fix(platform-server): don't reflect innerHTML property to attibute (#24213)

Fixes #19278. innerHTML is conservatively marked as an attribute for security purpose so that it's sanitized when set. However this same mapping is used by the server renderer to decide whether the `innerHTML` property needs to be reflected to the `innerhtml` attribute. The fix is to just skip the property to attribute reflection for `innerHTML`. PR Close #24213
2018-05-30 21:34:09 -07:00
parent ec57133b61
commit 6a663a4073
2 changed files with 4 additions and 2 deletions
--- a/packages/platform-server/src/server_renderer.ts
+++ b/packages/platform-server/src/server_renderer.ts
@ -154,9 +154,11 @@ class DefaultServerRenderer2 implements Renderer2 {
    checkNoSyntheticProp(name, 'property');
    getDOM().setProperty(el, name, value);
    // Mirror property values for known HTML element properties in the attributes.
+    // Skip `innerhtml` which is conservatively marked as an attribute for security
+    // purposes but is not actually an attribute.
    const tagName = (el.tagName as string).toLowerCase();
    if (value != null && (typeof value === 'number' || typeof value == 'string') &&
-        this.schema.hasElement(tagName, EMPTY_ARRAY) &&
+        name.toLowerCase() !== 'innerhtml' && this.schema.hasElement(tagName, EMPTY_ARRAY) &&
        this.schema.hasProperty(tagName, name, EMPTY_ARRAY) &&
        this._isSafeToReflectProperty(tagName, name)) {
      this.setAttribute(el, name, value.toString());