HTML Injection is possible if users of this library make [data] use user-supplied text
Expected result
A developer using this library is likely to assume that a name like "<i>italic</i>" would appear exactly as is.
Actual result
Today, a name like "<i>italic</i>" will be rendered as HTML.
Steps to reproduce
Add a name with HTML in the data.
https://stackblitz.com/edit/angular-ng-autocomplete-with-images-yowqbm?file=src%2Fapp%2Fapp.component.ts
Context
It is not clear from the documentation that HTML will be passed to the template (yes, I realize innerHTML should be a large hint, but I saw it missed). Can the example in the README be updated to note that user-generated text needs to be escaped?
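The fix the report asks for is on the application side: escape user-supplied names before they reach a template that binds them with innerHTML, so that a value like `<i>italic</i>` is shown literally instead of being parsed as markup. The following is an added example written for this page; it is not code from the angular-ng-autocomplete library or from the issue reporter. The `AutocompleteItem` shape, the helper names and the sample data are assumptions. `toSafeData` is meant to run once at the boundary where user-controlled text enters the component, and `looksLikeMarkup` is a cheap signal for logging when a user-controlled field carries tags, which is useful when auditing which inputs reach an innerHTML binding.

```typescript
// Added example, not part of the library or the issue: escape user-supplied
// text before it is handed to a template that binds it via innerHTML.
// The item shape, helper names and sample data below are assumptions.

const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that has meaning in HTML text or attribute context.
// After escaping, a browser parsing the string as innerHTML produces only a
// text node, so "<i>italic</i>" is displayed exactly as typed.
function escapeForInnerHtml(text: string): string {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// True when a value looks like it contains an HTML tag. A plain "<" followed
// by a space (e.g. "a < b") is not treated as markup.
function looksLikeMarkup(text: string): boolean {
  return /<\/?[a-z][^>]*>/i.test(text);
}

interface AutocompleteItem {
  id: number;
  name: string;
}

// Escape the whole data array once, at the boundary where user-supplied names
// enter the component, so the template can keep its existing innerHTML usage.
function toSafeData(items: AutocompleteItem[]): AutocompleteItem[] {
  return items.map((item) => ({ ...item, name: escapeForInnerHtml(item.name) }));
}

// Constructed sample data: one benign name and one that carries markup,
// mirroring the "<i>italic</i>" case from the report.
const SAMPLE_DATA: AutocompleteItem[] = [
  { id: 1, name: 'Alice' },
  { id: 2, name: '<i>italic</i>' },
];

// Stand-alone demonstration: report which raw names carried markup, then
// show the escaped values that are safe to bind.
for (const item of SAMPLE_DATA) {
  if (looksLikeMarkup(item.name)) {
    console.log(`item ${item.id}: user-supplied name contains markup`);
  }
}
for (const item of toSafeData(SAMPLE_DATA)) {
  console.log(item.id, item.name);
}
```

Escaping at the data boundary is deliberate: it keeps the library's template unchanged and makes the safe form the only form the component ever sees, rather than relying on every call site to remember the rule.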