFactory.$inject = ['$http', '$templateCache', '$injector']; |
13 | | -function $TemplateFactory( $http, $templateCache, $injector) { |
| 63 | +function $TemplateFactory($http, $templateCache, $injector, shouldUnsafelyUseHttp) { |
14 | 64 |
|
15 | 65 | /** |
16 | 66 | * @ngdoc function |
@@ -83,7 +133,7 @@ function $TemplateFactory( $http, $templateCache, $injector) { |
83 | 133 | if (isFunction(url)) url = url(params); |
84 | 134 | if (url == null) return null; |
85 | 135 | else { |
86 | | - if($injector.has && $injector.has('$templateRequest')) { |
| 136 | + if(!shouldUnsafelyUseHttp) { |
87 | 137 | return $injector.get('$templateRequest')(url); |
88 | 138 | } else { |
89 | 139 | return $http |
@@ -111,6 +161,6 @@ function $TemplateFactory( $http, $templateCache, $injector) { |
111 | 161 | this.fromProvider = function (provider, params, locals) { |
112 | 162 | return $injector.invoke(provider, null, locals || { params: params }); |
113 | 163 | }; |
114 | | -} |
| 164 | +}; |
115 | 165 |
|
116 | | -angular.module('ui.router.util').service('$templateFactory', $TemplateFactory); |
| 166 | +angular.module('ui.router.util').provider('$templateFactory', $TemplateFactoryProvider); |
0 commit comments