From 85b910131625343bc1376eea50c6db3610f784c0 Mon Sep 17 00:00:00 2001 From: Liam DeBeasi Date: Mon, 27 Mar 2023 13:42:21 -0400 Subject: [PATCH 1/3] Update config.md --- docs/developing/config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/developing/config.md b/docs/developing/config.md index c9796a19bee..10ad73cec8d 100644 --- a/docs/developing/config.md +++ b/docs/developing/config.md @@ -117,7 +117,7 @@ Below are the config options that Ionic uses. | `backButtonDefaultHref` | `string` | Overrides the default value for the `defaultHref` property in all `` components. | | `backButtonIcon` | `string` | Overrides the default icon in all `` components. | | `backButtonText` | `string` | Overrides the default text in all `` components. | -| `innerHTMLTemplatesEnabled` | `boolean` | Relevant Components: `ion-alert`, `ion-infinite-scroll-content`, `ion-loading`, `ion-refresher-content`, `ion-toast`. If `false`, custom HTML passed to the relevant components will be parsed as a string instead of HTML. Defaults to `true`. | +| `innerHTMLTemplatesEnabled` | `boolean` | Relevant Components: `ion-alert`, `ion-infinite-scroll-content`, `ion-loading`, `ion-refresher-content`, `ion-toast`. If `true`, content passed to the relevant components will be parsed as HTML instead of plaintext. Defaults to `false`. | | `hardwareBackButton` | `boolean` | If `true`, Ionic will respond to the hardware back button in an Android device. | | `infiniteLoadingSpinner` | `SpinnerTypes` | Overrides the default spinner type in all `` components. | | `loadingEnter` | `AnimationBuilder` | Provides a custom enter animation for all `ion-loading`, overriding the default "animation". | From 998f1de3afa065aff8739b4661982edfd09d4daf Mon Sep 17 00:00:00 2001 From: Liam DeBeasi Date: Mon, 27 Mar 2023 13:45:38 -0400 Subject: [PATCH 2/3] Update security.md --- docs/techniques/security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/techniques/security.md b/docs/techniques/security.md index e500e83939f..29e429830ea 100644 --- a/docs/techniques/security.md +++ b/docs/techniques/security.md @@ -62,9 +62,9 @@ Vue does not provide any type of sanitizing methods built in. It is recommended To learn more about the security recommendations for binding to directives such as `v-html`, see the [Vue Syntax Guide](https://vuejs.org/v2/guide/syntax.html#Raw-HTML). -## Disabling Custom HTML Parsing via `innerHTML` +## Enabling Custom HTML Parsing via `innerHTML` -`ion-alert`, `ion-infinite-scroll-content`, `ion-loading`, `ion-refresher-content`, and `ion-toast` accept custom HTML as strings for certain properties. These strings are added to the DOM using `innerHTML` and must be properly sanitized by the developer. Developers can disable this functionality by setting `innerHTMLTemplatesEnabled: false` in the [IonicConfig](../developing/config#ionicconfig). When `innerHTMLTemplatesEnabled` is `false`, the values passed to the affected components will always be interpreted as strings. +`ion-alert`, `ion-infinite-scroll-content`, `ion-loading`, `ion-refresher-content`, and `ion-toast` can accept custom HTML as strings for certain properties. These strings are added to the DOM using `innerHTML` and must be properly sanitized by the developer. This behavior is disabled by default which means values passed to the affected components will always be interpreted as strings. Developers can enable this custom HTML behavior by setting `innerHTMLTemplatesEnabled: true` in the [IonicConfig](../developing/config#ionicconfig). ## Ejecting from the built-in sanitizer From 54d155c162a0ee3f7628256392d71b78859a3ebc Mon Sep 17 00:00:00 2001 From: Liam DeBeasi Date: Mon, 27 Mar 2023 13:46:45 -0400 Subject: [PATCH 3/3] Update security.md --- docs/techniques/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/techniques/security.md b/docs/techniques/security.md index 29e429830ea..4528b69ec18 100644 --- a/docs/techniques/security.md +++ b/docs/techniques/security.md @@ -64,7 +64,7 @@ To learn more about the security recommendations for binding to directives such ## Enabling Custom HTML Parsing via `innerHTML` -`ion-alert`, `ion-infinite-scroll-content`, `ion-loading`, `ion-refresher-content`, and `ion-toast` can accept custom HTML as strings for certain properties. These strings are added to the DOM using `innerHTML` and must be properly sanitized by the developer. This behavior is disabled by default which means values passed to the affected components will always be interpreted as strings. Developers can enable this custom HTML behavior by setting `innerHTMLTemplatesEnabled: true` in the [IonicConfig](../developing/config#ionicconfig). +`ion-alert`, `ion-infinite-scroll-content`, `ion-loading`, `ion-refresher-content`, and `ion-toast` can accept custom HTML as strings for certain properties. These strings are added to the DOM using `innerHTML` and must be properly sanitized by the developer. This behavior is disabled by default which means values passed to the affected components will always be interpreted as plaintext. Developers can enable this custom HTML behavior by setting `innerHTMLTemplatesEnabled: true` in the [IonicConfig](../developing/config#ionicconfig). ## Ejecting from the built-in sanitizer
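Review bot: In [PATCH 1/3], the `innerHTMLTemplatesEnabled` row of docs/developing/config.md changes "Defaults to `true`" to "Defaults to `false`" without telling the reader that this is a changed default or what enabling it obliges them to do. An app that passes markup to `ion-alert`, `ion-infinite-scroll-content`, `ion-loading`, `ion-refresher-content` or `ion-toast` will start rendering that markup as literal text once the default is `false`, so the row should say so, and it should link to the "Enabling Custom HTML Parsing via `innerHTML`" section of docs/techniques/security.md, since that section is the only place that says the content "must be properly sanitized by the developer". The subject "Update config.md" also hides a security-relevant default flip; a subject naming `innerHTMLTemplatesEnabled` would make the change findable in history.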
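Review bot: In [PATCH 2/3], the added paragraph in docs/techniques/security.md says disabled values "will always be interpreted as strings", which contradicts its own first sentence: the components "accept custom HTML as strings", so "strings" does not distinguish the safe case from the unsafe one. The config.md row in 1/3 already uses "plaintext"; use the same word here rather than correcting it in a follow-up commit. The heading rename from "Disabling Custom HTML Parsing via `innerHTML`" to "Enabling Custom HTML Parsing via `innerHTML`" also changes the text that any heading anchor is derived from, so check the docs for links that point at the old section name.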
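Review bot: In [PATCH 3/3], the reworded paragraph still states the sanitization duty ("must be properly sanitized by the developer") before it says the behavior is off by default, so a reader who stops after two sentences concludes that `innerHTML` is always in use. Reorder it: first that values are treated as plaintext by default, then that `innerHTMLTemplatesEnabled: true` opts in, then that once enabled the strings are added to the DOM using `innerHTML` and must be sanitized. "disabled by default which means" needs a comma before "which". This commit only replaces "strings" with "plaintext" on the line that 2/3 added, under the same subject "Update security.md"; squash it into 2/3.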