Merged in task/dspace-cris-2023_02_x/DSC-2609 (pull request DSpace#3894)

[DSC-2609] sanitize schema for structured data

Approved-by: Giuseppe Digilio

Author: FrancescoMolinaro

src/app/core/metadata/schema-json-ld/schema-json-ld.service.ts

@@ -1,17 +1,21 @@
 import { Inject, Injectable } from '@angular/core';
 import { DOCUMENT } from '@angular/common';
+import { DomSanitizer } from '@angular/platform-browser';
 
 import { Item } from '../../shared/item.model';
 import { getSchemaJsonLDProviderByEntity, getSchemaJsonLDProviderByType } from './schema-types/schema-type-decorator';
 import { GenericConstructor } from '../../shared/generic-constructor';
 import { SchemaType } from './schema-types/schema-type';
 import { isEmpty, isNotEmpty } from '../../../shared/empty.util';
 
-@Injectable()
+@Injectable({ providedIn: 'root' })
 export class SchemaJsonLDService {
   static scriptType = 'application/ld+json';
 
-  constructor(@Inject(DOCUMENT) private _document: Document) {}
+  constructor(
+    @Inject(DOCUMENT) private _document: Document,
+    protected sanitizer: DomSanitizer,
+  ) {}
 
   removeStructuredData(): void {
     const els = [];
@@ -57,7 +61,7 @@ export class SchemaJsonLDService {
     }
 
     if (isNotEmpty(constructor)) {
-      const provider: SchemaType = new constructor();
+      const provider: SchemaType = new constructor(this.sanitizer);
       return provider.getSchema(item);
     } else {
       return null;

src/app/core/metadata/schema-json-ld/schema-types/schema-type.ts

@@ -1,9 +1,13 @@
+import { SecurityContext } from '@angular/core';
+import { DomSanitizer } from '@angular/platform-browser';
 import isObject from 'lodash/isObject';
 
 import { Item } from '../../../shared/item.model';
 import { isNotEmpty } from '../../../../shared/empty.util';
 
 export abstract class SchemaType {
+  constructor(protected sanitizer: DomSanitizer) {}
+
   protected abstract createSchema(item: Item): Record<string, any>;
   protected abstract createSchema(item: Item): Record<string, any>;
 
@@ -31,7 +35,36 @@ export abstract class SchemaType {
     }
   }
 
+  protected sanitizeSchema(obj: any):  Record<string, any> {
+    if (Array.isArray(obj)) {
+      return obj.map(v =>
+        typeof v === 'string'
+          ? this.sanitizer.sanitize(SecurityContext.HTML, v)
+          : this.sanitizeSchema(v),
+      );
+    }
+
+    if (typeof obj === 'object' && obj !== null) {
+      const sanitized: Record<string, any> = {};
+      for (const key in obj) {
+        if (obj.hasOwnProperty(key)) {
+          const value = obj[key];
+          sanitized[key] =
+            typeof value === 'string'
+              ? this.sanitizer.sanitize(SecurityContext.HTML, value)
+              : this.sanitizeSchema(value);
+        }
+      }
+      return sanitized;
+    }
+
+    return obj;
+  }
+
+
   getSchema(item: Item): Record<string, any> {
     return SchemaType.removeEmpty(this.createSchema(item));
+    const sanitizedRaw = this.sanitizeSchema(this.createSchema(item));
+    return SchemaType.removeEmpty(sanitizedRaw);
   }
 }