From 8fba7449e4cbea2de7f3787952fe94a2b9de02f8 Mon Sep 17 00:00:00 2001
From: Mykyta Maliarchuk <84377976+nikita-web-ua@users.noreply.github.com>
Date: Tue, 4 Jul 2023 15:30:44 +0200
Subject: [PATCH] [ACS-5401] Fix unsafe HTML constructed from library input (#8725)
* [ACS-5401] sucurity fix
* [ACS-5401] fix tests
* [ACS-5401] security fix
---
 .../content-user-info/content-user-info.component.html | 8 ++++----
 lib/core/src/lib/pipes/user-initial.pipe.ts | 7 ++++++-
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/lib/content-services/src/lib/content-user-info/content-user-info.component.html b/lib/content-services/src/lib/content-user-info/content-user-info.component.html
index 71f86a89ca..216b225280 100644
--- a/lib/content-services/src/lib/content-user-info/content-user-info.component.html
+++ b/lib/content-services/src/lib/content-user-info/content-user-info.component.html
@@ -1,8 +1,8 @@
-
diff --git a/lib/core/src/lib/pipes/user-initial.pipe.ts b/lib/core/src/lib/pipes/user-initial.pipe.ts
index e76844b123..6aec8cbacf 100644
--- a/lib/core/src/lib/pipes/user-initial.pipe.ts
+++ b/lib/core/src/lib/pipes/user-initial.pipe.ts
@@ -31,7 +31,12 @@ export class InitialUsernamePipe implements PipeTransform {
 let safeHtml: SafeHtml = '';
 if (user) {
 const initialResult = this.getInitialUserName(user.firstName || user.displayName || user.username, user.lastName, delimiter);
- safeHtml = this.sanitized.bypassSecurityTrustHtml(`
${initialResult}
`);
+ const div = document.createElement('div');
+ div.innerText = initialResult;
+ div.dataset.automationId = 'user-initials-image';
+ div.className = className;
+
+ safeHtml = this.sanitized.bypassSecurityTrustHtml(div.outerHTML);
 }
 return safeHtml;
 }
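Review bot: `bypassSecurityTrustHtml` is still called on the last added line, so the output is safe only because `initialResult` and `className` reach the element through DOM properties and are escaped when `outerHTML` serialises it; nothing in the hunk records that invariant. I would add a comment above the call such as `// Built via DOM properties so outerHTML is escaped; never interpolate user fields into this string.` and set the text with `div.textContent = initialResult;`, since assigning `innerText` turns line breaks in the value into `<br>` elements. The new code also uses the global `document`, which looks like it would fail where the pipe runs without a browser DOM (for example server-side rendering); injecting Angular's `DOCUMENT` token would avoid that, though the constructor is not visible here. The enclosing `transform` method starts outside the hunk.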