Description
Prerequisites
- I have read the Contributing Guidelines.
- I have not leaked any internal/restricted information like screenshots, videos, code snippets, links etc.
What happened?
It is currently possible to insert HTML into an ix-pill, for example:
```html
<ix-pill><h1>Header</h1></ix-pill>
```
During a security assessment, it was found that the ix-pill component renders data without proper sanitization or escaping. This allows HTML content to be injected and rendered directly in the DOM, which may pose a security risk if malicious content is introduced.
Expectation:
The ix-pill component is expected to accept and render plain strings only. It should not process or render any HTML content, as this can lead to unintended visual effects and potential security issues. For instance, rendering a <h1> tag disrupts the layout, and an <img> tag is not properly visualized. All input should be treated as text and properly escaped to prevent HTML interpretation.
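The following is an added illustration of the reported behaviour, not code from the iX library or from the reporter's StackBlitz. It contrasts a pill template that interpolates the label into markup unchanged (the failure mode described above) with one that escapes the label first, and adds a check a test could run against rendered output to catch labels that leaked into the DOM as elements. The function names, the `span.pill` wrapper and the sample labels are assumptions made for the example.

```javascript
// Added example (not ix-pill's implementation): compares raw interpolation
// of a label into markup with an escaped rendering, plus a detection check.

// Escape the characters that let plain text be interpreted as markup,
// so the browser displays the label literally instead of parsing it.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the label is interpolated into the template as-is,
// so '<h1>Header</h1>' becomes a real heading element inside the pill.
function renderPillUnsafe(label) {
  return `<span class="pill">${label}</span>`;
}

// Hardened pattern: the label is escaped, so the same input is rendered
// as the visible text "<h1>Header</h1>" and never becomes an element.
function renderPillSafe(label) {
  return `<span class="pill">${escapeHtml(label)}</span>`;
}

// Check for leaked markup: a correctly rendered pill contains exactly the
// wrapper's opening and closing tags and nothing else. Any extra tag, or any
// tag that is not the wrapper, means label content was parsed as HTML.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  if (tags.length !== 2) return true;
  return tags.some((tag) => !/^<\/?span\b/.test(tag));
}

// Constructed sample labels mirroring the report: a heading and an image tag.
const sampleLabels = ['<h1>Header</h1>', '<img src="x">', 'plain text'];

// Render each label both ways and report whether markup leaked through.
function auditLabels(labels) {
  return labels.map((label) => ({
    label,
    unsafeLeaks: containsInjectedMarkup(renderPillUnsafe(label)),
    safeLeaks: containsInjectedMarkup(renderPillSafe(label)),
  }));
}

console.log(auditLabels(sampleLabels));
```

In a real test against the component you would read `element.innerHTML` (or query for child elements) after setting the label and apply the same check; a pill that only ever shows text should have no child elements at all.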
What type of frontend framework are you seeing the problem on?
Angular (Standalone)
On which version of the frontend framework are you experiencing the issue?
19.2.15
Which version of iX do you use?
3.2.0
Code to produce this issue.
https://stackblitz.com/edit/13f3aupa?file=src%2Fpill.ts