| Mar | APR | May |
| 16 | ||
| 2021 | 2022 | 2023 |
COLLECTED BY
Collection: Save Page Now Outlinks
GuideComponentsCLINativeIonic v6.0.0 Upgrade Guide
v6
●v6
●v5
●v4
●v3
Community
●Community Hub
●Forum
●Meetups
●Blog
●Twitter
Support
●Help Center
●Customer Support
●Enterprise Advisory
English
●English
●日本語
●Translate
🌜
🌞
●Getting Started
●Overview
●Upgrading to Ionic 6
●Environment Setup
●CLI Installation
●Packages & CDN
●Ionic VS Code Extension
●Next Steps
●Developing
●Starting
●Previewing
●Scaffolding
●Developing for iOS
●Developing for Android
●Development Tips
●Hardware Back Button
●Keyboard
●Layout
●Structure
●Responsive Grid
●Global Stylesheets
●CSS Utilities
●Theming
●Basics
●Platform Styles
●CSS Variables
●CSS Shadow Parts
●Colors
●Themes
●Dark Mode
●Advanced
●Color Generator
●Angular
●Overview
●Build Your First App
●Lifecycle
●Navigation/Routing
●Virtual Scroll
●Slides
●Config
●Platform
●Testing
●Storage
●Performance
●Progressive Web Apps
●React
●Overview
●Quickstart
●Build Your First App
●Lifecycle
●Navigation/Routing
●Virtual Scroll
●Slides
●Config
●Platform
●Progressive Web Apps
●Overlays
●Storage
●Testing
●Performance
●Vue
●Overview
●Quickstart
●Build Your First App
●Lifecycle
●Navigation/Routing
●Virtual Scroll
●Slides
●Utility Functions
●Config
●Platform
●Progressive Web Apps
●Storage
●Testing
●Troubleshooting
●Performance
●Utilities
●Animations
●Gestures
●Deployment
●iOS App Store
●Android Play Store
●Progressive Web App (PWA)
●Electron Desktop App
●Techniques
●Security
●Troubleshooting
●Debugging
●Build Errors
●Runtime Issues
●Native Errors
●CORS Errors
●Core Concepts
●Fundamentals
●Cross Platform
●Web View
●What are PWAs?
●Contributing
●How to Contribute
●Code of Conduct
●Reference
●Glossary
●Versioning
●Release Notes
●GitHub Changelog
●Support Policy
●Browser Support
●Migration
GuideComponentsCLINativeIonic v6.0.0 Upgrade Guide
v6
●v6
●v5
●v4
●v3
Community
●Community Hub
●Forum
●Meetups
●Blog
●Twitter
Support
●Help Center
●Customer Support
●Enterprise Advisory
English
●English
●日本語
●Translate
🌜
🌞
ion-alert developers can allow for custom or user-provided content. This content can be plain text or HTML and should be considered untrusted. As with any untrusted input, it is important to sanitize it before doing anything else with it. In particular, using things like innerHTML without sanitization provides an attack vector for bad actors to input malicious content and potentially launch a Cross Site Scripting attack (XSS).
Ionic comes built in with basic sanitization methods for the components it provides, but for user-created components it is up to the developer to make sure all data is sanitized. Different frameworks have different solutions for sanitizing user input, so developers should familiarize themselves with what their specific framework offers.
For developers who are not using a framework, or for developers whose framework does not provide the sanitization methods they need, we recommend using sanitize-html. This package provides a simple HTML sanitizer that allows the developer to specify the exact tags and attributes that they want to allow in their application.
DomSanitizer class. This helps prevent XSS issues by ensuring that values are safe to be used in the DOM. By default, Angular will mark any values it deems unsafe. For example, the following link would be marked as unsafe by Angular because it would attempt to execute some JavaScript.
public myUrl: string = 'javascript:alert("oh no!")';
...
<a[href]="myUrl">Click Me!</a>
name is converted to a string before being rendered:
const name = values.name;
const element = <h1>Hello, {name}!</h1>;
href attribute of an anchor element. The following is unsafe and can potentially allow an XSS attack to occur:
const userInput = 'javascript:alert("Oh no!")';
const element = <a href={userInput}>Click Me!</a>;
v-html, see the Vue Syntax Guide.
ion-toast, they will need to eject from the sanitizer that is built into Ionic Framework. Developers can either disable the sanitizer across their entire app or bypass it on a case-by-case basis.
sanitizerEnabled that is set to true by default. Set this value to false to globally disable Ionic Framework's built in sanitizer. Please note that this does not disable any sanitizing functionality provided by other frameworks such as Angular.
IonicSafeString class that allows developers to do just that.
import { IonicSafeString, ToastController } from '@ionic/angular';
...
constructor(private toastController: ToastController) {}
async presentToast() {
const toast = await this.toastController.create({
message: new IonicSafeString('<ion-button>Hello!</ion-button>'),
duration: 2000
});
toast.present();
}
import { IonicSafeString } from '@ionic/core';
...
const async presentToast = () => {
const toast = document.createElement('ion-toast');
toast.message = new IonicSafeString('<ion-button>Hello!</ion-button>');
toast.duration = 2000;
document.body.appendChild(toast);
return toast.present();
}
import React, { useState } from 'react';
import { Animation, IonButton, IonContent, IonicSafeString, IonToast } from '@ionic/react';
export const ToastExample: React.FC = () => {
const [showToast, setShowToast] = useState(false);
return (
<IonContent>
<IonButton onClick={() => setShowToast(true)} expand="block">Show Toast</IonButton>
<IonToast
isOpen={showToast}
onDidDismiss={() => setShowToast(false)}
message={new IonicSafeString('<ion-button>Hello!</ion-button>')}
duration={2000}
/>
</IonContent>
)
};