feat: sanitizer bypass method
Feature Request
Ionic version:
[x] 4.x
Describe the Feature Request
We recently introduced a basic sanitizer which should help Ionic users avoid unintentional XSS vulnerabilities in their applications. Similar to Angular’s sanitizer, there exists methods to bypass the sanitize method if a user wants to do something particularly complex that the sanitizer would typically not allow.
Because our sanitizer does not allow every possible combination of markup + styling, it would be good to give users the option to bypass the sanitizer in the event that a) they are certain there are no XSS vulnerabilities (or at least, they know they are responsible for ensuring their code is safe) and b) want to do something complex that the sanitizer can’t reliably make sanitary.
Describe Preferred Solution
I would expect the sanitizer to be bypassed if it received an IonicSafeCode as input. Here is how it would look for ion-alert:
const alert = await alertController.create({
  header: 'Alert',
  subHeader: 'Subtitle',
  // Wrapped markup is passed through the sanitizer untouched
  message: new IonicSafeCode('<a href="https://ionicframework.com" target="_blank">Hello World!</a>'),
  buttons: ['Cancel', 'Open Modal', 'Delete']
});
Then the sanitizer method would need to check to see if the content it is receiving is of type IonicSafeCode and allow it to pass through.
(I’m open to other class names. IonicSafeCode was the first one that came to mind.)
Additional Context
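As an added illustration (not code from this issue or from Ionic itself), here is how the instance check proposed above could sit in front of a sanitizer. IonicSafeCode is a stand-in for the proposed class, sanitizeHtml and sanitizeForDisplay are hypothetical names, the allowlist sanitizer is a deliberately small regex-based toy that only exists to show the pass-through check (a real sanitizer parses the markup into a DOM), and the inputs at the bottom are constructed for the demo.

```javascript
// Added example: a typed bypass wrapper in front of a minimal allowlist sanitizer.
// IonicSafeCode is a hypothetical stand-in for the class proposed in the issue;
// sanitizeHtml is a toy sanitizer, not Ionic's own implementation.
class IonicSafeCode {
  constructor(html) {
    this.html = String(html);
    // Freeze so the wrapped markup cannot be swapped after the trust decision.
    Object.freeze(this);
  }
  toString() { return this.html; }
}

const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'span']);
const ALLOWED_ATTRS = new Set(['href', 'target', 'class']);
// Only http(s), mailto, fragment and relative URLs survive in href; javascript:/data: are dropped.
const SAFE_URL = /^(?:https?:|mailto:|\/|#|[a-z0-9_-]+(?:\/|$))/i;

function sanitizeAttributes(attrString) {
  const out = [];
  // Matches name="value", name='value', name=value, or a bare name.
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!ALLOWED_ATTRS.has(name)) continue;                        // drops on*, style, srcdoc, ...
    if (name === 'href' && !SAFE_URL.test(value.trim())) continue; // drops javascript: URLs
    out.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return out.length ? ' ' + out.join(' ') : '';
}

function sanitizeHtml(html) {
  // Toy sanitizer: keeps allowlisted tags and attributes, drops every other tag.
  // Text inside a dropped tag (e.g. a script body) is left behind as inert text.
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (tag, name, attrs) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return '';
    if (tag.startsWith('</')) return `</${lower}>`;
    return `<${lower}${sanitizeAttributes(attrs)}>`;
  });
}

// The check proposed in the issue: only a genuine IonicSafeCode instance bypasses
// sanitizing. Plain strings and look-alike objects always go through sanitizeHtml.
function sanitizeForDisplay(content) {
  if (content instanceof IonicSafeCode) return content.html;
  return sanitizeHtml(String(content));
}

// Constructed demo inputs.
console.log(sanitizeForDisplay('<a href="https://ionicframework.com" target="_blank" onclick="steal()">Hi</a>'));
console.log(sanitizeForDisplay('<a href="javascript:alert(1)">x</a>'));
console.log(sanitizeForDisplay('<script>alert(1)</script><b>ok</b>'));
console.log(sanitizeForDisplay(new IonicSafeCode('<iframe src="https://example.invalid"></iframe>')));
console.log(sanitizeForDisplay({ html: '<script>alert(1)</script>' })); // not an instance: sanitized
```

Keying the bypass to a class instance rather than to a flag on a plain object matters: anything deserialized from JSON or built from user input can never satisfy the instanceof check, so the only way untrusted markup reaches the DOM unsanitized is an explicit new IonicSafeCode(...) call, which also gives reviewers a single string to grep for when auditing an application.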
- Created 4 years ago
- Comments: 6 (3 by maintainers)
this.domSanitizer.bypassSecurityTrustHtml is something that is Angular-specific and will not work with other frameworks. There is likely some research to be done into how IonicSafeCode will interact with Angular’s own sanitizer.

Regarding the icons in header, this discussion is best suited for a separate issue. There is already an issue open for HTML content with toasts: https://github.com/ionic-team/ionic/issues/18204
Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Ionic, please create a new issue and ensure the template is fully filled out.