fix(platform-server): don't reflect innerHTML property to attibute (#24213)

Fixes #19278.

innerHTML is conservatively marked as an attribute for security purpose so that it's sanitized when set. However this same mapping is used by the server renderer to decide whether the `innerHTML` property needs to be reflected to the `innerhtml` attribute. The fix is to just skip the property to attribute reflection for `innerHTML`.

PR Close #24213

packages/platform-server/src/server_renderer.ts

@@ -154,9 +154,11 @@ class DefaultServerRenderer2 implements Renderer2 {
     checkNoSyntheticProp(name, 'property');
     getDOM().setProperty(el, name, value);
     // Mirror property values for known HTML element properties in the attributes.
+    // Skip `innerhtml` which is conservatively marked as an attribute for security
+    // purposes but is not actually an attribute.
     const tagName = (el.tagName as string).toLowerCase();
     if (value != null && (typeof value === 'number' || typeof value == 'string') &&
-        this.schema.hasElement(tagName, EMPTY_ARRAY) &&
+        name.toLowerCase() !== 'innerhtml' && this.schema.hasElement(tagName, EMPTY_ARRAY) &&
         this.schema.hasProperty(tagName, name, EMPTY_ARRAY) &&
         this._isSafeToReflectProperty(tagName, name)) {
       this.setAttribute(el, name, value.toString());

packages/platform-server/test/integration_spec.ts

@@ -587,7 +587,7 @@ class EscapedTransferStoreModule {
            renderModule(HTMLTypesModule, {document: doc}).then(output => {
              expect(output).toBe(
                  '<html><head></head><body><app ng-version="0.0.0-PLACEHOLDER">' +
-                 '<div innerhtml="<b>foo</b> bar"><b>foo</b> bar</div></app></body></html>');
+                 '<div><b>foo</b> bar</div></app></body></html>');
              called = true;
            });
          }));