I\'m using polymer-jsonp to perform JSONP requests, but the response sometimes contains html.
For example, supposing that post.content is \"Foo&l
Polymer will not stamp unescaped HTML via data-binding because it becomes a vulnerability for XSS attacks.
There are talks ongoing about making it possible to stamp HTML under limited circumstance, or to allow for customized filtering, but this is not implemented yet at the data layer.
It is possible to do what you want today using an additional custom element, but again, be advised of the potential for bad things to happen if you render untrusted HTML into your page.
Here is an example that shows this technique:
http://jsbin.com/durajiwo/1/edit
For those look for polymer 1.0
<dom-module id="html-echo">
<style>
:host {
display: block;
}
</style>
<template>
</template>
</dom-module>
<script>
(function () {
Polymer({
is: 'html-echo',
properties: {
html: {
type: String,
observer: '_htmlChanged'
}
},
_htmlChanged: function (neo) {
// WARNING: potential XSS vulnerability if `html` comes from an untrusted source
this.innerHTML = neo;
}
});
})();
</script>
If you're sure it is what you want to do, just use innerHTML
.
_renderHtml: function(html) {
this.$.dynamicHtmlContainer.innerHTML = html;
}
Or to dynamically add a shadow-dom child:
_renderHtml: function(html) {
var div = document.createElement('div');
div.innerHTML = html;
Polymer.dom(this).appendChild(div);
}
I think Polymer.dom
is being removed in Polymer 2.0 though.