Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bug: Security risks associated with using innerHTML #18065

Closed
cjorasch opened this issue Apr 17, 2019 · 11 comments
Closed

bug: Security risks associated with using innerHTML #18065

cjorasch opened this issue Apr 17, 2019 · 11 comments
Labels
package: core @ionic/core package type: bug a confirmed bug report

Comments

@cjorasch
Copy link

Bug Report

Ionic version:
[x] 4.2.0

Current behavior:
Ionic core uses innerHTML in a number of places that result in security risks when used in conjunction with user entered content.

From: https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML

Warning: If your project is one that will undergo any form of security review, using innerHTML most likely will result in your code being rejected. For example, if you use innerHTML in a browser extension and submit the extension to addons.mozilla.org, it will not pass the automated review process.

This was originally submitted as issue #14586 but that issue was closed.

Several Ionic components have properties that are string values but are handled as HTML content when rendering the component.

An example usage where there is a security risk is:

    const alert = await this.alertController.create({
      message: 'Hello ' + this.name,
    });

If the user is able to enter the value for name then they are able to insert raw HTML into the dom.

Specific components where this issue exists include:

  • <ion-alert>.message
  • <ion-searchbar>.placeholder
  • <ion-infinite-scroll-content>.loadingText
  • <ion-refresher-content>.pullingText
  • <ion-refresher-content>.refershingText

Other issues:

In addition to security risks, it is also difficult for the developer to know that the property is handled as raw html. For example, the ion-alert message property is defined as The main message to be displayed in the alert in the documentation. If you do read through the source code you will likely not know if is raw html.

This makes it less likely the developer will know to escape any user entered values which makes it likely that there will be security holes.

It also can cause display issues when used with user entered data. For example:

    const alert = await this.alertController.create({
      message: 'Hello ' + this.name,
    });

If name includes < or other html characters then the message will not render correctly.

Proposed solution:

The ability to render content beyond a simple string is very valuable so there should be an ability to specify formatted content.

A potential solution is to use properties that can contain JSX values. For example:

@Prop() message: JSX.Element;

This allows the value to be a simple string value to avoid complicating the interface. It also allows the value to be more complex content when appropriate. For example:

<my-component message={<span>Hello <b>user</b></span>} />

This technique could also be used for other properties that could benefit from increased formatting flexibility. For example: alert.header, toast.message, etc.

@ionitron-bot ionitron-bot bot added the triage label Apr 17, 2019
@liamdebeasi
Copy link
Contributor

Hi there,

Thanks for the issue. I am able to reproduce using the following:

const alert = await this.alertCtrl.create({
  message: 'Hello <img src="x" onerror="alert(1)">'
});
    
await alert.present();

(Source: https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML#Security_considerations)

I am going to discuss with the team the best way to address this issue.

Thanks!

@liamdebeasi liamdebeasi added package: core @ionic/core package type: bug a confirmed bug report labels Apr 18, 2019
@cjorasch
Copy link
Author

I noticed this is being worked on and glad to see that the security risk will be closed.

I am curious, however, why a sanitization approach is being used rather than simply leveraging JSX.

In particular, there are a few downsides with the sanitization approach:

  • The whitelist of elements and attributes will be one more thing to learn and lead to ongoing developer requests to extend the whitelist.
  • Special string properties that can contain some html are not obvious from the component interface where the property appears to be a normal string.
  • The developer still needs to escape user content to handle reserved characters (<, &, etc.) for it to display correctly.
  • Putting content in a <slot> vs. specifying as a property uses a different technique.

If the property is declared as @Prop() message: JSX.Element;

  • Leverages existing developer experience with JSX.
  • Any html content can be represented
  • Security is maintained
  • User content is escaped
  • the component interface clearly defines what is valid
  • Simple string values can be used as is
  • No extra code required

Is there some downside to the JSX approach?

@liamdebeasi
Copy link
Contributor

Hi there,

Thanks for the follow up. The main issue with the JSX approach is it does not stop bad actors from executing arbitrary JavaScript (the main thing we want to avoid), while still allowing safe HTML to be included.

The following would still be allowed:

<a href="javascript:alert('JavaScript Executed!')">A Harmless Link</a>

I agree that the HTML/string usage could be much clearer in our documentation, but ultimately we do want to allow users to include small bits of HTML in some of these props (i.e. showing an image in an ion-alert).

Sanitize JSX.Element via innerHTML JSX.Element via rendering inside of a div
image image image

I am using the following as input for the examples above:

<a href="javascript:alert(`oh no!`);">click me!</a> <img src="http://lorempixel.com/400/200/cats/"> 123 < 150 1 & 2 & 3 Lorem ipsum dolor sit amet

Notice in the JSX.Element via innerHTML image, the link is still clickable. Clicking the link would cause JavaScript to execute. Additionally, rendering the message via <div>{this.message</div> will cause all HTML to be forced to string which is not something we want either. In the Sanitize image, the JavaScript is removed from the link, and the rest of the valid HTML is still rendered.

In general, we provide sanitization methods for our components that use innerHTML, but it is ultimately up to the user to ensure that they do not introduce new XSS vulnerabilities when they build with Ionic.

We will also be creating a security guide in our docs that explains these changes for other developers.

Please let me know if you have any questions.
Thanks!

@cjorasch
Copy link
Author

When supporting JSX you would not use innerHTML because, as you mentioned, that would still have a security risk. But there is no need to use innerHTML at all.

@Prop() message: JSX.Element;

render() {
  return <span>Hello {this.message}!</span>;
}

This is what happens everywhere else you are rendering user content. This approach allows the developer to apply markup where appropriate without needing to escape user content.

I think the primary time that the sanitization approach is useful is when you want the end user to be able to enter limited html content (similar to markdown) but this seems like a less likely use case. If for some reason it is desired it could be handled with a component that wraps partial html and then used anywhere that JSX is supported. If I enter a value into a <input> or load a value from a database generally the desire is to render it the way it was entered rather than to assume it is html.

If I enter John Smith <[email protected]> into a text field I generally expect it to be rendered the same way in both displayed content and alerts.

@liamdebeasi
Copy link
Contributor

Hi there,

With components like ion-alert we want the user to be able to enter limited HTML content, so JSX.Element is not particularly useful in this case as this.message would be converted to a string before being rendered.

@cjorasch
Copy link
Author

When would the user enter limited HTML content and how would that relate to displaying an alert vs. any other rendering?

For example, in an app like the ionic conference application. If users build the schedule of events then each event has a title. The title is displayed in lots of other components so any html characters will be displayed as is. If the title is This -> that then it will appear that way on the pages. If the user is able to delete an event the app might display a message "Are you sure you want to delete This -> that?". If the alert assumes html then it gets rendered differently. If you think the value should be able to contain html then it would need to be rendered differently everywhere else.

It seems like the more likely use case is:

message: <span>Are you sure you want to delete <b>{event.title}</b>?</span>

In this case the alert can display formatted content correctly but still apply the same formatting to use content that is used everywhere else.

@liamdebeasi
Copy link
Contributor

With the sanitize approach, your content is still rendered the same. All we do differently is we strip out things like javascript: or onclick handlers. Supplying characters such as < or & still render properly, so providing This -> that to the message prop would still work correctly.

Additionally, we can’t export as JSX.Element because we don’t require JSX to use Ionic core. Ionic core can be used inside of an Angular application and needs to be able to be passed in as such.

After discussing with the team, we are going to move forward with this sanitize approach.

Thanks for bringing this issue to our attention! I will post here when the updates have been merged in.

@simonhaenisch
Copy link
Contributor

Not really security related, but I agree that having the possibility of passing in JSX would be very useful here... in fact that is something I already tried, in the same way that @cjorasch explained above in #18065 (comment), i. e., the user entering the HTML/JSX would be the developer working with Ionic (where having JSX available is not unlikely), not the end user of the app.

Would it be possible to type the prop as e. g.

@Prop() message: string | JSX.Element;

or does that also make it not work in a non-jsx setup? Passing HTML as a string when working with JSX feels so wrong 🤓 Maybe it's possible to conditionally avoid using innerHTML if JSX is passed in? But not sure how it would be possible to distinguish between string and jsx type in the renderer at runtime.

@liamdebeasi
Copy link
Contributor

liamdebeasi commented Apr 23, 2019

Hi everyone,

I think my previous comment was a little bit vague, so let me attempt to clarify 🙂

We aren't able to implement the JSX approach for two reasons:

  1. Switching from an only string input to an only JSX.Element input would be considered a breaking change, and we only do those for major releases (4.0, 5.0, 6.0, etc)
  2. Switching from an only string input to an only JSX.Element input would prevent users who do not use JSX from using certain Ionic components (For example, a person using Ionic components in a vanilla JS application).

We definitely understand and appreciate the desire for JSX.Element support, but our focus is currently on getting the current implementation fixed up. That being said, supporting both string and JSX.Element is something worth discussing with the team (in terms of feasibility and technical limitations), so I will certainly do that. However, adding JSX.Element would be considered a feature and is out of scope for this security fix.

For anyone who would like to see JSX.Element supported in components like ion-alert, I recommend creating a Feature Request as this issue will likely be closed once the security fix is in place.

Thanks!

@liamdebeasi
Copy link
Contributor

Hi there,

This has been fixed via #18083. We will be providing patch releases for all minor versions of Ionic 4 later today (4.0.x, 4.1.x, etc).

Thanks for bringing this to our attention, and thanks for using Ionic!

liamdebeasi added a commit that referenced this issue May 8, 2019
* docs(process): update release process

* docs(fab-list): update the activated description (#18026)

* docs(breaking): add ionDrag event arguments change (#17989)

* docs(slides): add swiper prefix in animation usage (#18073)

* feat(searchbar): add disabled property (#17935)

closes #17921

* fix(reorder-group): remove required parameter for the complete method (#18084)

also updates documentation surrounding the reorder & infinite scroll

fixes #16302

* docs(components): update method and parameter descriptions (#18075)

* fix(datetime): default to current date when value is null (#18105)

fixes #18099

* docs(toolbar): fix end slot documentation (#18092)

* fix(item): use the global activated background for md ripple color (#16752)

fixes #16585

* fix(textarea): reposition textarea when keybard appears (#18098)

fixes #17847

* fix(button): apply round property to button sizes in iOS (#18125)

fixes #18108

* fix(): add prefixed transform for older versions of chrome (#18128)

fixes #17729

* fix(segment): decrease icon size on ios and stretch segment buttons to fill height (#17751)

fixes #17069

* fix(): sanitize components using innerHTML (#18083)

fixes #18065

* Release 4.3.1 (#18152) (#18154)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* doc(loading): remove mention of undefined "content" property (#18126)

* feat(img): add ionImgWillLoad event and emit ionImgDidLoad when image is loaded (#18159)

- Adds `ionImgWillLoad` event that emits when the img src is set
- Moves the `ionImgDidLoad` event emit so that it happens when the image actually finishes loading

fixes #17652 closes #18161

* fix(toast): allow button-color CSS variable to be overridden (#18133)

fixes #18127

* fix(label): use primary color on focus for md input labels (#18183)

fixes #15602

* feat(item-sliding): add open method (#17964)

resolves #17899

* feat(menu-button): add css variables for padding (#18188)

fixes #18187

* feat(card): add button functionality (#17997)

closes #17773

* feat(textarea): add option to expand textarea as value changes (#16916)

* feat(textarea): add autoGrow - set height to scrollHeight

* change 1px to inherit, remove additional 4px

* feat(refresher): add pullFactor property to control speed (#16697)

closes #15425

* fix(input): clear on edit from inside native input (#17115)

fixes #17055

* test(angular): increase timeout for tab switch (#18221)

* 4.4.0
liamdebeasi added a commit that referenced this issue May 8, 2019
* docs(process): update release process

* docs(fab-list): update the activated description (#18026)

* docs(breaking): add ionDrag event arguments change (#17989)

* docs(slides): add swiper prefix in animation usage (#18073)

* feat(searchbar): add disabled property (#17935)

closes #17921

* fix(reorder-group): remove required parameter for the complete method (#18084)

also updates documentation surrounding the reorder & infinite scroll

fixes #16302

* docs(components): update method and parameter descriptions (#18075)

* fix(datetime): default to current date when value is null (#18105)

fixes #18099

* docs(toolbar): fix end slot documentation (#18092)

* fix(item): use the global activated background for md ripple color (#16752)

fixes #16585

* fix(textarea): reposition textarea when keybard appears (#18098)

fixes #17847

* fix(button): apply round property to button sizes in iOS (#18125)

fixes #18108

* fix(): add prefixed transform for older versions of chrome (#18128)

fixes #17729

* fix(segment): decrease icon size on ios and stretch segment buttons to fill height (#17751)

fixes #17069

* fix(): sanitize components using innerHTML (#18083)

fixes #18065

* Release 4.3.1 (#18152) (#18154)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* doc(loading): remove mention of undefined "content" property (#18126)

* feat(img): add ionImgWillLoad event and emit ionImgDidLoad when image is loaded (#18159)

- Adds `ionImgWillLoad` event that emits when the img src is set
- Moves the `ionImgDidLoad` event emit so that it happens when the image actually finishes loading

fixes #17652 closes #18161

* fix(toast): allow button-color CSS variable to be overridden (#18133)

fixes #18127

* fix(label): use primary color on focus for md input labels (#18183)

fixes #15602

* feat(item-sliding): add open method (#17964)

resolves #17899

* feat(menu-button): add css variables for padding (#18188)

fixes #18187

* feat(card): add button functionality (#17997)

closes #17773

* feat(textarea): add option to expand textarea as value changes (#16916)

* feat(textarea): add autoGrow - set height to scrollHeight

* change 1px to inherit, remove additional 4px

* feat(refresher): add pullFactor property to control speed (#16697)

closes #15425

* fix(input): clear on edit from inside native input (#17115)

fixes #17055

* test(angular): increase timeout for tab switch (#18221)

* fix other merge conflict
liamdebeasi added a commit that referenced this issue May 8, 2019
* Release 4.3.1 (#18152)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* merge release-4.4.0

* docs(process): update release process

* docs(fab-list): update the activated description (#18026)

* docs(breaking): add ionDrag event arguments change (#17989)

* docs(slides): add swiper prefix in animation usage (#18073)

* feat(searchbar): add disabled property (#17935)

closes #17921

* fix(reorder-group): remove required parameter for the complete method (#18084)

also updates documentation surrounding the reorder & infinite scroll

fixes #16302

* docs(components): update method and parameter descriptions (#18075)

* fix(datetime): default to current date when value is null (#18105)

fixes #18099

* docs(toolbar): fix end slot documentation (#18092)

* fix(item): use the global activated background for md ripple color (#16752)

fixes #16585

* fix(textarea): reposition textarea when keybard appears (#18098)

fixes #17847

* fix(button): apply round property to button sizes in iOS (#18125)

fixes #18108

* fix(): add prefixed transform for older versions of chrome (#18128)

fixes #17729

* fix(segment): decrease icon size on ios and stretch segment buttons to fill height (#17751)

fixes #17069

* fix(): sanitize components using innerHTML (#18083)

fixes #18065

* Release 4.3.1 (#18152) (#18154)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* doc(loading): remove mention of undefined "content" property (#18126)

* feat(img): add ionImgWillLoad event and emit ionImgDidLoad when image is loaded (#18159)

- Adds `ionImgWillLoad` event that emits when the img src is set
- Moves the `ionImgDidLoad` event emit so that it happens when the image actually finishes loading

fixes #17652 closes #18161

* fix(toast): allow button-color CSS variable to be overridden (#18133)

fixes #18127

* fix(label): use primary color on focus for md input labels (#18183)

fixes #15602

* feat(item-sliding): add open method (#17964)

resolves #17899

* feat(menu-button): add css variables for padding (#18188)

fixes #18187

* feat(card): add button functionality (#17997)

closes #17773

* feat(textarea): add option to expand textarea as value changes (#16916)

* feat(textarea): add autoGrow - set height to scrollHeight

* change 1px to inherit, remove additional 4px

* feat(refresher): add pullFactor property to control speed (#16697)

closes #15425

* fix(input): clear on edit from inside native input (#17115)

fixes #17055

* test(angular): increase timeout for tab switch (#18221)

* 4.4.0

* fix other merge conflict
liamdebeasi added a commit that referenced this issue May 8, 2019
* Release 4.3.1 (#18152)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* merge release-4.4.0

* docs(process): update release process

* docs(fab-list): update the activated description (#18026)

* docs(breaking): add ionDrag event arguments change (#17989)

* docs(slides): add swiper prefix in animation usage (#18073)

* feat(searchbar): add disabled property (#17935)

closes #17921

* fix(reorder-group): remove required parameter for the complete method (#18084)

also updates documentation surrounding the reorder & infinite scroll

fixes #16302

* docs(components): update method and parameter descriptions (#18075)

* fix(datetime): default to current date when value is null (#18105)

fixes #18099

* docs(toolbar): fix end slot documentation (#18092)

* fix(item): use the global activated background for md ripple color (#16752)

fixes #16585

* fix(textarea): reposition textarea when keybard appears (#18098)

fixes #17847

* fix(button): apply round property to button sizes in iOS (#18125)

fixes #18108

* fix(): add prefixed transform for older versions of chrome (#18128)

fixes #17729

* fix(segment): decrease icon size on ios and stretch segment buttons to fill height (#17751)

fixes #17069

* fix(): sanitize components using innerHTML (#18083)

fixes #18065

* Release 4.3.1 (#18152) (#18154)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* doc(loading): remove mention of undefined "content" property (#18126)

* feat(img): add ionImgWillLoad event and emit ionImgDidLoad when image is loaded (#18159)

- Adds `ionImgWillLoad` event that emits when the img src is set
- Moves the `ionImgDidLoad` event emit so that it happens when the image actually finishes loading

fixes #17652 closes #18161

* fix(toast): allow button-color CSS variable to be overridden (#18133)

fixes #18127

* fix(label): use primary color on focus for md input labels (#18183)

fixes #15602

* feat(item-sliding): add open method (#17964)

resolves #17899

* feat(menu-button): add css variables for padding (#18188)

fixes #18187

* feat(card): add button functionality (#17997)

closes #17773

* feat(textarea): add option to expand textarea as value changes (#16916)

* feat(textarea): add autoGrow - set height to scrollHeight

* change 1px to inherit, remove additional 4px

* feat(refresher): add pullFactor property to control speed (#16697)

closes #15425

* fix(input): clear on edit from inside native input (#17115)

fixes #17055

* test(angular): increase timeout for tab switch (#18221)

* 4.4.0

* chore(): resolve merge conflicts from older hotfix

* docs(process): update release process

* docs(fab-list): update the activated description (#18026)

* docs(breaking): add ionDrag event arguments change (#17989)

* docs(slides): add swiper prefix in animation usage (#18073)

* feat(searchbar): add disabled property (#17935)

closes #17921

* fix(reorder-group): remove required parameter for the complete method (#18084)

also updates documentation surrounding the reorder & infinite scroll

fixes #16302

* docs(components): update method and parameter descriptions (#18075)

* fix(datetime): default to current date when value is null (#18105)

fixes #18099

* docs(toolbar): fix end slot documentation (#18092)

* fix(item): use the global activated background for md ripple color (#16752)

fixes #16585

* fix(textarea): reposition textarea when keybard appears (#18098)

fixes #17847

* fix(button): apply round property to button sizes in iOS (#18125)

fixes #18108

* fix(): add prefixed transform for older versions of chrome (#18128)

fixes #17729

* fix(segment): decrease icon size on ios and stretch segment buttons to fill height (#17751)

fixes #17069

* fix(): sanitize components using innerHTML (#18083)

fixes #18065

* Release 4.3.1 (#18152) (#18154)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* doc(loading): remove mention of undefined "content" property (#18126)

* feat(img): add ionImgWillLoad event and emit ionImgDidLoad when image is loaded (#18159)

- Adds `ionImgWillLoad` event that emits when the img src is set
- Moves the `ionImgDidLoad` event emit so that it happens when the image actually finishes loading

fixes #17652 closes #18161

* fix(toast): allow button-color CSS variable to be overridden (#18133)

fixes #18127

* fix(label): use primary color on focus for md input labels (#18183)

fixes #15602

* feat(item-sliding): add open method (#17964)

resolves #17899

* feat(menu-button): add css variables for padding (#18188)

fixes #18187

* feat(card): add button functionality (#17997)

closes #17773

* feat(textarea): add option to expand textarea as value changes (#16916)

* feat(textarea): add autoGrow - set height to scrollHeight

* change 1px to inherit, remove additional 4px

* feat(refresher): add pullFactor property to control speed (#16697)

closes #15425

* fix(input): clear on edit from inside native input (#17115)

fixes #17055

* test(angular): increase timeout for tab switch (#18221)

* fix other merge conflict
kiku-jw pushed a commit to kiku-jw/ionic that referenced this issue May 16, 2019
kiku-jw pushed a commit to kiku-jw/ionic that referenced this issue May 16, 2019
* Release 4.3.1 (ionic-team#18152)

* fix(angular): support replaceUrl with angular <7.2 (ionic-team#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (ionic-team#18146)

* 4.3.1 (ionic-team#18150)

* merge release-4.4.0

* docs(process): update release process

* docs(fab-list): update the activated description (ionic-team#18026)

* docs(breaking): add ionDrag event arguments change (ionic-team#17989)

* docs(slides): add swiper prefix in animation usage (ionic-team#18073)

* feat(searchbar): add disabled property (ionic-team#17935)

closes ionic-team#17921

* fix(reorder-group): remove required parameter for the complete method (ionic-team#18084)

also updates documentation surrounding the reorder & infinite scroll

fixes ionic-team#16302

* docs(components): update method and parameter descriptions (ionic-team#18075)

* fix(datetime): default to current date when value is null (ionic-team#18105)

fixes ionic-team#18099

* docs(toolbar): fix end slot documentation (ionic-team#18092)

* fix(item): use the global activated background for md ripple color (ionic-team#16752)

fixes ionic-team#16585

* fix(textarea): reposition textarea when keybard appears (ionic-team#18098)

fixes ionic-team#17847

* fix(button): apply round property to button sizes in iOS (ionic-team#18125)

fixes ionic-team#18108

* fix(): add prefixed transform for older versions of chrome (ionic-team#18128)

fixes ionic-team#17729

* fix(segment): decrease icon size on ios and stretch segment buttons to fill height (ionic-team#17751)

fixes ionic-team#17069

* fix(): sanitize components using innerHTML (ionic-team#18083)

fixes ionic-team#18065

* Release 4.3.1 (ionic-team#18152) (ionic-team#18154)

* fix(angular): support replaceUrl with angular <7.2 (ionic-team#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (ionic-team#18146)

* 4.3.1 (ionic-team#18150)

* doc(loading): remove mention of undefined "content" property (ionic-team#18126)

* feat(img): add ionImgWillLoad event and emit ionImgDidLoad when image is loaded (ionic-team#18159)

- Adds `ionImgWillLoad` event that emits when the img src is set
- Moves the `ionImgDidLoad` event emit so that it happens when the image actually finishes loading

fixes ionic-team#17652 closes ionic-team#18161

* fix(toast): allow button-color CSS variable to be overridden (ionic-team#18133)

fixes ionic-team#18127

* fix(label): use primary color on focus for md input labels (ionic-team#18183)

fixes ionic-team#15602

* feat(item-sliding): add open method (ionic-team#17964)

resolves ionic-team#17899

* feat(menu-button): add css variables for padding (ionic-team#18188)

fixes ionic-team#18187

* feat(card): add button functionality (ionic-team#17997)

closes ionic-team#17773

* feat(textarea): add option to expand textarea as value changes (ionic-team#16916)

* feat(textarea): add autoGrow - set height to scrollHeight

* change 1px to inherit, remove additional 4px

* feat(refresher): add pullFactor property to control speed (ionic-team#16697)

closes ionic-team#15425

* fix(input): clear on edit from inside native input (ionic-team#17115)

fixes ionic-team#17055

* test(angular): increase timeout for tab switch (ionic-team#18221)

* 4.4.0

* fix other merge conflict
brandyscarney pushed a commit that referenced this issue May 22, 2019
* docs(process): update release process

* docs(fab-list): update the activated description (#18026)

* docs(breaking): add ionDrag event arguments change (#17989)

* docs(slides): add swiper prefix in animation usage (#18073)

* feat(searchbar): add disabled property (#17935)

closes #17921

* fix(reorder-group): remove required parameter for the complete method (#18084)

also updates documentation surrounding the reorder & infinite scroll

fixes #16302

* docs(components): update method and parameter descriptions (#18075)

* fix(datetime): default to current date when value is null (#18105)

fixes #18099

* docs(toolbar): fix end slot documentation (#18092)

* fix(item): use the global activated background for md ripple color (#16752)

fixes #16585

* fix(textarea): reposition textarea when keybard appears (#18098)

fixes #17847

* fix(button): apply round property to button sizes in iOS (#18125)

fixes #18108

* fix(): add prefixed transform for older versions of chrome (#18128)

fixes #17729

* fix(segment): decrease icon size on ios and stretch segment buttons to fill height (#17751)

fixes #17069

* fix(): sanitize components using innerHTML (#18083)

fixes #18065

* Release 4.3.1 (#18152) (#18154)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* doc(loading): remove mention of undefined "content" property (#18126)

* feat(img): add ionImgWillLoad event and emit ionImgDidLoad when image is loaded (#18159)

- Adds `ionImgWillLoad` event that emits when the img src is set
- Moves the `ionImgDidLoad` event emit so that it happens when the image actually finishes loading

fixes #17652 closes #18161

* fix(toast): allow button-color CSS variable to be overridden (#18133)

fixes #18127

* fix(label): use primary color on focus for md input labels (#18183)

fixes #15602

* feat(item-sliding): add open method (#17964)

resolves #17899

* feat(menu-button): add css variables for padding (#18188)

fixes #18187

* feat(card): add button functionality (#17997)

closes #17773

* feat(textarea): add option to expand textarea as value changes (#16916)

* feat(textarea): add autoGrow - set height to scrollHeight

* change 1px to inherit, remove additional 4px

* feat(refresher): add pullFactor property to control speed (#16697)

closes #15425

* fix(input): clear on edit from inside native input (#17115)

fixes #17055

* test(angular): increase timeout for tab switch (#18221)

* 4.4.0

* Release 4.3.1 (#18152)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* merge release-4.4.0

* docs(process): update release process

* docs(fab-list): update the activated description (#18026)

* docs(breaking): add ionDrag event arguments change (#17989)

* docs(slides): add swiper prefix in animation usage (#18073)

* feat(searchbar): add disabled property (#17935)

closes #17921

* fix(reorder-group): remove required parameter for the complete method (#18084)

also updates documentation surrounding the reorder & infinite scroll

fixes #16302

* docs(components): update method and parameter descriptions (#18075)

* fix(datetime): default to current date when value is null (#18105)

fixes #18099

* docs(toolbar): fix end slot documentation (#18092)

* fix(item): use the global activated background for md ripple color (#16752)

fixes #16585

* fix(textarea): reposition textarea when keybard appears (#18098)

fixes #17847

* fix(button): apply round property to button sizes in iOS (#18125)

fixes #18108

* fix(): add prefixed transform for older versions of chrome (#18128)

fixes #17729

* fix(segment): decrease icon size on ios and stretch segment buttons to fill height (#17751)

fixes #17069

* fix(): sanitize components using innerHTML (#18083)

fixes #18065

* Release 4.3.1 (#18152) (#18154)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* doc(loading): remove mention of undefined "content" property (#18126)

* feat(img): add ionImgWillLoad event and emit ionImgDidLoad when image is loaded (#18159)

- Adds `ionImgWillLoad` event that emits when the img src is set
- Moves the `ionImgDidLoad` event emit so that it happens when the image actually finishes loading

fixes #17652 closes #18161

* fix(toast): allow button-color CSS variable to be overridden (#18133)

fixes #18127

* fix(label): use primary color on focus for md input labels (#18183)

fixes #15602

* feat(item-sliding): add open method (#17964)

resolves #17899

* feat(menu-button): add css variables for padding (#18188)

fixes #18187

* feat(card): add button functionality (#17997)

closes #17773

* feat(textarea): add option to expand textarea as value changes (#16916)

* feat(textarea): add autoGrow - set height to scrollHeight

* change 1px to inherit, remove additional 4px

* feat(refresher): add pullFactor property to control speed (#16697)

closes #15425

* fix(input): clear on edit from inside native input (#17115)

fixes #17055

* test(angular): increase timeout for tab switch (#18221)

* 4.4.0

* fix other merge conflict

* chore(): resolve conflicts from older hotifx

* Release 4.3.1 (#18152)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* merge release-4.4.0

* docs(process): update release process

* docs(fab-list): update the activated description (#18026)

* docs(breaking): add ionDrag event arguments change (#17989)

* docs(slides): add swiper prefix in animation usage (#18073)

* feat(searchbar): add disabled property (#17935)

closes #17921

* fix(reorder-group): remove required parameter for the complete method (#18084)

also updates documentation surrounding the reorder & infinite scroll

fixes #16302

* docs(components): update method and parameter descriptions (#18075)

* fix(datetime): default to current date when value is null (#18105)

fixes #18099

* docs(toolbar): fix end slot documentation (#18092)

* fix(item): use the global activated background for md ripple color (#16752)

fixes #16585

* fix(textarea): reposition textarea when keybard appears (#18098)

fixes #17847

* fix(button): apply round property to button sizes in iOS (#18125)

fixes #18108

* fix(): add prefixed transform for older versions of chrome (#18128)

fixes #17729

* fix(segment): decrease icon size on ios and stretch segment buttons to fill height (#17751)

fixes #17069

* fix(): sanitize components using innerHTML (#18083)

fixes #18065

* Release 4.3.1 (#18152) (#18154)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* doc(loading): remove mention of undefined "content" property (#18126)

* feat(img): add ionImgWillLoad event and emit ionImgDidLoad when image is loaded (#18159)

- Adds `ionImgWillLoad` event that emits when the img src is set
- Moves the `ionImgDidLoad` event emit so that it happens when the image actually finishes loading

fixes #17652 closes #18161

* fix(toast): allow button-color CSS variable to be overridden (#18133)

fixes #18127

* fix(label): use primary color on focus for md input labels (#18183)

fixes #15602

* feat(item-sliding): add open method (#17964)

resolves #17899

* feat(menu-button): add css variables for padding (#18188)

fixes #18187

* feat(card): add button functionality (#17997)

closes #17773

* feat(textarea): add option to expand textarea as value changes (#16916)

* feat(textarea): add autoGrow - set height to scrollHeight

* change 1px to inherit, remove additional 4px

* feat(refresher): add pullFactor property to control speed (#16697)

closes #15425

* fix(input): clear on edit from inside native input (#17115)

fixes #17055

* test(angular): increase timeout for tab switch (#18221)

* 4.4.0

* chore(): resolve merge conflicts from older hotfix

* docs(process): update release process

* docs(fab-list): update the activated description (#18026)

* docs(breaking): add ionDrag event arguments change (#17989)

* docs(slides): add swiper prefix in animation usage (#18073)

* feat(searchbar): add disabled property (#17935)

closes #17921

* fix(reorder-group): remove required parameter for the complete method (#18084)

also updates documentation surrounding the reorder & infinite scroll

fixes #16302

* docs(components): update method and parameter descriptions (#18075)

* fix(datetime): default to current date when value is null (#18105)

fixes #18099

* docs(toolbar): fix end slot documentation (#18092)

* fix(item): use the global activated background for md ripple color (#16752)

fixes #16585

* fix(textarea): reposition textarea when keybard appears (#18098)

fixes #17847

* fix(button): apply round property to button sizes in iOS (#18125)

fixes #18108

* fix(): add prefixed transform for older versions of chrome (#18128)

fixes #17729

* fix(segment): decrease icon size on ios and stretch segment buttons to fill height (#17751)

fixes #17069

* fix(): sanitize components using innerHTML (#18083)

fixes #18065

* Release 4.3.1 (#18152) (#18154)

* fix(angular): support replaceUrl with angular <7.2 (#18106)

* fix(angular): support replaceUrl with angular <7.2

* run linter

* fix(): sanitize components using innerHTML (#18146)

* 4.3.1 (#18150)

* doc(loading): remove mention of undefined "content" property (#18126)

* feat(img): add ionImgWillLoad event and emit ionImgDidLoad when image is loaded (#18159)

- Adds `ionImgWillLoad` event that emits when the img src is set
- Moves the `ionImgDidLoad` event emit so that it happens when the image actually finishes loading

fixes #17652 closes #18161

* fix(toast): allow button-color CSS variable to be overridden (#18133)

fixes #18127

* fix(label): use primary color on focus for md input labels (#18183)

fixes #15602

* feat(item-sliding): add open method (#17964)

resolves #17899

* feat(menu-button): add css variables for padding (#18188)

fixes #18187

* feat(card): add button functionality (#17997)

closes #17773

* feat(textarea): add option to expand textarea as value changes (#16916)

* feat(textarea): add autoGrow - set height to scrollHeight

* change 1px to inherit, remove additional 4px

* feat(refresher): add pullFactor property to control speed (#16697)

closes #15425

* fix(input): clear on edit from inside native input (#17115)

fixes #17055

* test(angular): increase timeout for tab switch (#18221)

* fix other merge conflict

* fix(react): Support for adding css classes via `className` in Ionic React components (#18231)

* fix(react): adding classname to react props

* fix(react): updating rtl to latest to fix ts error

* fix(react): changes to support className

* fix(loading): allow html content (#18242)

fixes #18135

* fix(icon): remove stroke and move fill to host element (#18241)

This removes the weird border around custom SVGs used in an ion-icon.

fixes #16483

* bug(security): allow name and slot attributes when sanitizing (#18246)

* allow name attribute

* also add slot

* fix(input): keep entire input in view when scrolling with keyboard open (#18253)

fixes #17457

* fix(tab-button): apply background-focused when tabbing into tab button (#17502)

fixes #17042

* test(theming): update theming tests

* fix(react): defaultHref fixes (#18278)

* fix(react): making children prop optional on overlay components

* fix(react): passing in defaultHref so it can be used if there is no prev view

* fix(react): making children prop optional on overlay components (#18243)

* fix(buttons): use theme/color toolbar colors for buttons (#18191)

- Updates the iOS buttons in a toolbar to use the proper global theming variables
- Updates the iOS segment to use the correct background variable when checked
- Updates the iOS back button and menu button to use the proper color in a toolbar
- Updates the iOS buttons in a toolbar w/ color to use the proper contrast colors (background, borders, text, hover, focus), mostly solid and outline buttons were affected
- Updates the CSS that applies the global toolbar variables so that it won't affect toolbars w/ a color

fixes #18184, fixes #17840

* fix(overlay): hide scrollbars on non-scrollable content (#16767)

fixes #14178

* fix(slides): disable swiper touch preventDefault (#16728)

* fix(slides): disable swiper touch preventDefault

* fix(slides): update Swiper types

* add screenshots to test

* add screenshot descriptions

* fix(toolbar): update md toolbar button spacing and padding to match spec (#17537)

- Removes the padding from the main toolbar and individually style the components inside of it
- Adds a `has-icon-only` class to button, this is used to switch between `unbounded` and `bounded` ripples on buttons in a toolbar. If the button is clear and only has an icon, we use the unbounded "circular" ripple effect, otherwise still use the bounded one. This matches the MD spec, without making the other buttons look off.
- Using the class above, style the button differently to match the MD spec
- Updates the back button and menu button to use the proper size / icon size
- Removes the opacity on an activated back button, it should use the ripple for activated
- Moves the margin to the slots in a toolbar by grabbing the "first" and "last" slot and applying a class to them
- Makes the segment in a toolbar use the min height from the toolbar
- Updates the back button so that it matches the MD spec
- Updates the header box shadow to use the old v3 datauri 

fixes #16950 fixes #14444

* fix(tabs): initialize select in the willLoad before the select call is made (#18300)

#17957

* fix(angular): preserve queryParams and fragment when going back (#18298)

fixes #16744

* fix(angular): ensure active page is not removed from change detection (#18299)

fixes #18293

* docs(toast-controller): fix description typo  (#18312)

Fix typo in component description text.

* test(components): add rtl tests and remove skips (#18319)

references #17012

* fix(css): update rtl function to prepend selectors with host-context properly (#18315)

references #17012

* chore(): remove debug and log statements (#18245)

fixes #18190

* docs(datetime): add note about timezones, fix typo (#18289)

* fix(range): update border-radius on range pin for rtl (#18321)

references #17012

* fix(angular): preserve special characters encoding when going back (#18323)

* fix(rtl): updates searchbar, fab and toggle icon positioning in rtl (#18325)

- fixes tab badge (in Chrome)
- fixes searchbar buttons
- fixes fab positioning
- fixes toggle

references #17012

* fix(segment): update segment border for rtl (#18326)

references #17012

* fix(datetime): update label direction in rtl (#18340)

* fix(picker): update the column positions in rtl (#18339)

references #17012

* fix(button): only apply has-icon-only if icon has the slot for icon-only (#18343)

fixes #18329

* tests(): add missing test statements (#18346)

* 4.4.1

* remove react changelog
@ionitron-bot
Copy link

ionitron-bot bot commented May 26, 2019

Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Ionic, please create a new issue and ensure the template is fully filled out.

@ionitron-bot ionitron-bot bot locked and limited conversation to collaborators May 26, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
package: core @ionic/core package type: bug a confirmed bug report
Projects
None yet
Development

No branches or pull requests

3 participants