From 0ebe320421a225f507b0a60852ed0dc29e88ca79 Mon Sep 17 00:00:00 2001
From: Vladyslav_Prykhodko <vprykhodko@thingsboard.io>
Date: Wed, 25 Oct 2023 11:44:06 +0300
Subject: [PATCH] UI: Fixed reflected html injection via login error

---
 ui-ngx/src/app/core/auth/auth.service.ts                   | 3 ++-
 .../shared/components/dialog/alert-dialog.component.html   | 7 ++++++-
 .../app/shared/components/dialog/alert-dialog.component.ts | 1 +
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ui-ngx/src/app/core/auth/auth.service.ts b/ui-ngx/src/app/core/auth/auth.service.ts
index f4777aae29..875cef30d1 100644
--- a/ui-ngx/src/app/core/auth/auth.service.ts
+++ b/ui-ngx/src/app/core/auth/auth.service.ts
@@ -370,7 +370,8 @@ export class AuthService {
           data: {
             title: translations['login.error'],
             message: loginError,
-            ok: translations['action.close']
+            ok: translations['action.close'],
+            textMode: true
           }
         };
         this.dialog.open(AlertDialogComponent, dialogConfig);
diff --git a/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.html b/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.html
index de56079efd..fb0c93b491 100644
--- a/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.html
+++ b/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.html
@@ -16,7 +16,12 @@
 
 -->
 <h2 mat-dialog-title>{{data.title}}</h2>
-<div mat-dialog-content [innerHTML]="data.message | safe:'html'"></div>
+<ng-container *ngIf="data.textMode; else htmlMode">
+  <div mat-dialog-content [innerText]="data.message"></div>
+</ng-container>
+<ng-template #htmlMode>
+  <div mat-dialog-content [innerHTML]="data.message | safe:'html'"></div>
+</ng-template>
 <div mat-dialog-actions fxLayoutAlign="end center">
   <button mat-button color="primary" [mat-dialog-close]="true" cdkFocusInitial>{{data.ok}}</button>
 </div>
diff --git a/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.ts b/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.ts
index c29d66b1cc..c7c26bc7a2 100644
--- a/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.ts
+++ b/ui-ngx/src/app/shared/components/dialog/alert-dialog.component.ts
@@ -21,6 +21,7 @@ export interface AlertDialogData {
   title: string;
   message: string;
   ok: string;
+  textMode?: boolean;
 }
 
 @Component({