Revert "fix: fix unsanitized untrusted input v2" (#20129)

Author: rmch91

Diff for: feature-libs/product-configurator/package.json

@@ -29,7 +29,6 @@
     "@angular/common": "^19.1.8",
     "@angular/core": "^19.1.8",
     "@angular/forms": "^19.1.8",
-    "@angular/platform-browser": "^19.1.8",
     "@angular/router": "^19.1.8",
     "@ng-select/ng-select": "^14.1.0",
     "@ngrx/effects": "^19.0.1",

Diff for: feature-libs/product-configurator/rulebased/components/attribute/types/numeric-input-field/configurator-attribute-numeric-input-field.component.service.ts

@@ -208,12 +208,12 @@ export class ConfiguratorAttributeNumericInputFieldService {
     interval.maxValueIncluded = true;
     if (minVal.includes('>')) {
       interval.minValueIncluded = false;
-      minVal = minVal.replace(/>/g, '');
+      minVal = minVal.replace('>', '');
     }
 
     if (maxVal.includes('<')) {
       interval.maxValueIncluded = false;
-      maxVal = maxVal.replace(/</g, '');
+      maxVal = maxVal.replace('<', '');
     }
     return { minVal, maxVal };
   }

Diff for: feature-libs/product-configurator/rulebased/components/show-more/configurator-show-more.component.spec.ts

@@ -3,22 +3,16 @@ import { ComponentFixture, TestBed, waitForAsync } from '@angular/core/testing';
 import { I18nTestingModule } from '@spartacus/core';
 import { CommonConfiguratorTestUtilsService } from '../../../common/testing/common-configurator-test-utils.service';
 import { ConfiguratorShowMoreComponent } from './configurator-show-more.component';
-import { DomSanitizer } from '@angular/platform-browser';
 
 describe('ConfiguratorShowMoreComponent', () => {
   let component: ConfiguratorShowMoreComponent;
   let fixture: ComponentFixture<ConfiguratorShowMoreComponent>;
   let htmlElem: HTMLElement;
-  let sanitizerSpy: jasmine.SpyObj<DomSanitizer>;
 
   beforeEach(waitForAsync(() => {
-    sanitizerSpy = jasmine.createSpyObj<DomSanitizer>('DomSanitizer', [
-      'bypassSecurityTrustHtml',
-    ]);
     TestBed.configureTestingModule({
       imports: [I18nTestingModule],
       declarations: [ConfiguratorShowMoreComponent],
-      providers: [{ provide: DomSanitizer, useValue: sanitizerSpy }],
     })
       .overrideComponent(ConfiguratorShowMoreComponent, {
         set: {
@@ -41,59 +35,79 @@ describe('ConfiguratorShowMoreComponent', () => {
     expect(component).toBeTruthy();
   });
 
-  it('should render component', async () => {
+  it('should render component', () => {
     fixture.detectChanges();
-    await fixture.whenStable();
     CommonConfiguratorTestUtilsService.expectElementPresent(
       expect,
       htmlElem,
       'span'
     );
-  });
-
-  it('should remove HTML tags from input text', () => {
-    sanitizerSpy.bypassSecurityTrustHtml.and.returnValue(
-      'Sanitized Text' as any
-    ); // Fake SafeHtml
-    const result = component.normalize('<b>Sanitized Text</b>');
-    expect(sanitizerSpy.bypassSecurityTrustHtml).toHaveBeenCalledWith(
-      '<b>Sanitized Text</b>'
+    CommonConfiguratorTestUtilsService.expectElementPresent(
+      expect,
+      htmlElem,
+      'button'
     );
-    expect(result).toEqual('Sanitized Text');
   });
 
-  it('should return an empty string when input is null', () => {
-    sanitizerSpy.bypassSecurityTrustHtml.and.returnValue(null);
-    const result = component.normalize(null as unknown as string);
-    expect(result).toEqual('');
+  it('should set showMore after view init', () => {
+    component.ngAfterViewInit();
+    fixture.detectChanges();
+    expect(component.showMore).toBe(true);
+    expect(component.textToShow).toBe(component.text.substring(0, 60));
   });
 
-  it('should return an empty string when input is undefined', () => {
-    sanitizerSpy.bypassSecurityTrustHtml.and.returnValue(undefined);
-    const result = component.normalize(undefined as unknown as string);
-    expect(result).toEqual('');
-  });
+  it('should not set showMore after view init', () => {
+    component.text = 'short text';
 
-  it('should return the same text if there are no HTML elements', () => {
-    sanitizerSpy.bypassSecurityTrustHtml.and.returnValue('Plain Text' as any);
-    const result = component.normalize('Plain Text');
-    expect(result).toEqual('Plain Text');
+    component.ngAfterViewInit();
+    fixture.detectChanges();
+    CommonConfiguratorTestUtilsService.expectElementNotPresent(
+      expect,
+      htmlElem,
+      'button'
+    );
+    expect(component.showMore).toBe(false);
+    expect(component.textToShow).toBe(component.text);
   });
 
-  it('should remove script tags to prevent XSS', () => {
-    sanitizerSpy.bypassSecurityTrustHtml.and.returnValue('Safe Content' as any);
-    const result = component.normalize(
-      '<script>alert("XSS")</script>Safe Content'
-    );
-    expect(result).toEqual('Safe Content');
+  it('should set showHiddenText after toggleShowMore action', () => {
+    fixture.detectChanges();
+    component.ngAfterViewInit();
+    component.toggleShowMore();
+    fixture.detectChanges();
+    expect(component.showHiddenText).toBe(true);
+    expect(component.textToShow).toBe(component.text);
   });
 
-  it('should handle special characters properly', () => {
-    sanitizerSpy.bypassSecurityTrustHtml.and.returnValue(
-      'Text & Special Chars ©' as any
-    );
-    const result = component.normalize('Text & Special Chars ©');
-    expect(result).toEqual('Text & Special Chars ©');
+  describe('Sanitization of suspicious input', () => {
+    const suspiciousTextWithFormatting =
+      '<h1>Digital camera</h1> is a great product <p> <script';
+    const suspiciousTextWithoutFormatting =
+      'Digital camera is a great product  <script';
+    const sanitizedText = 'Digital camera is a great product';
+
+    it('does not happen through method normalize because that is meant for removing HTML tags for better readibility', () => {
+      component.text = suspiciousTextWithFormatting;
+      component.ngAfterViewInit();
+      fixture.detectChanges();
+      expect(component.textNormalized).toBe(suspiciousTextWithoutFormatting);
+      expect(component['normalize'](suspiciousTextWithFormatting)).toBe(
+        suspiciousTextWithoutFormatting
+      );
+    });
+
+    it('should happen on view', () => {
+      component.text = suspiciousTextWithFormatting;
+      component.ngAfterViewInit();
+      fixture.detectChanges();
+
+      CommonConfiguratorTestUtilsService.expectElementToContainText(
+        expect,
+        htmlElem,
+        'span',
+        sanitizedText
+      );
+    });
   });
 
   describe('Accessibility', () => {

Diff for: feature-libs/product-configurator/rulebased/components/show-more/configurator-show-more.component.ts

@@ -9,10 +9,8 @@ import {
   ChangeDetectionStrategy,
   ChangeDetectorRef,
   Component,
-  inject,
   Input,
 } from '@angular/core';
-import { DomSanitizer } from '@angular/platform-browser';
 
 @Component({
   selector: 'cx-configurator-show-more',
@@ -26,8 +24,6 @@ export class ConfiguratorShowMoreComponent implements AfterViewInit {
   textToShow: string;
   textNormalized: string;
 
-  sanitizer = inject(DomSanitizer);
-
   @Input() text: string;
   @Input() textSize = 60;
   @Input() productName: string;
@@ -57,8 +53,7 @@ export class ConfiguratorShowMoreComponent implements AfterViewInit {
     this.cdRef.detectChanges();
   }
 
-  normalize(text: string = ''): string {
-    const safeHtml = this.sanitizer.bypassSecurityTrustHtml(text);
-    return safeHtml ? safeHtml.toString().replace(/<[^>]*>/g, '') : '';
+  protected normalize(text: string = ''): string {
+    return text.replace(/<[^>]*>/g, '');
   }
 }

Diff for: projects/core/src/occ/adapters/product/converters/product-name-normalizer.spec.ts

@@ -1,7 +1,8 @@
 import { inject, TestBed } from '@angular/core/testing';
+import { Product } from '../../../../model/product.model';
 import { OccConfig } from '../../../config/occ-config';
+import { Occ } from '../../../occ-models/occ.models';
 import { ProductNameNormalizer } from './product-name-normalizer';
-import { DomSanitizer } from '@angular/platform-browser';
 
 const MockOccModuleConfig: OccConfig = {
   backend: {
@@ -17,17 +18,24 @@ const MockOccModuleConfig: OccConfig = {
 
 describe('ProductNameNormalizer', () => {
   let service: ProductNameNormalizer;
-  let sanitizerSpy: jasmine.SpyObj<DomSanitizer>;
+
+  const product: Occ.Product = {
+    name: '<div>Product1</div>',
+    code: 'testCode',
+  };
+
+  const convertedProduct: Product = {
+    name: 'Product1',
+    nameHtml: '<div>Product1</div>',
+    code: 'testCode',
+    slug: 'product1',
+  };
 
   beforeEach(() => {
-    sanitizerSpy = jasmine.createSpyObj<DomSanitizer>('DomSanitizer', [
-      'bypassSecurityTrustHtml',
-    ]);
     TestBed.configureTestingModule({
       providers: [
         ProductNameNormalizer,
         { provide: OccConfig, useValue: MockOccModuleConfig },
-        { provide: DomSanitizer, useValue: sanitizerSpy },
       ],
     });
 
@@ -41,35 +49,34 @@ describe('ProductNameNormalizer', () => {
     }
   ));
 
-  it('should sanitize the name', () => {
-    sanitizerSpy.bypassSecurityTrustHtml.and.returnValue('Sanitized Name');
-
-    const result = service.convert({
-      name: '<script>alert("XSS")</script>Product',
-    });
-
-    expect(sanitizerSpy.bypassSecurityTrustHtml).toHaveBeenCalledWith(
-      '<script>alert("XSS")</script>Product'
-    );
-    expect(result.name).toEqual('Sanitized Name');
+  it('should convert product name', () => {
+    const result = service.convert(product);
+    expect(result).toEqual(convertedProduct);
   });
 
-  it('should sanitize the name', () => {
-    sanitizerSpy.bypassSecurityTrustHtml.and.returnValue('Sanitized Name');
-
-    const result = service.convert({ name: '<b>Unsafe Name</b>' });
+  describe('slug', () => {
+    const reservedChars = ` !*'();:@&=+$,/?%#[]`;
 
-    expect(sanitizerSpy.bypassSecurityTrustHtml).toHaveBeenCalledWith(
-      '<b>Unsafe Name</b>'
-    );
-    expect(result.name).toEqual('Sanitized Name'); // Ensure sanitized name is returned
-  });
-
-  it('should handle empty names', () => {
-    sanitizerSpy.bypassSecurityTrustHtml.and.returnValue('');
+    // try all chars separately
+    reservedChars.split('').forEach((char) => {
+      it(`should replace "${char}"`, () => {
+        const result = service.convert({
+          name: `a product with ${char} included`,
+        });
+        expect(result.slug).toEqual('a-product-with-included');
+      });
+    });
 
-    const result = service.convert({ name: '' });
+    it(`should replace multiple occasions of the slug char (-)`, () => {
+      const result = service.convert({
+        name: ` a product with multiple --- symbols `,
+      });
+      expect(result.slug).toEqual('a-product-with-multiple-symbols');
+    });
 
-    expect(result.name).toEqual('');
+    it('should not alter the original name', () => {
+      const result = service.convert({ name: 'my product title' });
+      expect(result.name).toEqual('my product title');
+    });
   });
 });

Diff for: projects/core/src/occ/adapters/product/converters/product-name-normalizer.ts

@@ -4,17 +4,14 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { inject, Injectable } from '@angular/core';
+import { Injectable } from '@angular/core';
 import { Product } from '../../../../model/product.model';
 import { Converter } from '../../../../util/converter.service';
 import { OccConfig } from '../../../config/occ-config';
 import { Occ } from '../../../occ-models/occ.models';
-import { DomSanitizer } from '@angular/platform-browser';
 
 @Injectable({ providedIn: 'root' })
 export class ProductNameNormalizer implements Converter<Occ.Product, Product> {
-  sanitizer = inject(DomSanitizer);
-
   constructor(protected config: OccConfig) {}
 
   convert(source: Occ.Product, target?: Product): Product {
@@ -32,10 +29,7 @@ export class ProductNameNormalizer implements Converter<Occ.Product, Product> {
    * Sanitizes the name so that the name doesn't contain html elements.
    */
   protected normalize(name: string): string {
-    return (
-      this.sanitizer.bypassSecurityTrustHtml(name).toString() ||
-      ''.replace(/<[^>]*>/g, '')
-    );
+    return name.replace(/<[^>]*>/g, '');
   }
 
   /**

Diff for: projects/schematics/src/dependencies.json

@@ -216,7 +216,6 @@
     "@angular/common": "^19.1.8",
     "@angular/core": "^19.1.8",
     "@angular/forms": "^19.1.8",
-    "@angular/platform-browser": "^19.1.8",
     "@angular/router": "^19.1.8",
     "@ng-select/ng-select": "^14.1.0",
     "@ngrx/effects": "^19.0.1",

Diff for: scripts/i18n/convert-translations-json-2-ts.ts

@@ -145,10 +145,10 @@ function handleExistingJsonFile(
 function stringify(obj: any, indent: string = ''): string {
   if (typeof obj === 'string') {
     if (obj.includes('\n')) {
-      return '`' + obj.replace(/\\/g, '\\\\').replace(/`/g, '\\`') + '`';
+      return '`' + obj.replace(/`/g, '\\`') + '`';
     }
     if (obj.includes("'")) {
-      return `"${obj.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
+      return `"${obj.replace(/"/g, '\\"')}"`;
     }
     return `'${obj}'`;
   } else if (typeof obj !== 'object' || obj === null) {