fix: prevent HTML injection on no search result page and account over…

…view (#1575)
intershop · Jan 16, 2024 · 3066250 · 3066250
1 parent c99e1d0
commit 3066250
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 4 deletions.
diff --git a/src/app/pages/account-overview/account-overview/account-overview.component.html b/src/app/pages/account-overview/account-overview/account-overview.component.html
@@ -2,7 +2,7 @@
   <h1
     [innerHTML]="
       'account.overview.personal_message_b2b.text'
-        | translate : { '0': user.firstName + '&nbsp;' + user.lastName, '1': customer.companyName }
+        | translate : { '0': user.firstName + '&nbsp;' + user.lastName, '1': customer.companyName | htmlEncode }
     "
     data-testing-id="personal-message-b2b"
   ></h1>

diff --git a/src/app/pages/account-overview/account-overview/account-overview.component.spec.ts b/src/app/pages/account-overview/account-overview/account-overview.component.spec.ts
@@ -10,6 +10,7 @@ import { ServerHtmlDirective } from 'ish-core/directives/server-html.directive';
 import { FeatureToggleModule } from 'ish-core/feature-toggle.module';
 import { Customer } from 'ish-core/models/customer/customer.model';
 import { User } from 'ish-core/models/user/user.model';
+import { HtmlEncodePipe } from 'ish-core/pipes/html-encode.pipe';
 import { ServerSettingPipe } from 'ish-core/pipes/server-setting.pipe';
 import { RoleToggleModule } from 'ish-core/role-toggle.module';
 import { OrderWidgetComponent } from 'ish-shared/components/order/order-widget/order-widget.component';
@@ -38,6 +39,7 @@ describe('Account Overview Component', () => {
         MockComponent(OrderWidgetComponent),
         MockDirective(AuthorizationToggleDirective),
         MockDirective(ServerHtmlDirective),
+        MockPipe(HtmlEncodePipe),
         MockPipe(ServerSettingPipe, () => true),
       ],
       imports: [FeatureToggleModule.forTesting(), RoleToggleModule.forTesting(), TranslateModule.forRoot()],

diff --git a/src/app/pages/search/search-no-result/search-no-result.component.html b/src/app/pages/search/search-no-result/search-no-result.component.html
@@ -11,7 +11,10 @@ <h1 class="h2">{{ 'search.noResult.heading' | translate }}</h1>
     <ish-content-include includeId="include.searchnoresult.content.top.pagelet2-Include" />
   </div>
 
-  <p class="no-search-result-title" [innerHTML]="'search.noResult.message' | translate : { '0': searchTerm }"></p>
+  <p
+    class="no-search-result-title"
+    [innerHTML]="'search.noResult.message' | translate : { '0': searchTerm | htmlEncode }"
+  ></p>
 
   <div class="search-container main-search-container">
     <ish-search-box

diff --git a/src/app/pages/search/search-no-result/search-no-result.component.spec.ts b/src/app/pages/search/search-no-result/search-no-result.component.spec.ts
@@ -1,7 +1,8 @@
 import { ComponentFixture, TestBed } from '@angular/core/testing';
 import { TranslateModule, TranslateService } from '@ngx-translate/core';
-import { MockComponent } from 'ng-mocks';
+import { MockComponent, MockPipe } from 'ng-mocks';
 
+import { HtmlEncodePipe } from 'ish-core/pipes/html-encode.pipe';
 import { ContentIncludeComponent } from 'ish-shared/cms/components/content-include/content-include.component';
 import { BreadcrumbComponent } from 'ish-shared/components/common/breadcrumb/breadcrumb.component';
 import { SearchBoxComponent } from 'ish-shared/components/search/search-box/search-box.component';
@@ -21,6 +22,7 @@ describe('Search No Result Component', () => {
         MockComponent(BreadcrumbComponent),
         MockComponent(ContentIncludeComponent),
         MockComponent(SearchBoxComponent),
+        MockPipe(HtmlEncodePipe, value => value),
         SearchNoResultComponent,
       ],
     }).compileComponents();

diff --git a/src/styles/pages/category/search-result.scss b/src/styles/pages/category/search-result.scss
@@ -15,7 +15,7 @@
 
 .no-search-result-title {
   span {
-    font-size: $font-size-lg;
+    font-family: $font-family-bold;
   }
 }