
feat(config): add option to disable custom html functionality #26956

Merged
merged 13 commits into feature-6.7 from FW-3722 on Mar 22, 2023

Conversation

liamdebeasi
Member

@liamdebeasi liamdebeasi commented Mar 14, 2023

Docs PR: ionic-team/ionic-docs#2826

Pull request checklist

Please check if your PR fulfills the following requirements:

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)
    • Some docs updates need to be made in the ionic-docs repo, in a separate PR. See the contributing guide for details.
  • Build (npm run build) was run locally and any changes were pushed
  • Lint (npm run lint) has passed locally and any fixes were made for failures

Pull request type

Please check the type of change your PR introduces:

  • Bugfix
  • Feature
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes
  • Other (please describe):

What is the current behavior?

Issue URL: Internal ticket

Developers have requested a way to disable the innerHTML functionality in Ionic for use cases where they are only passing plain text. Accepting user content and passing to innerHTML without properly sanitizing their content poses a security risk. Ionic has a built-in sanitizer for this, but it is not designed to be comprehensive.

What is the new behavior?

  • Added a global innerHTMLTemplatesEnabled config. When false, this will disable any innerHTML functionality inside of Ionic. This avoids the need to use a sanitizer because user-generated content will be interpreted as text instead of custom HTML.

Does this introduce a breaking change?

  • Yes
  • No

Other information
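The following is an added illustration of the rendering decision this PR introduces; it is not Ionic's code and nothing here is taken from the PR's diff. The config object and its `get(key, fallback)` API, the default value of `true`, the deliberately weak `naiveSanitize` stand-in, the `escapeText` serializer and the sample messages are all assumptions made for the example. It shows the two paths side by side: with `innerHTMLTemplatesEnabled` true the message is treated as HTML and its safety depends entirely on how complete the sanitizer is; with it false the same message is written as text, so no HTML is interpreted and a sanitizer is no longer needed.

```javascript
// Added example, not Ionic's code: a toy model of the innerHTMLTemplatesEnabled
// switch. Config API, default value, sanitizer and serializer are assumptions.

// Stand-in for a global config (assumed API; the default of `true` is also assumed).
function makeConfig(overrides = {}) {
  const values = { innerHTMLTemplatesEnabled: true, ...overrides };
  return {
    get(key, fallback) {
      return Object.prototype.hasOwnProperty.call(values, key) ? values[key] : fallback;
    },
  };
}

// Deliberately non-comprehensive sanitizer, standing in for any sanitizer that is
// "not designed to be comprehensive": it strips <script> elements and on* handler
// attributes and nothing else. It is NOT Ionic's built-in sanitizer.
function naiveSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\son\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// What a text node holding `s` becomes when the DOM is serialized back to HTML:
// only &, < and > are escaped, so markup characters lose their meaning.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The decision point. Flag on: message is HTML, passed through the sanitizer and
// then assigned to innerHTML. Flag off: message is plain text, assigned to
// textContent, and no HTML is ever interpreted.
function renderMessage(message, config) {
  const customHTMLEnabled = config.get('innerHTMLTemplatesEnabled', true);
  if (customHTMLEnabled) {
    return { prop: 'innerHTML', markup: naiveSanitize(message) };
  }
  return { prop: 'textContent', markup: escapeText(message) };
}

// Constructed sample inputs: one legitimately formatted message and two hostile ones.
const SAMPLES = {
  formatted: 'Your order <b>#1234</b> has shipped.',
  handler: '<img src="x" onerror="alert(document.cookie)">',
  jsUrl: '<a href="javascript:alert(1)">View details</a>',
};

// Renders every sample under both settings so the difference can be inspected.
function demo() {
  const results = {};
  for (const [name, message] of Object.entries(SAMPLES)) {
    results[name] = {
      enabled: renderMessage(message, makeConfig({ innerHTMLTemplatesEnabled: true })),
      disabled: renderMessage(message, makeConfig({ innerHTMLTemplatesEnabled: false })),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the table. The `handler` sample shows the sanitizer doing its job (the `onerror` attribute is removed) while the `jsUrl` sample passes through it untouched, which is exactly the class of gap a non-comprehensive sanitizer leaves; with the flag off, both hostile samples come out as inert escaped text, and the legitimate `<b>` formatting is lost as well, which is the trade-off applications that only pass plain text are happy to make.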


@github-actions github-actions bot added the package: core @ionic/core package label Mar 14, 2023
@liamdebeasi liamdebeasi changed the title feat(config): add option to disable html functionality feat(config): add option to disable custom html functionality Mar 14, 2023
@liamdebeasi liamdebeasi marked this pull request as ready for review March 14, 2023 16:46
@liamdebeasi liamdebeasi requested a review from a team as a code owner March 14, 2023 16:46
Contributor

@amandaejohnston amandaejohnston left a comment


Don't forget to add this to the interface docs: https://ionicframework.com/docs/angular/config#ionicconfig (also for React and Vue)

Contributor

@amandaejohnston amandaejohnston left a comment


Oh wait, that would be in the docs PR, wouldn't it 😆 Nvm, this one looks good.

@liamdebeasi liamdebeasi requested a review from a team March 20, 2023 13:06
@liamdebeasi liamdebeasi merged commit 3b0af7c into feature-6.7 Mar 22, 2023
45 checks passed
@liamdebeasi liamdebeasi deleted the FW-3722 branch March 22, 2023 18:00
Labels
package: core @ionic/core package

4 participants