lentschi / ngx-ellipsis

Multiline text with ellipsis for angular 9+
MIT License

Html elements are not escaped/sanitized #10

Closed joaoportela closed 6 years ago

joaoportela commented 6 years ago

Your documentation says that only text is supported, no html elements. But if the text that I'm setting has html elements they're parsed as html instead of being escaped.

It happens both when doing <span ellipsis>{{project.title}}</span> and when doing <span ellipsis [ellipsis-content]="project.title"></span>.

Was this intentional?

If you're willing to hint at what could be wrong, I could do a pull request.

joaoportela commented 6 years ago

For whoever may be looking for a workaround. I'm manually escaping the html by using this function:

escapeHtml(unsafe: string): string {
  // if `unsafe` is null or undefined, do nothing.
  return unsafe == null
        ? unsafe
        : unsafe.replace(/&/g, '&amp;')
               .replace(/</g, '&lt;')
               .replace(/>/g, '&gt;')
               .replace(/"/g, '&quot;')
               .replace(/'/g, '&#039;');
}

Like this:

<span ellipsis [ellipsis-content]="escapeHtml(project.title)"></span>
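As an added example (not from the issue's author or from ngx-ellipsis), the code below reproduces the escaping workaround, adds a minimal entity decoder standing in for what the browser does when a directive writes the string into innerHTML, and shows why `&` has to be replaced before the other characters. The sample titles are constructed.

```typescript
// Added example (not from the ngx-ellipsis project): escaping for a sink
// that interprets its input as HTML, e.g. a directive assigning innerHTML.
const ENTITIES: ReadonlyArray<[RegExp, string]> = [
  [/&/g, '&amp;'],   // must come first, or the entities below get re-escaped
  [/</g, '&lt;'],
  [/>/g, '&gt;'],
  [/"/g, '&quot;'],
  [/'/g, '&#039;'],
];

function escapeHtml(unsafe: string | null | undefined): string | null | undefined {
  if (unsafe == null) return unsafe;
  return ENTITIES.reduce((acc, [re, rep]) => acc.replace(re, rep), unsafe);
}

// Same replacements with `&` handled last: `<` becomes `&lt;`, which is then
// re-escaped to `&amp;lt;`, so the browser shows the literal text "&lt;".
function escapeHtmlWrongOrder(unsafe: string): string {
  const wrongOrder = [...ENTITIES.slice(1), ENTITIES[0]];
  return wrongOrder.reduce((acc, [re, rep]) => acc.replace(re, rep), unsafe);
}

// Minimal stand-in for the browser's single-pass entity decoding when the
// escaped string is parsed as HTML. Only the five entities above are known.
function decodeEntities(html: string): string {
  const table: Record<string, string> = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" };
  return html.replace(/&(amp|lt|gt|quot|#039);/g, (_, name: string) => table[name]);
}

// True when the escaped string contains no character that can open a tag
// or close an attribute value, i.e. it can only render as plain text.
function isInert(escaped: string): boolean {
  return !/[<>"']/.test(escaped);
}

// Constructed sample titles, including one that already contains an entity.
const SAMPLE_TITLES: string[] = [
  'Q3 <b>roadmap</b> & budget',
  'Tom "Tommy" O\'Neil',
  'already escaped: &lt;i&gt;',
];
```

Round-tripping each sample through escapeHtml and decodeEntities gives the original title back, while the wrong-order variant decodes to `&lt;b&gt;` instead of `<b>`.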

lentschi commented 6 years ago

@joaoportela You're right! I fixed it in 2.0.0. Note, however, that <span ellipsis>{{project.title}}</span> still isn't supported (altering project.title will not have the intended effect).