fix(security): sanitize HTML in toggleEditorMode() to prevent XSS (#587)

* bugfix added sanitization html preview to text.

* Added sanitization in oContent

---------

Co-authored-by: MarioTesoro <mario@kraken.localdomain>

Author: MarioTesoro

projects/angular-editor/src/lib/editor/angular-editor.component.ts

@@ -353,11 +353,20 @@ export class AngularEditorComponent implements OnInit, ControlValueAccessor, Aft
       oCode.focus();
     } else {
       if (this.doc.querySelectorAll) {
+        // if sanitize: true the html element, from preview to text, is sanitized according the sanitizer config. 
+        if(this.config.sanitize !== false){
+          editableElement.innerText = this.sanitizer.sanitize(SecurityContext.HTML, editableElement.innerText)
+        }
         this.r.setProperty(editableElement, 'innerHTML', editableElement.innerText);
       } else {
         oContent = this.doc.createRange();
         oContent.selectNodeContents(editableElement.firstChild);
-        this.r.setProperty(editableElement, 'innerHTML', oContent.toString());
+        let oContentString = oContent.toString()
+        // if sanitize: true the oContent is sanitized according the sanitizer config. 
+        if(this.config.sanitize !== false){
+          oContentString = this.sanitizer.sanitize(SecurityContext.HTML, oContentString)
+        }
+        this.r.setProperty(editableElement, 'innerHTML', oContentString);
       }
       this.r.setProperty(editableElement, 'contentEditable', true);
       this.modeVisual = true;