Overview

$sceDelegate is a service that is used by the $sce service to provide Strict Contextual Escaping (SCE) services to AngularJS.

For an overview of this service and the functionnality it provides in AngularJS, see the main page for SCE. The current page is targeted for developers who need to alter how SCE works in their application, which shouldn't be needed in most cases.

AngularJS strongly relies on contextual escaping for the security of bindings: disabling or modifying this might cause cross site scripting (XSS) vulnerabilities. For libraries owners, changes to this service will also influence users, so be extra careful and document your changes.

Typically, you would configure or override the $sceDelegate instead of the $sce service to customize the way Strict Contextual Escaping works in AngularJS. This is because, while the $sce provides numerous shorthand methods, etc., you really only need to override 3 core functions (trustAs, getTrusted and valueOf) to replace the way things work because $sce delegates to $sceDelegate for these operations.

Refer $sceDelegateProvider to configure this service.

The default instance of $sceDelegate should work out of the box with little pain. While you can override it completely to change the behavior of $sce, the common case would involve configuring the $sceDelegateProvider instead by setting your own whitelists and blacklists for trusting URLs used for loading AngularJS resources such as templates. Refer $sceDelegateProvider.resourceUrlWhitelist and $sceDelegateProvider.resourceUrlBlacklist

Usage

$sceDelegate();

Methods

`trustAs(type, value);`

Returns a trusted representation of the parameter for the specified context. This trusted object will later on be used as-is, without any security check, by bindings or directives that require this security context. For instance, marking a string as trusted for the $sce.HTML context will entirely bypass the potential $sanitize call in corresponding $sce.HTML bindings or directives, such as ng-bind-html. Note that in most cases you won't need to call this function: if you have the sanitizer loaded, passing the value itself will render all the HTML that does not pose a security risk.

See getTrusted for the function that will consume those trusted values, and $sce for general documentation about strict contextual escaping.

Parameters

Param	Type	Details
type	string	The context in which this value is safe for use, e.g. `$sce.URL`, `$sce.RESOURCE_URL`, `$sce.HTML`, `$sce.JS` or `$sce.CSS`.
value	*	The value that should be considered trusted.

Returns

*	A trusted representation of value, that can be used in the given context.

`valueOf(value);`

If the passed parameter had been returned by a prior call to $sceDelegate.trustAs, returns the value that had been passed to $sceDelegate.trustAs.

If the passed parameter is not a value that had been returned by $sceDelegate.trustAs, it must be returned as-is.

Parameters

Param	Type	Details
value	*	The result of a prior `$sceDelegate.trustAs` call or anything else.

Returns

*	The `value` that was originally provided to `$sceDelegate.trustAs` if `value` is the result of such a call. Otherwise, returns `value` unchanged.

`getTrusted(type, maybeTrusted);`

Given an object and a security context in which to assign it, returns a value that's safe to use in this context, which was represented by the parameter. To do so, this function either unwraps the safe type it has been given (for instance, a $sceDelegate.trustAs result), or it might try to sanitize the value given, depending on the context and sanitizer availablility.

The contexts that can be sanitized are $sce.MEDIA_URL, $sce.URL and $sce.HTML. The first two are available by default, and the third one relies on the $sanitize service (which may be loaded through the ngSanitize module). Furthermore, for $sce.RESOURCE_URL context, a plain string may be accepted if the resource url policy defined by $sceDelegateProvider.resourceUrlWhitelist and $sceDelegateProvider.resourceUrlBlacklist accepts that resource.

This function will throw if the safe type isn't appropriate for this context, or if the value given cannot be accepted in the context (which might be caused by sanitization not being available, or the value not being recognized as safe).

Disabling auto-escaping is extremely dangerous, it usually creates a Cross Site Scripting (XSS) vulnerability in your application.

Parameters

Param	Type	Details
type	string	The context in which this value is to be used (such as `$sce.HTML`).
maybeTrusted	*	The result of a prior `$sceDelegate.trustAs` call, or anything else (which will not be considered trusted.)

Returns

*	A version of the value that's safe to use in the given context, or throws an exception if this is impossible.