From dd02891c4916410b3aa12018b483daf00a0f4c1f Mon Sep 17 00:00:00 2001
From: danieljsinclair
Date: Wed, 14 May 2014 16:37:31 +0100
Subject: [PATCH] avoid bypassing xss protection

element.html() sets the raw value directly in the dom which seems to bypass the built-in $sce protection one would normally get with a built-in directive. This seems dangerous to promote as an example.
---
 src/ng/directive/input.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/ng/directive/input.js b/src/ng/directive/input.js
index 0c7664e1d02e..69e39c257fad 100644
--- a/src/ng/directive/input.js
+++ b/src/ng/directive/input.js
@@ -1481,7 +1481,7 @@ var VALID_CLASS = 'ng-valid',
 angular.module('customControl', []).
- directive('contenteditable', function() {
+ directive('contenteditable', ['$sce', function($sce) {
 return {
 restrict: 'A', // only activate on element attribute
 require: '?ngModel', // get a hold of NgModelController
@@ -1490,7 +1490,7 @@ var VALID_CLASS = 'ng-valid',
 // Specify how UI should be updated
 ngModel.$render = function() {
- element.html(ngModel.$viewValue || '');
+ element.html($sce.getTrustedHtml(ngModel.$viewValue || ''));
 };
 // Listen for change events to enable binding
@@ -1511,7 +1511,7 @@ var VALID_CLASS = 'ng-valid',
 }
 }
 };
- });
+ }]);
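Review bot: `element.html($sce.getTrustedHtml(ngModel.$viewValue || ''))` in the new `$render` is expected to throw a `$sce:unsafe` error for any plain-string model value, because `getTrustedHtml` is a trust check rather than a sanitizer: it only unwraps values previously marked with `$sce.trustAsHtml` (or, when ngSanitize is loaded, passes them through `$sanitize`), and the module in the first hunk is declared as `angular.module('customControl', [])` with no ngSanitize dependency. The directive's own write-back path — the change listener announced by the `// Listen for change events` comment at the end of the hunk, whose body lies outside it — presumably feeds `element.html()` back into the model as a plain string, so the example would break on the first re-render after a user edit. If rich text is intended, make the sanitization explicit: `angular.module('customControl', ['ngSanitize'])`, inject `$sanitize` in place of `$sce`, and write `element.html($sanitize(ngModel.$viewValue || ''));`; if it is not, `element.text(ngModel.$viewValue || '')` avoids HTML injection without any sanitizer. Either way a comment such as `// model value is user-controlled markup; sanitize it before inserting into the DOM` would record why the raw `html()` call was removed.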