[ACS-5395] Fixed possibility to containing script by string (#8696)

* ACS-5395 Fixed possibility to containing script by string * ACS-5395 Fixed possibility to containing script by string
Alfresco · Jun 27, 2023 · be896b5 · be896b5
1 parent 1078e27
commit be896b5
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/lib/core/src/lib/common/services/highlight-transform.service.ts b/lib/core/src/lib/common/services/highlight-transform.service.ts
@@ -15,7 +15,8 @@
  * limitations under the License.
  */
 
-import { Injectable } from '@angular/core';
+import { Injectable, SecurityContext } from '@angular/core';
+import { DomSanitizer } from '@angular/platform-browser';
 
 export interface HighlightTransformResult {
     text: string;
@@ -27,6 +28,8 @@ export interface HighlightTransformResult {
 })
 export class HighlightTransformService {
 
+    constructor(private sanitizer: DomSanitizer) {}
+
     /**
      * Searches for `search` string(s) within `text` and highlights all occurrences.
      *
@@ -44,7 +47,7 @@ export class HighlightTransformService {
             pattern = pattern.split(' ').filter((t) => t.length > 0).join('|');
 
             const regex = new RegExp(pattern, 'gi');
-            result = text.replace(/<[^>]+>/g, '').replace(regex, (match) => {
+            result = this.sanitizer.sanitize(SecurityContext.HTML, text).replace(regex, (match) => {
                 isMatching = true;
                 return `<span class="${wrapperClass}">${match}</span>`;
             });