The only way I’m aware of that Ionic apps will attempt to display user-generated HTML is if you bind innerHTML. So if you’re doing that, don’t do that. If this HTML is being submitted to an external website, then I would consider it the responsibility of the backend. It doesn’t make any sense to me to create an honor system for front-ends to protect a vulnerable backend, because blackhats don’t obey honor systems.
Thank for explaining, I did the workaround , I replace if user type some special characters like #, @, %, ^ , {, } , !, ; , <, > in message text so I replace this with white space so basically this will disable scripting and display as simple string. because my team leader said we need to use innerHTML for breakline message .