Merge pull request #14050 from dashevchenko/noXssEnhancement2

NoXss validation enhancements

common/data/src/main/java/org/thingsboard/server/common/data/mobile/bundle/MobileAppBundle.java

@@ -30,6 +30,7 @@ import org.thingsboard.server.common.data.id.MobileAppId;
 import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.mobile.layout.MobileLayoutConfig;
 import org.thingsboard.server.common.data.validation.Length;
+import org.thingsboard.server.common.data.validation.NoXss;
 
 @EqualsAndHashCode(callSuper = true)
 @Data
@@ -40,9 +41,11 @@ public class MobileAppBundle extends BaseData<MobileAppBundleId> implements HasT
     private TenantId tenantId;
     @Schema(description = "Application bundle title. Cannot be empty", requiredMode = Schema.RequiredMode.REQUIRED)
     @NotBlank
+    @NoXss
     @Length(fieldName = "title")
     private String title;
     @Schema(description = "Application bundle description.")
+    @NoXss
     @Length(fieldName = "description")
     private String description;
     @Schema(description = "Android application id")

common/data/src/main/java/org/thingsboard/server/common/data/notification/rule/NotificationRule.java

@@ -62,6 +62,7 @@ public class NotificationRule extends BaseData<NotificationRuleId> implements Ha
     @Valid
     private NotificationRuleRecipientsConfig recipientsConfig;
 
+    @Valid
     private NotificationRuleConfig additionalConfig;
 
     private NotificationRuleId externalId;

common/data/src/main/java/org/thingsboard/server/common/data/notification/rule/NotificationRuleConfig.java

@@ -16,12 +16,14 @@
 package org.thingsboard.server.common.data.notification.rule;
 
 import lombok.Data;
+import org.thingsboard.server.common.data.validation.NoXss;
 
 import java.io.Serializable;
 
 @Data
 public class NotificationRuleConfig implements Serializable {
 
+    @NoXss
     private String description;
 
 }

ui-ngx/src/app/modules/home/components/widget/action/manage-widget-actions.component.ts

@@ -24,6 +24,7 @@ import {
   NgZone,
   OnDestroy,
   OnInit,
+  SecurityContext,
   ViewChild
 } from '@angular/core';
 import { ControlValueAccessor, NG_VALUE_ACCESSOR } from '@angular/forms';
@@ -53,6 +54,7 @@ import {
 import { deepClone } from '@core/utils';
 import { hidePageSizePixelValue } from '@shared/models/constants';
 import { CdkDragDrop, moveItemInArray } from '@angular/cdk/drag-drop';
+import { DomSanitizer } from '@angular/platform-browser';
 
 @Component({
   selector: 'tb-manage-widget-actions',
@@ -106,7 +108,8 @@ export class ManageWidgetActionsComponent extends PageComponent implements OnIni
               private dialogs: DialogService,
               private cd: ChangeDetectorRef,
               private elementRef: ElementRef,
-              private zone: NgZone) {
+              private zone: NgZone,
+              private sanitizer: DomSanitizer) {
     super();
     const sortOrder: SortOrder = { property: 'actionSourceName', direction: Direction.ASC };
     this.pageLink = new PageLink(10, 0, null, sortOrder);
@@ -289,7 +292,8 @@ export class ManageWidgetActionsComponent extends PageComponent implements OnIni
     }
     const title = this.translate.instant('widget-config.delete-action-title');
     const content = this.translate.instant('widget-config.delete-action-text', {actionName: action.name});
-    this.dialogs.confirm(title, content,
+    const safeContent = this.sanitizer.sanitize(SecurityContext.HTML, content);
+    this.dialogs.confirm(title, safeContent,
       this.translate.instant('action.no'),
       this.translate.instant('action.yes'), true).subscribe(
       (res) => {