From 3066250fac5b90fc3eeda1662fbdeea1da294e40 Mon Sep 17 00:00:00 2001
From: Stefan Hauke
Date: Tue, 16 Jan 2024 11:40:28 +0100
Subject: [PATCH] fix: prevent HTML injection on no search result page and account overview (#1575)
---
 .../account-overview/account-overview.component.html | 2 +-
 .../account-overview/account-overview.component.spec.ts | 2 ++
 .../search/search-no-result/search-no-result.component.html | 5 ++++-
 .../search-no-result/search-no-result.component.spec.ts | 4 +++-
 src/styles/pages/category/search-result.scss | 2 +-
 5 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/app/pages/account-overview/account-overview/account-overview.component.html b/src/app/pages/account-overview/account-overview/account-overview.component.html
index 65bc3d0d08..b8bd20a360 100644
--- a/src/app/pages/account-overview/account-overview/account-overview.component.html
+++ b/src/app/pages/account-overview/account-overview/account-overview.component.html
@@ -2,7 +2,7 @@

diff --git a/src/app/pages/account-overview/account-overview/account-overview.component.spec.ts b/src/app/pages/account-overview/account-overview/account-overview.component.spec.ts
index 76e287a03a..d193e7aeb9 100644
--- a/src/app/pages/account-overview/account-overview/account-overview.component.spec.ts
+++ b/src/app/pages/account-overview/account-overview/account-overview.component.spec.ts
@@ -10,6 +10,7 @@ import { ServerHtmlDirective } from 'ish-core/directives/server-html.directive';
 import { FeatureToggleModule } from 'ish-core/feature-toggle.module';
 import { Customer } from 'ish-core/models/customer/customer.model';
 import { User } from 'ish-core/models/user/user.model';
+import { HtmlEncodePipe } from 'ish-core/pipes/html-encode.pipe';
 import { ServerSettingPipe } from 'ish-core/pipes/server-setting.pipe';
 import { RoleToggleModule } from 'ish-core/role-toggle.module';
 import { OrderWidgetComponent } from 'ish-shared/components/order/order-widget/order-widget.component';
@@ -38,6 +39,7 @@ describe('Account Overview Component', () => {
 MockComponent(OrderWidgetComponent),
 MockDirective(AuthorizationToggleDirective),
 MockDirective(ServerHtmlDirective),
+ MockPipe(HtmlEncodePipe),
 MockPipe(ServerSettingPipe, () => true),
 ],
 imports: [FeatureToggleModule.forTesting(), RoleToggleModule.forTesting(), TranslateModule.forRoot()],
diff --git a/src/app/pages/search/search-no-result/search-no-result.component.html b/src/app/pages/search/search-no-result/search-no-result.component.html
index e0e87b0ee7..c9d6e24845 100644
--- a/src/app/pages/search/search-no-result/search-no-result.component.html
+++ b/src/app/pages/search/search-no-result/search-no-result.component.html
@@ -11,7 +11,10 @@
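Review bot: `MockPipe(HtmlEncodePipe)` in the second hunk is declared without a transform, so in this spec the pipe yields undefined wherever the account-overview template applies it, while the search-no-result spec in the same commit mocks it as `MockPipe(HtmlEncodePipe, value => value)`; the two specs should agree, and the identity form is the safer default if anything in this file asserts on rendered text. More importantly for a change titled "prevent HTML injection", a mocked pipe (identity or not) means neither spec exercises the encoding at all. I would keep the real `HtmlEncodePipe` in the declarations here and add one case that binds a value containing `<` and `&` through the template and asserts the rendered text node contains the escaped characters rather than a child element, so a later regression to an unencoded binding fails the test. The describe block continues outside the hunk, so I cannot tell whether such an assertion already exists.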

{{ 'search.noResult.heading' | translate }}

-

+

{
 MockComponent(BreadcrumbComponent),
 MockComponent(ContentIncludeComponent),
 MockComponent(SearchBoxComponent),
+ MockPipe(HtmlEncodePipe, value => value),
 SearchNoResultComponent,
 ],
 }).compileComponents();
diff --git a/src/styles/pages/category/search-result.scss b/src/styles/pages/category/search-result.scss
index 19898d3550..e9a5144fbb 100644
--- a/src/styles/pages/category/search-result.scss
+++ b/src/styles/pages/category/search-result.scss
@@ -15,7 +15,7 @@
 .no-search-result-title {
 span {
- font-size: $font-size-lg;
+ font-family: $font-family-bold;
 }
 }