[ACS-10116] [ACA] Search page renders HTML from the Description,Title field instead of showing it as plain text

2025-09-17 14:21:14 +00:00 · 2025-09-17 13:26:18 +02:00
parent 66720be7c0
commit 7af7c46baf
1 changed files with 75 additions and 1 deletions
--- a/projects/aca-content/src/lib/components/search/search-results-row/search-results-row.component.spec.ts
+++ b/projects/aca-content/src/lib/components/search/search-results-row/search-results-row.component.spec.ts
@@ -133,8 +133,82 @@ describe('SearchResultsRowComponent', () => {

  it('should pass node to badge component', () => {
    component.context = { row: { node: nodeEntry } };
+    fixture.detectChanges();
+
    const badgeElement = fixture.debugElement.query(By.css('aca-datatable-cell-badges'));
    expect(badgeElement).not.toBe(null);
-    expect(badgeElement.componentInstance.node).toBe(component.context.node);
+    expect(badgeElement.componentInstance.node).toBe(component.context.row.node);
+  });
+
+  it('should escape plain < and > in values', (done) => {
+    const customEntry: ResultSetRowEntry = {
+      entry: {
+        ...nodeEntry.entry,
+        name: '2 < 5 > 3',
+        search: { score: 5 }
+      }
+    } as ResultSetRowEntry;
+
+    component.context = { row: { node: customEntry } };
+    component.name$
+      .asObservable()
+      .pipe(first())
+      .subscribe(() => {
+        fixture.detectChanges();
+
+        const nameElement: HTMLSpanElement = fixture.debugElement.query(By.css('.aca-link.aca-crop-text')).nativeElement;
+        expect(nameElement.innerHTML).toBe('2 &lt; 5 &gt; 3');
+        expect(nameElement.textContent).toBe('2 < 5 > 3');
+        done();
+      });
+    fixture.detectChanges();
+  });
+
+  it('should not render script tags as HTML', (done) => {
+    const customEntry: ResultSetRowEntry = {
+      entry: {
+        ...nodeEntry.entry,
+        name: '<script>alert("xss")</script>',
+        search: { score: 5 }
+      }
+    } as ResultSetRowEntry;
+
+    component.context = { row: { node: customEntry } };
+    component.name$
+      .asObservable()
+      .pipe(first())
+      .subscribe(() => {
+        fixture.detectChanges();
+
+        const nameElement: HTMLSpanElement = fixture.debugElement.query(By.css('.aca-link.aca-crop-text')).nativeElement;
+        expect(nameElement.innerHTML).toContain('&lt;script&gt;alert("xss")&lt;/script&gt;');
+        expect(nameElement.textContent).toBe('<script>alert("xss")</script>');
+        done();
+      });
+    fixture.detectChanges();
+  });
+
+  it('should allow highlight spans but escape other tags', (done) => {
+    const customEntry: ResultSetRowEntry = {
+      entry: {
+        ...nodeEntry.entry,
+        name: '<b><span class="aca-highlight">BoldHighlight</span></b>',
+        search: { score: 5 }
+      }
+    } as ResultSetRowEntry;
+
+    component.context = { row: { node: customEntry } };
+    component.name$
+      .asObservable()
+      .pipe(first())
+      .subscribe(() => {
+        fixture.detectChanges();
+
+        const nameElement: HTMLSpanElement = fixture.debugElement.query(By.css('.aca-link.aca-crop-text')).nativeElement;
+        expect(nameElement.innerHTML).toBe('&lt;b&gt;<span class="aca-highlight">BoldHighlight</span>&lt;/b&gt;');
+        expect(nameElement.textContent).toBe('<b>BoldHighlight</b>');
+        done();
+      });
+    fixture.detectChanges();
  });
 });