ngSanitize can make input placeholder modiafiable in Internet Explorer 11

[floftar]

Do you want to request a feature or report a bug?

Report a bug.

What is the current behavior?

ngSanitize can make input placeholder modiafiable in Internet Explorer 11 if input element's parent has disabled attribute. User can click input and start modifying placeholder text. Without ngSanitize input is simply disabled in Internet Explorer 11.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem via https://plnkr.co or similar (template: http://plnkr.co/edit/tpl:yBpEi4).

<!DOCTYPE html>
<html ng-app="customApp">
  <head>
    <title>Internet Explorer 11 and input placeholder</title>
  </head>
  <body disabled>
    <input type="text" size="60" placeholder="Placeholder can be modified in Internet Explorer 11">

    <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js"></script>
    <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular-sanitize.min.js"></script>
    <script>

    angular.module('customApp', ['ngSanitize']);

    </script>
  </body>
</html>

What is the expected behavior?

Input with placeholder would behave identically as plain HTML without AngularJS (i.e., input is simply disabled).

Which versions of AngularJS, and which browser / OS are affected by this issue? Did this work in previous versions of AngularJS? Please also test with the latest stable and snapshot (https://code.angularjs.org/snapshot/) versions.

AngularJS: 1.6.1, 1.6.2 and snapshot (build.5274+sha.79c4a71)
Internet Explorer 11 - versions 11.0.9600.18524 and 11.0.9600.18537

[Narretz]

Hi,
there are a few things going on here, but essentially, this is a bug in IE11 and has nothing to do with AngularJS. You can remove ngSanitize and AngularJS completely and you will see the same behavior.

Also, putting disabled on the body is not suppowed to disable the children that are input elements. No other browser does anything when you do that. It looks like IE has a bug there.

in conclusion, it's a bug and if don't put disabled on parent elements, and this should not affect you.

[floftar]

Hi,

I agree that Internet Explorer 11 behaves strange. However if I change line with angular.module in my above example to:

angular.module('customApp', []);

Placeholder cannot be anymore modified. At least for me and that is why I thought it has to do something with AngularJS.

Using disabled in body was for providing a minimal example. You could for example have disabled as binding in your component:

<!DOCTYPE html>
<html ng-app="customApp">
  <head>
    <title>IE 11 and input placeholder</title>
  </head>
  <body>
    <custom-input disabled="true"></custom-input>

    <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js"></script>
    <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular-sanitize.min.js"></script>
    <script>

    angular.module('customApp', ['ngSanitize']).component('customInput', {
      bindings: {
        disabled: '<'
      },

      template: '<fieldset ng-disabled="$ctrl.disabled"><input type="text" placeholder="Placeholder"></fieldset>'
    });

    </script>
  </body>
</html>

In above example you get similar behavior with Internet Explorer 11 and Chrome 56 but placeholder text can be modified in Internet Explorer. However behavior is same for both browsers if ngSanitize is not used:

angular.module('customApp', []).component('customInput', {...

[Narretz]

Ok, I was testing in IE11 11.576.14393.0, Update Version 11.0.38 and there was no difference with / without ngSanitize. Your and my version numbers looks quite different, so I can't say which was is newer.

It's also possible that I didn't correctly translate your example to this plnkr which I used to test: http://plnkr.co/edit/jDJv5NtwwDSsp9hRT2rf?p=preview Can you check if this fails for you in IE11?

It's always better to provide a runnable example instead of just the code.

That said, I don't think this is something we can / should fix, since the workaround is simple.

[floftar]

Thank you for example code. Internet Explorer behaves as I described earlier, but there is a catch. If I run the Plunker as such it does not work. You have to open the resulting iframe (right side, http://run.plnkr.co/...) in the browser and then you can see the behavior I described. At least in my Internet Explorer. I have no idea why the app cannot be in iframe.

Behavior can be changed by modifying app.js line 1:

var app = angular.module('plunker', ['ngSanitize']);

vs

var app = angular.module('plunker', []);

I agree that this is probably something that is not even worth trying to fix, but I wanted to bring this up just in case. My latter example is maybe a bit more concrete where somebody could use disabled as custom element attribute and might be surprised how Internet Explorer works.

[Narretz]

FWIW, there's no change for me when I switch to run.plnkr ...

[floftar]

Thanks for investigating this problem.