From 6a663a407379edd61fe3ed362d5f4f8a32d7c04e Mon Sep 17 00:00:00 2001
From: Vikram Subramanian
Date: Wed, 30 May 2018 21:34:09 -0700
Subject: [PATCH] fix(platform-server): don't reflect innerHTML property to attibute (#24213)

Fixes #19278.

innerHTML is conservatively marked as an attribute for security purpose so that it's sanitized when set. However this same mapping is used by the server renderer to decide whether the `innerHTML` property needs to be reflected to the `innerhtml` attribute.

The fix is to just skip the property to attribute reflection for `innerHTML`.

PR Close #24213
---
 packages/platform-server/src/server_renderer.ts | 4 +++-
 packages/platform-server/test/integration_spec.ts | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/packages/platform-server/src/server_renderer.ts b/packages/platform-server/src/server_renderer.ts
index 6b8d1dfc34..9cd29cfa6a 100644
--- a/packages/platform-server/src/server_renderer.ts
+++ b/packages/platform-server/src/server_renderer.ts
@@ -154,9 +154,11 @@ class DefaultServerRenderer2 implements Renderer2 {
 checkNoSyntheticProp(name, 'property');
 getDOM().setProperty(el, name, value);
 // Mirror property values for known HTML element properties in the attributes.
+ // Skip `innerhtml` which is conservatively marked as an attribute for security
+ // purposes but is not actually an attribute.
 const tagName = (el.tagName as string).toLowerCase();
 if (value != null && (typeof value === 'number' || typeof value == 'string') &&
- this.schema.hasElement(tagName, EMPTY_ARRAY) &&
+ name.toLowerCase() !== 'innerhtml' && this.schema.hasElement(tagName, EMPTY_ARRAY) &&
 this.schema.hasProperty(tagName, name, EMPTY_ARRAY) &&
 this._isSafeToReflectProperty(tagName, name)) {
 this.setAttribute(el, name, value.toString());
diff --git a/packages/platform-server/test/integration_spec.ts b/packages/platform-server/test/integration_spec.ts
index 435f2a5765..11c836bfe3 100644
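Review bot: The exclusion added on the `+ name.toLowerCase() !== 'innerhtml'` line hard-codes a single lowercase name in the middle of an already long condition, and the new comment two lines above it calls the skipped property `innerhtml` although what this branch receives is the `innerHTML` property (the lowercase form is the attribute that would otherwise have been emitted into the serialized markup). I would hoist the names that must never be reflected into a named module-level constant so the condition reads as intent and any further schema entries that turn out to be security-only markers rather than real attributes (`outerHTML` looks like a candidate, but confirm against the schema registry) become a one-line addition: `const NON_REFLECTED_PROPERTIES = new Set(['innerhtml']);` at module scope and `!NON_REFLECTED_PROPERTIES.has(name.toLowerCase()) && this.schema.hasElement(tagName, EMPTY_ARRAY) &&` in the condition. The comment would then read `// Skip properties such as \`innerHTML\` that the schema lists as attributes only so their values get sanitized; they are not real attributes and must not be reflected into the rendered HTML.` The enclosing `setProperty` method starts before the hunk and its closing lines are outside it.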
--- a/packages/platform-server/test/integration_spec.ts
+++ b/packages/platform-server/test/integration_spec.ts
@@ -587,7 +587,7 @@ class EscapedTransferStoreModule {
 renderModule(HTMLTypesModule, {document: doc}).then(output => { expect(output).toBe( '' + - '
foo bar
'); + '
foo bar
'); called = true; }); }));