HTML Injection in ion-input

Hello all, I am developing a demo app where a user can create a post by providing the following inputs (ion-input type="text").

While testing, some users will type some HTML scripting, and you can see the result in the attached image.

So my question is: how can we prevent this type of input in Ionic?

The only way I’m aware of that Ionic apps will attempt to display user-generated HTML is if you bind innerHTML. So if you’re doing that, don’t do that. If this HTML is being submitted to an external website, then I would consider it the responsibility of the backend. It doesn’t make any sense to me to create an honor system for front-ends to protect a vulnerable backend, because blackhats don’t obey honor systems.

Thanks for explaining. I did a workaround: if the user types special characters like #, @, %, ^, {, }, !, ;, <, > in the message text, I replace them with white space, so basically this will disable scripting and display it as a simple string, because my team leader said we need to use innerHTML for message line breaks.

I don’t agree with that, if I understand correctly. The CSS white-space property exists, and does not require innerHTML to use.
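The approach from the last reply, as an added example that is not part of the original thread: the post is rendered as a text node with the CSS `white-space` property set, so line breaks survive without `innerHTML`, and it is contrasted with the character-stripping workaround described above. The function names, the regular expression and the sample message are assumptions constructed for illustration.

```javascript
// Constructed sample: a legitimate multi-line post that happens to contain
// markup-like text and several of the characters the workaround strips.
const SAMPLE_POST = 'Weekend sale!\n<b>50% off</b> @ noon; use code #SAVE';

// The workaround from the thread (hypothetical implementation): replace the
// listed special characters with spaces before binding to innerHTML.
// It alters ordinary messages, and the element is still parsed as HTML.
function stripSpecials(text) {
  return text.replace(/[#@%^{}!;<>]/g, ' ');
}

// Alternative: never parse user text as HTML.
// `doc` is the page's Document (pass `document` in the browser or WebView).
function renderPost(doc, container, text) {
  const p = doc.createElement('p');
  // textContent stores the string as a single text node, so "<", ">" and
  // "&" are displayed literally and nothing is interpreted as markup.
  p.textContent = text;
  // pre-line keeps the newlines the user typed and collapses other runs
  // of whitespace, which is what innerHTML plus <br> was being used for.
  p.style.whiteSpace = 'pre-line';
  container.appendChild(p);
  return p;
}

// Runs only where a DOM exists; under Node the functions are just defined.
if (typeof document !== 'undefined') {
  renderPost(document, document.body, SAMPLE_POST);
}
```

In an Angular template the same effect comes from `{{ message }}` interpolation on an element styled with `white-space: pre-line`.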