	[ACS-5399] Fix incomplete multi-character sanitization (#8707)
* [ACS-5399] sanitization fix * [ACS-5399] sanitization fix * [ACS-5399] sanitization fix * [ACS-5399] sanitization fix * [ACS-5399] sanitization fix for comments.component * [ACS-5399] sanitization fix for highlight-transform.service * [ACS-5399] sanitization fix * [ACS-5399] sanitization highlight-transform.service * [ACS-5399] removed empty constructor * [ACS-5399] linting * [ACS-5399] fixed unit test * [ACS-5399] linting * [ACS-5399] fixed e2e * [ACS-5399] added unit test to core * [ACS-5399] added unit test to core * [ACS-5399] test fix
					committed by
					
						 GitHub
						GitHub
					
				
			
			
				
	
			
			
			
						parent
						
							dc06accace
						
					
				
				
					commit
					54542c8b2b
				
			| @@ -150,7 +150,8 @@ describe('Comment', () => { | |||||||
|             await expect(await commentsPage.getTime(0)).toMatch(/(ago|few)/); |             await expect(await commentsPage.getTime(0)).toMatch(/(ago|few)/); | ||||||
|         }); |         }); | ||||||
|  |  | ||||||
|         it('[C280022] Should not be able to add an HTML or other code input into the comment input filed', async () => { |         it('[C280022] Should treat HTML code as a regular string', async () => { | ||||||
|  |             const resultStr = comments.codeType.replace(/\s\s+/g, ' '); | ||||||
|             await viewerPage.viewFile(pngFileModel.name); |             await viewerPage.viewFile(pngFileModel.name); | ||||||
|             await viewerPage.clickInfoButton(); |             await viewerPage.clickInfoButton(); | ||||||
|             await viewerPage.checkInfoSideBarIsDisplayed(); |             await viewerPage.checkInfoSideBarIsDisplayed(); | ||||||
| @@ -160,7 +161,7 @@ describe('Comment', () => { | |||||||
|             await commentsPage.checkUserIconIsDisplayed(); |             await commentsPage.checkUserIconIsDisplayed(); | ||||||
|  |  | ||||||
|             await commentsPage.getTotalNumberOfComments('Comments (1)'); |             await commentsPage.getTotalNumberOfComments('Comments (1)'); | ||||||
|             await expect(await commentsPage.getMessage(0)).toEqual('First name: Last name:'); |             await expect(await commentsPage.getMessage(0)).toEqual(resultStr); | ||||||
|             await expect(await commentsPage.getUserName(0)).toEqual(userFullName); |             await expect(await commentsPage.getUserName(0)).toEqual(userFullName); | ||||||
|             await expect(await commentsPage.getTime(0)).toMatch(/(ago|few)/); |             await expect(await commentsPage.getTime(0)).toMatch(/(ago|few)/); | ||||||
|         }); |         }); | ||||||
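Review bot: The new `resultStr` used in the `getMessage(0)` assertion collapses internal whitespace runs (`/\s\s+/g`) but, unlike the component's `sanitize`, neither trims leading/trailing whitespace nor maps newlines to `<br/>`, so the comparison only holds if the `comments.codeType` fixture (not visible here) is single-line and already trimmed. Mirroring the component's trim, `const resultStr = comments.codeType.trim().replace(/\s\s+/g, ' ');`, or a comment recording that assumption, would keep the test from breaking on an innocent fixture change. The raw-string comparison also only proves the markup was not interpreted if `getMessage` reads text content rather than innerHTML; a second check that no `button`/`h1` element exists inside the rendered comment would pin the XSS intent directly. The test body starts before the hunk.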
|   | |||||||
| @@ -173,8 +173,8 @@ describe('CommentsComponent', () => { | |||||||
|  |  | ||||||
|             fixture.detectChanges(); |             fixture.detectChanges(); | ||||||
|             await fixture.whenStable(); |             await fixture.whenStable(); | ||||||
|  |             const sanitizedStr = '<div class="text-class"><button onclick=""><h1>action</h1></button></div>'; | ||||||
|             expect(addCommentSpy).toHaveBeenCalledWith('123', 'action'); |             expect(addCommentSpy).toHaveBeenCalledWith('123', sanitizedStr); | ||||||
|         }); |         }); | ||||||
|  |  | ||||||
|         it('should normalize comment when user input contains spaces sequence', async () => { |         it('should normalize comment when user input contains spaces sequence', async () => { | ||||||
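Review bot: The new `sanitizedStr` expectation locks in that `addComment` receives an entity-encoded string, i.e. it tests the encoding strategy rather than what the user sees; asserting that the rendered comment contains no `button`/`h1` element and that its text shows the literal tags would capture the security intent without coupling the test to encode-on-input. As rendered on this page the literal appears decoded (`<div class="text-class">…`), presumably `&lt;div class=&quot;text-class&quot;&gt;…` in the source. The input also exercises neither `&`, quotes nor a newline, so the ordering dependency in `sanitize` (ampersand must be encoded before the other entities are introduced, newline to `<br/>` last) goes untested; one extra case such as `'a & b\n<i>"x"</i>'` would cover it. The enclosing `describe` continues outside the hunk.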
|   | |||||||
| @@ -175,8 +175,9 @@ export class CommentsComponent implements OnChanges { | |||||||
|     } |     } | ||||||
|  |  | ||||||
|     private sanitize(input: string): string { |     private sanitize(input: string): string { | ||||||
|         return input.replace(/<[^>]+>/g, '') |         return input.replace(/^\s+|\s+$|\s+(?=\s)/g, '') | ||||||
|             .replace(/^\s+|\s+$|\s+(?=\s)/g, '') |             .replace(/&/g, '&').replace(/</g, '<') | ||||||
|             .replace(/\r?\n/g, '<br/>'); |             .replace(/>/g, '>').replace(/"/g, '"') | ||||||
|  |             .replace(/'/g, ''').replace(/\r?\n/g, '<br/>'); | ||||||
|     } |     } | ||||||
| } | } | ||||||
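Review bot: `sanitize` now HTML-entity-encodes the comment on the way into the API (plus the injected `<br/>`), which bakes a presentation concern into stored data: any other consumer of the comment text (REST clients, other UIs, full-text indexing) will see entity text, and one that encodes on output will double-encode. The conventional fix for an incomplete-sanitization finding is to store the raw comment and escape at render time, where Angular's interpolation or `[innerHTML]` sanitizer already does the encoding; if encode-on-input is deliberate, say so on the method, e.g. `// Comments are persisted HTML-encoded; render them via [innerHTML] only, never re-escape.` The replacement order itself is correct (`&` first, so later entities are not re-encoded; newline to `<br/>` last so the break survives), and the replacement strings appear identical to their patterns on this page presumably because the renderer decoded `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;`. The enclosing `CommentsComponent` class starts outside the hunk.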
|   | |||||||
| @@ -15,8 +15,7 @@ | |||||||
|  * limitations under the License. |  * limitations under the License. | ||||||
|  */ |  */ | ||||||
|  |  | ||||||
| import { Injectable, SecurityContext } from '@angular/core'; | import { Injectable } from '@angular/core'; | ||||||
| import { DomSanitizer } from '@angular/platform-browser'; |  | ||||||
|  |  | ||||||
| export interface HighlightTransformResult { | export interface HighlightTransformResult { | ||||||
|     text: string; |     text: string; | ||||||
| @@ -28,8 +27,6 @@ export interface HighlightTransformResult { | |||||||
| }) | }) | ||||||
| export class HighlightTransformService { | export class HighlightTransformService { | ||||||
|  |  | ||||||
|     constructor(private sanitizer: DomSanitizer) {} |  | ||||||
|  |  | ||||||
|     /** |     /** | ||||||
|      * Searches for `search` string(s) within `text` and highlights all occurrences. |      * Searches for `search` string(s) within `text` and highlights all occurrences. | ||||||
|      * |      * | ||||||
| @@ -47,14 +44,17 @@ export class HighlightTransformService { | |||||||
|             pattern = pattern.split(' ').filter((t) => t.length > 0).join('|'); |             pattern = pattern.split(' ').filter((t) => t.length > 0).join('|'); | ||||||
|  |  | ||||||
|             const regex = new RegExp(pattern, 'gi'); |             const regex = new RegExp(pattern, 'gi'); | ||||||
|             result = this.sanitizer.sanitize(SecurityContext.HTML, text).replace(regex, (match) => { |             result = this.removeHtmlTags(text).replace(regex, (match) => { | ||||||
|                 isMatching = true; |                 isMatching = true; | ||||||
|                 return `<span class="${wrapperClass}">${match}</span>`; |                 return `<span class="${wrapperClass}">${match}</span>`; | ||||||
|             }); |             }); | ||||||
|  |  | ||||||
|             return { text: result, changed: isMatching }; |             return { text: result, changed: isMatching }; | ||||||
|         } else { |         } else { | ||||||
|             return { text: result, changed: isMatching }; |             return { text: result, changed: isMatching }; | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |     private removeHtmlTags(text: string): string { | ||||||
|  |         return text.split('>').pop().split('<')[0]; | ||||||
|  |     } | ||||||
| } | } | ||||||
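Review bot: `removeHtmlTags` (added at the bottom of the hunk) is not a sanitizer but a truncation: `text.split('>').pop().split('<')[0]` keeps only the text after the last `>` and before the next `<`, so `"total > 5 items"` highlights as `" 5 items"`, `"a < b"` becomes `"a "`, and `"Report <draft>"` loses its prefix — legitimate content silently disappears from results, and a real `DomSanitizer` pass is replaced by ad-hoc slicing. Neither version lets `<`/`>` through, but the safer fix for the multi-character-sanitization finding is to HTML-escape the text the way `CommentsComponent.sanitize` now does rather than cut it, escaping gaps and matches separately so a search term cannot split an entity such as `&lt;` (the version below does that and lets `removeHtmlTags` be deleted). Under `strictNullChecks` the `.pop()` result is `string | undefined`, so the new helper only compiles with that flag off. `wrapperClass` (a parameter declared outside the hunk) and `pattern` (built on the line above from the search string without escaping regex metacharacters, so `(` throws and `.*` matches everything) are also used unvalidated; if either is caller-supplied, escape each token with `t.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')` before the `join('|')` and restrict `wrapperClass` to a single class-name token.
```typescript
const regex = new RegExp(pattern, 'gi');
const escapeHtml = (s: string): string =>
    s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
let out = '';
let last = 0;
let m: RegExpExecArray | null;
while ((m = regex.exec(text)) !== null) {
    if (m[0].length === 0) { regex.lastIndex++; continue; } // zero-width match would otherwise loop forever
    isMatching = true;
    out += escapeHtml(text.slice(last, m.index)) + `<span class="${wrapperClass}">${escapeHtml(m[0])}</span>`;
    last = m.index + m[0].length;
}
result = out + escapeHtml(text.slice(last));
// … unchanged: return { text: result, changed: isMatching } …
```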
|   | |||||||