bug(icon): validation method does not properly check attributes starting with 'on'

Prerequisites

• I have read the Contributing Guidelines.
• I agree to follow the Code of Conduct.
• I have searched for existing issues that already report this problem, without success.

Ionic Framework Version

• v4.x
• v5.x
• v6.x
• Nightly

Current Behavior

I found a bug related to the icon sanitize method that could affect the security of the component.

Basically, in the isValid method, where you should check that no attribute starts with on, what actually happens is that the value is checked and not the name of the attribute itself. In this way, as shown below, you could render an icon that on click triggers a function:

I would also suggest, as you can see from the image above, to add two new icons to show in the “Sanitized (shouldn’t show)” and “Not Sanitized (should show)” sections (e.g. sanitize-attr.svg and no-sanitize-attr.svg).

Expected Behavior

The validation method should properly check attributes starting with ‘on’ on the icons.

Steps to Reproduce

Add to an svg any attribute starting with ‘on’ (e.g. ‘onclick’).

Code Reproduction URL

No response

Ionic Info

Ionic:

Ionic CLI : 6.20.1

Utility:

cordova-res : not installed globally native-run : not installed globally

System:

NodeJS : v18.7.0 npm : 8.15.0 OS : macOS Monterey

Additional Information

I’ve already opened an issue in the ion-icon repo: https://github.com/ionic-team/ionicons/issues/1088. There is also a PR to fix the problem: https://github.com/ionic-team/ionicons/pull/1087.