WP-JSON APIs return documents which are already HTML-encoded. Angular auto-escapes all rendered content, so anything that we are rendering is HTML-encoded again.
This &raquo; that becomes This &raquo; that
Attached screenshot: Screenshot_2018-03-05-18-33-00-472_com.fedoraqa.fedora.png
I guess maybe we can use the ng-bind-html directive to fix this.
What do you think? Any other elegant solutions? @amitosh @a2batic
@thelittlewonder, it's Angular 5; ng-bind-html does not exist here. The equivalent is binding the property to innerHtml.
Transcluding remote (and possibly untrusted) HTML into an app is a very bad idea. We can argue that Fedora mags are trusted, but if, for some reason, they get compromised, the malware can also inject code directly into the Fedora App. Being a Cordova app, the implications of an XSS-style attack are very severe. We must always attempt to generate the HTML in the client itself.
I'm not a WordPress guy, so my understanding of their API is limited. Fedora mags appear to return HTML in JSON.
We need to find a different alternative.
Angular has a DomSanitizer module that works reasonably well, you can play with it and try fixing this.
@thelittlewonder @amitosh, I think it's fine to use innerHTML as Angular takes care of XSS attacks as per the documentation [1].
But we can use DomSanitizer as well, if it is not tedious to add.
[1] https://angular.io/guide/security#sanitization-example
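The double-encoding from the opening post, reproduced as an added example in plain Node.js (this is not code from the Fedora App project, nor Angular's implementation). The WP-JSON payload is constructed, `escapeForInterpolation` is an assumed stand-in for what Angular's `{{ }}` interpolation does to a value (escape it as text), and `decodeEntities` carries only a partial entity table. It shows the problem for plain-text fields such as `title.rendered`: escaping the field a second time turns `&raquo;` into a literal `&raquo;`, while decoding the entities first and then letting the template escape the result gives the right characters and still keeps any markup in the field inert. The post body, which really is HTML, is the case the thread settles with `[innerHTML]` and Angular's built-in sanitization; that is not reproduced here.

```javascript
// Added example, not project code. Demonstrates why a WP-JSON "rendered" field
// shows doubled entities when passed through template interpolation, and the
// decode-then-escape approach for fields that are meant to be plain text.

// Partial table of named entities (assumption: enough for typical post titles).
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
  raquo: '\u00bb', laquo: '\u00ab', hellip: '\u2026', rsquo: '\u2019',
  lsquo: '\u2018', ldquo: '\u201c', rdquo: '\u201d', ndash: '\u2013', mdash: '\u2014',
};

// Decode named and numeric (&#8217; / &#x3C;) entities into plain text in a
// single pass. Unknown entities are left untouched, and the output is never
// fed back in, so "&amp;lt;" becomes "&lt;" rather than "<".
function decodeEntities(html) {
  return html.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const named = NAMED_ENTITIES[body];
    return named === undefined ? match : named;
  });
}

// Assumed model of template text interpolation: the value is treated as text
// and the characters significant to HTML are escaped.
function escapeForInterpolation(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample resembling one object from /wp-json/wp/v2/posts. The
// "rendered" field is HTML, and here it also carries an (encoded) script tag
// to show that the decoded path stays inert.
const samplePost = {
  title: { rendered: 'Fedora 28 &raquo; what&#8217;s new &lt;script&gt;alert(1)&lt;/script&gt;' },
};

// Rendering the raw field through interpolation escapes the existing entities
// again, which is the "This &raquo; that" bug from the issue.
function renderTitleNaively(post) {
  return escapeForInterpolation(post.title.rendered);
}

// Decode first, then let the template escape: the entities come out as the
// intended characters, and any markup inside the field is still shown as text.
function renderTitleDecoded(post) {
  return escapeForInterpolation(decodeEntities(post.title.rendered));
}

// Usage: compare the two renderings of the constructed post.
console.log('naive:  ', renderTitleNaively(samplePost));
console.log('decoded:', renderTitleDecoded(samplePost));
```

The decoder is deliberately single-pass: decoding recursively would turn an attacker-controlled `&amp;lt;script&amp;gt;` into live markup if the result were ever bound to innerHTML. For the post body, which is real HTML, decoding is the wrong tool; that is where `[innerHTML]` with Angular's sanitizer applies.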
@a2batic Missed it in the docs.
innerHTML will just be fine.
Metadata Update from @a2batic: - Issue tagged with: UI, easy-fix
@a2batic I'm interested to take this up, in case this is not assigned to anyone
@manaswinidas Sorry, I'm working on this.
@thelittlewonder Sorry I hadn't seen your message.
Metadata Update from @a2batic: - Issue assigned to manaswinidas
Closing wrt PR#14
Metadata Update from @a2batic: - Issue status updated to: Closed (was: Open)