From 33df79cd12d5fa6b45e8da3247554f656494c468 Mon Sep 17 00:00:00 2001
From: dashevchenko
Date: Wed, 13 Aug 2025 11:19:16 +0300
Subject: [PATCH] added sanitize for widget action name on delete
---
 .../widget/action/manage-widget-actions.component.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ui-ngx/src/app/modules/home/components/widget/action/manage-widget-actions.component.ts b/ui-ngx/src/app/modules/home/components/widget/action/manage-widget-actions.component.ts
index a9b9d207d0..01404f7c6e 100644
--- a/ui-ngx/src/app/modules/home/components/widget/action/manage-widget-actions.component.ts
+++ b/ui-ngx/src/app/modules/home/components/widget/action/manage-widget-actions.component.ts
@@ -24,6 +24,7 @@ import {
 NgZone,
 OnDestroy,
 OnInit,
+ SecurityContext,
 ViewChild
 } from '@angular/core';
 import { ControlValueAccessor, NG_VALUE_ACCESSOR } from '@angular/forms';
@@ -53,6 +54,7 @@ import {
 import { deepClone } from '@core/utils';
 import { hidePageSizePixelValue } from '@shared/models/constants';
 import { CdkDragDrop, moveItemInArray } from '@angular/cdk/drag-drop';
+import { DomSanitizer } from '@angular/platform-browser';
 @Component({
 selector: 'tb-manage-widget-actions',
@@ -106,7 +108,8 @@ export class ManageWidgetActionsComponent extends PageComponent implements OnIni
 private dialogs: DialogService,
 private cd: ChangeDetectorRef,
 private elementRef: ElementRef,
- private zone: NgZone) {
+ private zone: NgZone,
+ private sanitizer: DomSanitizer) {
 super();
 const sortOrder: SortOrder = { property: 'actionSourceName', direction: Direction.ASC };
 this.pageLink = new PageLink(10, 0, null, sortOrder);
@@ -289,7 +292,8 @@ export class ManageWidgetActionsComponent extends PageComponent implements OnIni } const title = this.translate.instant('widget-config.delete-action-title'); const content = this.translate.instant('widget-config.delete-action-text', {actionName: action.name}); - this.dialogs.confirm(title, content, + const safeContent = this.sanitizer.sanitize(SecurityContext.HTML, content); + this.dialogs.confirm(title, safeContent, this.translate.instant('action.no'), this.translate.instant('action.yes'), true).subscribe( (res) => {
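Review bot: `sanitizer.sanitize(SecurityContext.HTML, content)` strips script-capable markup, but Angular's HTML sanitizer keeps harmless elements, so an `action.name` containing formatting or link tags would still be rendered as markup in the delete confirmation (assuming the dialog binds `content` as HTML, which this fix implies). Because the name is meant to be displayed as plain text, HTML-escaping `action.name` before it goes into the `actionName` translation parameter would close that gap, with the `sanitize` call kept as a second layer. `sanitize()` is typed `string | null`, so `this.dialogs.confirm(title, safeContent ?? '',` avoids handing `null` to the dialog. A short comment such as `// action.name is user-controlled and the dialog renders this text as HTML` above the new line would record why the call is there; the enclosing method begins and ends outside this hunk.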