chore: merge cds-core tools to clr-angular (WIP) #1515

Jinnie · 2024-08-09T10:46:49Z

PR Checklist

Please check if your PR fulfills the following requirements:

Tests for the changes have been added (for bug fixes / features)
Docs have been added / updated (for bug fixes / features)
If applicable, have a visual design approval

PR Type

What kind of change does this PR introduce?

What is the current behavior?

Issue Number: N/A

What is the new behavior?

Does this PR introduce a breaking change?

Yes
No

Other information

github-actions · 2024-08-09T10:47:04Z

👋 @idonchev-vmw,

😭 The build for this PR has failed
🗒 Please check the build log
🍿 In the meantime, explore it in StackBlitz
🖐 You can always follow up here. If you're a VMware employee, you can also reach us on our internal Clarity Support space

Thank you,

🤖 Clarity Release Bot

projects/angular/src/data/datagrid/datagrid-filter.spec.ts

package.json

projects/angular/src/layout/nav/nav-level.ts

Jinnie · 2024-08-13T08:26:35Z

projects/core/README.md

+
+## Quick Start Install
+
+1.  First, install the Clarity Core package from npm.


The info in this file is irrelevant now. It should either be updated, or the file deleted.

Jinnie

The content of /projects/core/build should be reviewed. Some storybook and website related tools exist, that are not relevant to the new location.

netlify · 2024-08-14T13:38:36Z

✅ Deploy Preview for clarity-date-range ready!

Name	Link
🔨 Latest commit	`8512188`
🔍 Latest deploy log	https://app.netlify.com/sites/clarity-date-range/deploys/66bcb348b8526500087923c3
😎 Deploy Preview	https://deploy-preview-1515--clarity-date-range.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

kevinbuhmann · 2024-08-14T16:12:30Z

package.json

    "@angular/platform-browser-dynamic": "15.2.2",
    "@angular/router": "15.2.2",
-    "@cds/core": "6.9.2",
+    "@cds/core": "file:dist/@cds/core",


I don't think this should be in package.json. I think it would be better to use path aliases in tsconfig.json so that you don't have to have core built before staring ng-clarity.

Another problem with this is that the cds-icon imports work in this project, but the icon component is not included in a published package. I think this needs to be restructured so that there is not a ./dist/@cds/core folder. It's not actually a dist folder anyway because it is not published. Instead, I think the styles/tokens should be in @clr/ui and the icon component should be in @clr/angular. Otherwise, there is no way for consumers of the published packages to use the things that used to be in @cds/core.

It's still one of the WIP parts. And your feedback is very valuable.
The idea is to either have a separate package (but not named @cds/core, maybe @clr/core or something else), or, as you say, move tokens to @clr/ui and the rest to @clr/angular (or a smaller core package).
The problem with moving them to the existing packages is that many of the consumable artefacts should still be built before we're able to import and use them.
As a next step we can explore the merging option, and if unsuccessful, fall back to a @clr/core or similar package.

projects/angular/src/layout/nav/nav-level.ts

projects/angular/src/utils/_mixins.scss

projects/core/build/build.tokens.ts

kevinbuhmann · 2024-08-14T16:25:41Z

package.json

    "@angular/router": "15.2.2",
-    "@cds/core": "6.9.2",
+    "@cds/core": "file:dist/@cds/core",
+    "@commitlint/cz-commitlint": "16.2.3",


This should be removed.

package.json

kevinbuhmann · 2024-08-14T16:30:59Z

projects/demo/src/styles.scss

+@import '../../../dist/@cds/core/styles/module.reset.min.css';
+@import '../../../dist/@cds/core/styles/module.tokens.min.css';
+@import '../../../dist/@cds/core/styles/module.layout.min.css';
+@import '../../../dist/@cds/core/styles/module.typography.min.css';
+@import '../../../dist/@cds/core/styles/theme.dark.min.css';


How are consumer supposed to import these files? I think we need to build these files into the @clr/ui directory so that they are included in a published package.

This will be handled once we make a choice and provide solution, as discussed in my reply to your first comment above.

For now, changing the import to be through @cds/core/styles/....., so we don't rely on direct relative paths and dist.

github-actions · 2024-09-03T13:08:12Z

This PR introduces visual changes: 57a4d47
If these changes are intended and correct, please cherry-pick the above commit to this PR.

git checkout jinnie/cds-core-to-clr
git fetch https://github.com/vmware-clarity/ng-clarity.git 57a4d47d365107e79dc9b4664c25ae9fe5d73d83
git cherry-pick 57a4d47d365107e79dc9b4664c25ae9fe5d73d83
git push

github-actions · 2024-09-04T10:38:32Z

This PR introduces visual changes: 8cb1534
If these changes are intended and correct, please cherry-pick the above commit to this PR.

git checkout jinnie/cds-core-to-clr
git fetch https://github.com/vmware-clarity/ng-clarity.git 8cb1534c782ef0b7b015c761818d31dda573bcfc
git cherry-pick 8cb1534c782ef0b7b015c761818d31dda573bcfc
git push

projects/core/src/internal/utils/string.ts

+  const interpolatedString = template.replace(/\$\{.+?\}/g, match => {
+    const path = match.substr(2, match.length - 3).trim();
+    const value = getFromObjectPath(path, dataObj, fallback);
+    return value;
+  });


projects/core/src/styles/tokens/tokens.stories.ts

+    ? sheet.cssRules[0].cssText
+        .replace(`${themeSelector} {`, '')
+        .replace('}', '')


To fix the problem, we should replace the .replace(string, replacement) calls on lines 131 and 132 with versions that use a global regular expression so that all occurrences are replaced, not just the first. Specifically: Replace .replace(${themeSelector} {, '') with .replace(new RegExp(${escapeRegExp(themeSelector)}\s*{, 'g'), '') and .replace('}', '') with .replace(/}/g, ''), using an escapeRegExp utility function to ensure that themeSelector is safely embedded in the regex. We'll need to add an escapeRegExp helper to handle user-controlled regex input properly. All fixes are confined to projects/core/src/styles/tokens/tokens.stories.ts.

projects/core/src/styles/themes/themes.stories.ts

+    document.querySelector<HTMLElement>('.scale-typography-label').innerHTML = `--cds-global-scale-typography: ${
+      dynamicTokens['--cds-global-scale-typography']
+    } (${(event.target as HTMLInputElement).value}%)`;


The proper fix is to avoid assigning any user-generated or user-modifiable data directly to .innerHTML unless it’s been carefully encoded or sanitized. Since the content being set is just a text label, .textContent should be used instead of .innerHTML. This will ensure that any special characters are treated as plain text and not interpreted as HTML, closing the XSS avenue. The same string construction can be retained, but it should be assigned to .textContent. The fix should be applied to lines 220-221, and similar assignments elsewhere (see lines 228-229, 236-237).

No imports or additional dependencies are needed for this change.

projects/core/src/styles/themes/themes.stories.ts

+    document.querySelector<HTMLElement>('.density-label').innerHTML = `--cds-global-scale-layout-space: ${
+      dynamicTokens['--cds-global-scale-layout-space']
+    } (${(event.target as HTMLInputElement).value}%)`;


To fix this DOM text reinterpreted as HTML vulnerability, the data from the input must not be inserted into the DOM using innerHTML unless it is properly escaped or, ideally, not treated as HTML at all. In this specific scenario, since the label update is purely textual and does not need HTML features, use textContent instead of innerHTML when updating the content of the .density-label element. This prevents any interpreted HTML and thus XSS, regardless of the contents of (event.target as HTMLInputElement).value.

Update document.querySelector<HTMLElement>('.density-label').innerHTML = ... to use .textContent instead. No imports or additional dependencies are needed. This change should be applied only where applicable—in this case, in the updateDensity function (lines 226-232).

projects/core/src/styles/themes/themes.stories.ts

+    document.querySelector<HTMLElement>('.scale-label').innerHTML = `--cds-global-scale-space: ${
+      dynamicTokens['--cds-global-scale-space']
+    } (${(event.target as HTMLInputElement).value}%)`;


To fix the problem, we should avoid assigning untrusted input directly to innerHTML. Instead, use textContent to safely insert user-controlled values into the DOM, thereby preventing any input from being interpreted as HTML. Here's what to do:

In all functions that currently assign to .innerHTML via interpolated strings using user input, switch assignments to .textContent instead.

Change any string formatting to build the appropriate text line (fully escaped) and set .textContent = ... on the appropriate elements ([lines 220, 228, and 236 in code shown]).

No changes to imports or external dependencies are necessary.

vmwclabot added the cla-not-required label Aug 9, 2024

kevinbuhmann assigned Jinnie Aug 12, 2024

Jinnie commented Aug 12, 2024

View reviewed changes

projects/angular/src/data/datagrid/datagrid-filter.spec.ts Outdated Show resolved Hide resolved

Jinnie commented Aug 13, 2024

View reviewed changes

package.json Show resolved Hide resolved

Jinnie commented Aug 13, 2024

View reviewed changes

projects/angular/src/layout/nav/nav-level.ts Outdated Show resolved Hide resolved

Jinnie commented Aug 13, 2024

View reviewed changes