#9 Do not re-encode titles for Fedora Mag
Closed 6 years ago Opened 6 years ago by amitosh.

WP-JSON APIs return document which is already html-encoded. Angular auto-escapes all rendered content, so anything that we are rendering is again html-encoded.

This &raquo; that becomes This &raquo; that

Attached screenshot:
Screenshot_2018-03-05-18-33-00-472_com.fedoraqa.fedora.png


I guess maybe we can use the ng-bind-html directive to fix this.

What do you think? Any other elegant solutions? @amitosh @a2batic

@thelittlewonder, it's Angular 5; ng-bind-html does not exist here. The equivalent is binding the property to innerHTML.

Transcluding remote (and possibly untrusted) HTML into an app is a very bad idea. We can argue Fedora Mag is trusted, but if, for some reason, it gets compromised, the malware can also inject code directly into the Fedora App. Being a Cordova app, the implications of an XSS-style attack are very severe. We must always attempt to generate the HTML in the client itself.

I'm not a WordPress guy, so my understanding of their API is limited. Fedora Mag appears to return HTML in JSON.

We need to find a different alternative.

Angular has a DomSanitizer module that works reasonably well, you can play with it and try fixing this.
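One way to do what the previous comment suggests (produce the text in the client instead of binding remote HTML), added here as an example and not the Fedora App's own code: decode the entities in the WP-JSON `title.rendered` string into plain text and bind that with interpolation (`{{ title }}`), so Angular's auto-escaping stays in the path and `[innerHTML]` is never used for remote content. The entity table, the `titleToText` name and the sample response are assumptions.

```typescript
// Added example (not from the Fedora App project): turn the entity-encoded
// `title.rendered` value from the WP-JSON API into plain text. The result is
// meant for interpolation ({{ title }}), never for [innerHTML], so Angular
// still escapes it and no remote markup reaches the DOM.

// Named entities that commonly appear in WordPress titles (assumed subset).
const NAMED_ENTITIES: Record<string, string> = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0",
  raquo: "\u00bb", laquo: "\u00ab", hellip: "\u2026", ndash: "\u2013", mdash: "\u2014",
};

// Decode exactly one level of entities: &raquo; &#8217; &#x2019; -> characters.
// A single pass means "&amp;lt;" becomes "&lt;" and is not decoded again.
// Unknown names and out-of-range code points are left untouched, not guessed.
function decodeEntities(input: string): string {
  return input.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+[0-9]*);/gi, (match, body: string) => {
    if (body[0] === "#") {
      const isHex = body[1] === "x" || body[1] === "X";
      const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      return Number.isNaN(code) || code > 0x10ffff ? match : String.fromCodePoint(code);
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Strip any tags WordPress left in the title (e.g. <em>), then decode entities.
// Tags are removed before decoding so that entity-encoded "<" in the text is
// not mistaken for markup; it survives as literal text, which {{ }} escapes.
function titleToText(rendered: string): string {
  return decodeEntities(rendered.replace(/<[^>]*>/g, ""));
}

// Constructed sample, shaped like the `title` object of a WP-JSON post.
const sampleTitle = { rendered: "This &raquo; that &#8217;s <em>fine</em> &amp;lt;b&amp;gt;" };

// In a component this value would be assigned to a field bound as {{ title }}.
const titleText = titleToText(sampleTitle.rendered);
console.log(titleText); // This » that ’s fine &lt;b&gt;
```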

@thelittlewonder @amitosh, I think it's fine to use innerHTML as Angular takes care of XSS attacks as per the documentation [1].

But we can use DomSanitizer as well, if it is not tedious to add.

[1] https://angular.io/guide/security#sanitization-example

@a2batic Missed it in the docs.

innerHTML will just be fine.

Metadata Update from @a2batic:
- Issue tagged with: UI, easy-fix

6 years ago

@a2batic I'm interested in taking this up, in case this is not assigned to anyone.

Metadata Update from @a2batic:
- Issue assigned to manaswinidas

6 years ago

Metadata Update from @a2batic:
- Issue status updated to: Closed (was: Open)

6 years ago
