UI: Fixed reflected html injection via login error

2023-10-25 11:44:06 +03:00 · 2023-10-25 11:44:06 +03:00 · 0ebe320421
commit 0ebe320421
parent c238576e54
3 changed files with 9 additions and 2 deletions
--- a/ui-ngx/src/app/core/auth/auth.service.ts
+++ b/ui-ngx/src/app/core/auth/auth.service.ts
@ -370,7 +370,8 @@ export class AuthService {
          data: {
            title: translations['login.error'],
            message: loginError,
-            ok: translations['action.close']
+            ok: translations['action.close'],
+            textMode: true
          }
        };
        this.dialog.open(AlertDialogComponent, dialogConfig);
--- a/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.html
+++ b/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.html
@ -16,7 +16,12 @@

 -->
 <h2 mat-dialog-title>{{data.title}}</h2>
-<div mat-dialog-content [innerHTML]="data.message | safe:'html'"></div>
+<ng-container *ngIf="data.textMode; else htmlMode">
+  <div mat-dialog-content [innerText]="data.message"></div>
+</ng-container>
+<ng-template #htmlMode>
+  <div mat-dialog-content [innerHTML]="data.message | safe:'html'"></div>
+</ng-template>
 <div mat-dialog-actions fxLayoutAlign="end center">
  <button mat-button color="primary" [mat-dialog-close]="true" cdkFocusInitial>{{data.ok}}</button>
 </div>
--- a/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.ts
+++ b/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.ts
@ -21,6 +21,7 @@ export interface AlertDialogData {
  title: string;
  message: string;
  ok: string;
+  textMode?: boolean;
 }

@Component({