[Port dspace-8_x] Escape html tags in innerHTML #4737 (#4882)

* Refactored code to pass down whether they are injected in the code through an innerHTML attribute or not to properly escape them

* 134319: Renamed injectedAsHTML to escapeHTML

* 134380: added escapeMetadataHTML as an input on ThemedItemDetailPreviewFieldComponent

* 134380: fixed abstract and date field not being escaped

* 134380: reverted unrelated change

---------

Co-authored-by: Alexandre Vryghem <[email protected]>

Author: bram-maegerman

src/app/collection-page/collection-item-mapper/collection-item-mapper.component.ts

@@ -161,7 +161,7 @@ export class CollectionItemMapperComponent implements OnInit {
 
     this.collectionName$ = this.collectionRD$.pipe(
       map((rd: RemoteData<Collection>) => {
-        return this.dsoNameService.getName(rd.payload);
+        return this.dsoNameService.getName(rd.payload, true);
       }),
     );
     this.searchOptions$ = this.searchConfigService.paginatedSearchOptions;

src/app/core/breadcrumbs/dso-name.service.spec.ts

@@ -78,7 +78,7 @@ describe(`DSONameService`, () => {
 
       const result = service.getName(mockPerson);
 
-      expect((service as any).factories.Person).toHaveBeenCalledWith(mockPerson);
+      expect((service as any).factories.Person).toHaveBeenCalledWith(mockPerson, undefined);
       expect(result).toBe('Bingo!');
     });
 
@@ -87,7 +87,7 @@ describe(`DSONameService`, () => {
 
       const result = service.getName(mockOrgUnit);
 
-      expect((service as any).factories.OrgUnit).toHaveBeenCalledWith(mockOrgUnit);
+      expect((service as any).factories.OrgUnit).toHaveBeenCalledWith(mockOrgUnit, undefined);
       expect(result).toBe('Bingo!');
     });
 
@@ -96,7 +96,7 @@ describe(`DSONameService`, () => {
 
       const result = service.getName(mockEPerson);
 
-      expect((service as any).factories.EPerson).toHaveBeenCalledWith(mockEPerson);
+      expect((service as any).factories.EPerson).toHaveBeenCalledWith(mockEPerson, undefined);
       expect(result).toBe('Bingo!');
     });
 
@@ -105,7 +105,7 @@ describe(`DSONameService`, () => {
 
       const result = service.getName(mockDSO);
 
-      expect((service as any).factories.Default).toHaveBeenCalledWith(mockDSO);
+      expect((service as any).factories.Default).toHaveBeenCalledWith(mockDSO, undefined);
       expect(result).toBe('Bingo!');
     });
   });
@@ -119,9 +119,9 @@ describe(`DSONameService`, () => {
       it(`should return 'person.familyName, person.givenName'`, () => {
         const result = (service as any).factories.Person(mockPerson);
         expect(result).toBe(mockPersonName);
-        expect(mockPerson.firstMetadataValue).toHaveBeenCalledWith('person.familyName');
-        expect(mockPerson.firstMetadataValue).toHaveBeenCalledWith('person.givenName');
-        expect(mockPerson.firstMetadataValue).not.toHaveBeenCalledWith('dc.title');
+        expect(mockPerson.firstMetadataValue).toHaveBeenCalledWith('person.familyName', undefined, undefined);
+        expect(mockPerson.firstMetadataValue).toHaveBeenCalledWith('person.givenName', undefined, undefined);
+        expect(mockPerson.firstMetadataValue).not.toHaveBeenCalledWith('dc.title', undefined, undefined);
       });
     });
 
@@ -133,9 +133,9 @@ describe(`DSONameService`, () => {
       it(`should return dc.title`, () => {
         const result = (service as any).factories.Person(mockPerson);
         expect(result).toBe(mockPersonName);
-        expect(mockPerson.firstMetadataValue).toHaveBeenCalledWith('person.familyName');
-        expect(mockPerson.firstMetadataValue).toHaveBeenCalledWith('person.givenName');
-        expect(mockPerson.firstMetadataValue).toHaveBeenCalledWith('dc.title');
+        expect(mockPerson.firstMetadataValue).toHaveBeenCalledWith('person.familyName', undefined, undefined);
+        expect(mockPerson.firstMetadataValue).toHaveBeenCalledWith('person.givenName', undefined, undefined);
+        expect(mockPerson.firstMetadataValue).toHaveBeenCalledWith('dc.title', undefined, undefined);
       });
     });
   });
@@ -149,8 +149,8 @@ describe(`DSONameService`, () => {
       it(`should return 'eperson.firstname' and 'eperson.lastname'`, () => {
         const result = (service as any).factories.EPerson(mockEPerson);
         expect(result).toBe(mockEPersonName);
-        expect(mockEPerson.firstMetadataValue).toHaveBeenCalledWith('eperson.firstname');
-        expect(mockEPerson.firstMetadataValue).toHaveBeenCalledWith('eperson.lastname');
+        expect(mockEPerson.firstMetadataValue).toHaveBeenCalledWith('eperson.firstname', undefined, undefined);
+        expect(mockEPerson.firstMetadataValue).toHaveBeenCalledWith('eperson.lastname', undefined, undefined);
       });
     });
 
@@ -162,8 +162,8 @@ describe(`DSONameService`, () => {
       it(`should return 'eperson.firstname'`, () => {
         const result = (service as any).factories.EPerson(mockEPersonFirst);
         expect(result).toBe(mockEPersonNameFirst);
-        expect(mockEPersonFirst.firstMetadataValue).toHaveBeenCalledWith('eperson.firstname');
-        expect(mockEPersonFirst.firstMetadataValue).toHaveBeenCalledWith('eperson.lastname');
+        expect(mockEPersonFirst.firstMetadataValue).toHaveBeenCalledWith('eperson.firstname', undefined, undefined);
+        expect(mockEPersonFirst.firstMetadataValue).toHaveBeenCalledWith('eperson.lastname', undefined, undefined);
       });
     });
   });
@@ -177,7 +177,7 @@ describe(`DSONameService`, () => {
     it(`should return 'organization.legalName'`, () => {
       const result = (service as any).factories.OrgUnit(mockOrgUnit);
       expect(result).toBe(mockOrgUnitName);
-      expect(mockOrgUnit.firstMetadataValue).toHaveBeenCalledWith('organization.legalName');
+      expect(mockOrgUnit.firstMetadataValue).toHaveBeenCalledWith('organization.legalName', undefined, undefined);
     });
   });
 
@@ -189,7 +189,7 @@ describe(`DSONameService`, () => {
     it(`should return 'dc.title'`, () => {
       const result = (service as any).factories.Default(mockDSO);
       expect(result).toBe(mockDSOName);
-      expect(mockDSO.firstMetadataValue).toHaveBeenCalledWith('dc.title');
+      expect(mockDSO.firstMetadataValue).toHaveBeenCalledWith('dc.title', undefined, undefined);
     });
   });
 });

src/app/core/breadcrumbs/dso-name.service.ts

@@ -31,9 +31,9 @@ export class DSONameService {
    * With only two exceptions those solutions seem overkill for now.
    */
   private readonly factories = {
-    EPerson: (dso: DSpaceObject): string => {
-      const firstName = dso.firstMetadataValue('eperson.firstname');
-      const lastName = dso.firstMetadataValue('eperson.lastname');
+    EPerson: (dso: DSpaceObject, escapeHTML?: boolean): string => {
+      const firstName = dso.firstMetadataValue('eperson.firstname', undefined, escapeHTML);
+      const lastName = dso.firstMetadataValue('eperson.lastname', undefined, escapeHTML);
       if (isEmpty(firstName) && isEmpty(lastName)) {
         return this.translateService.instant('dso.name.unnamed');
       } else if (isEmpty(firstName) || isEmpty(lastName)) {
@@ -42,32 +42,33 @@ export class DSONameService {
         return `${firstName} ${lastName}`;
       }
     },
-    Person: (dso: DSpaceObject): string => {
-      const familyName = dso.firstMetadataValue('person.familyName');
-      const givenName = dso.firstMetadataValue('person.givenName');
+    Person: (dso: DSpaceObject, escapeHTML?: boolean): string => {
+      const familyName = dso.firstMetadataValue('person.familyName', undefined, escapeHTML);
+      const givenName = dso.firstMetadataValue('person.givenName', undefined, escapeHTML);
       if (isEmpty(familyName) && isEmpty(givenName)) {
-        return dso.firstMetadataValue('dc.title') || this.translateService.instant('dso.name.unnamed');
+        return dso.firstMetadataValue('dc.title', undefined, escapeHTML) || this.translateService.instant('dso.name.unnamed');
       } else if (isEmpty(familyName) || isEmpty(givenName)) {
         return familyName || givenName;
       } else {
         return `${familyName}, ${givenName}`;
       }
     },
-    OrgUnit: (dso: DSpaceObject): string => {
-      return dso.firstMetadataValue('organization.legalName') || this.translateService.instant('dso.name.untitled');
+    OrgUnit: (dso: DSpaceObject, escapeHTML?: boolean): string => {
+      return dso.firstMetadataValue('organization.legalName', undefined, escapeHTML);
     },
-    Default: (dso: DSpaceObject): string => {
+    Default: (dso: DSpaceObject, escapeHTML?: boolean): string => {
       // If object doesn't have dc.title metadata use name property
-      return dso.firstMetadataValue('dc.title') || dso.name || this.translateService.instant('dso.name.untitled');
+      return dso.firstMetadataValue('dc.title', undefined, escapeHTML) || dso.name || this.translateService.instant('dso.name.untitled');
     },
   };
 
   /**
    * Get the name for the given {@link DSpaceObject}
    *
    * @param dso  The {@link DSpaceObject} you want a name for
+   * @param escapeHTML Whether the HTML is used inside a `[innerHTML]` attribute
    */
-  getName(dso: DSpaceObject | undefined): string {
+  getName(dso: DSpaceObject | undefined, escapeHTML?: boolean): string {
     if (dso) {
       const types = dso.getRenderTypes();
       const match = types
@@ -76,10 +77,10 @@ export class DSONameService {
 
       let name;
       if (hasValue(match)) {
-        name = this.factories[match](dso);
+        name = this.factories[match](dso, escapeHTML);
       }
       if (isEmpty(name)) {
-        name = this.factories.Default(dso);
+        name = this.factories.Default(dso, escapeHTML);
       }
       return name;
     } else {
@@ -92,27 +93,28 @@ export class DSONameService {
    *
    * @param object
    * @param dso
+   * @param escapeHTML Whether the HTML is used inside a `[innerHTML]` attribute
    *
    * @returns {string} html embedded hit highlight.
    */
-  getHitHighlights(object: any, dso: DSpaceObject): string {
+  getHitHighlights(object: any, dso: DSpaceObject, escapeHTML?: boolean): string {
     const types = dso.getRenderTypes();
     const entityType = types
       .filter((type) => typeof type === 'string')
       .find((type: string) => (['Person', 'OrgUnit']).includes(type)) as string;
     if (entityType === 'Person') {
-      const familyName = this.firstMetadataValue(object, dso, 'person.familyName');
-      const givenName = this.firstMetadataValue(object, dso, 'person.givenName');
+      const familyName = this.firstMetadataValue(object, dso, 'person.familyName', escapeHTML);
+      const givenName = this.firstMetadataValue(object, dso, 'person.givenName', escapeHTML);
       if (isEmpty(familyName) && isEmpty(givenName)) {
-        return this.firstMetadataValue(object, dso, 'dc.title') || dso.name;
+        return this.firstMetadataValue(object, dso, 'dc.title', escapeHTML) || dso.name;
       } else if (isEmpty(familyName) || isEmpty(givenName)) {
         return familyName || givenName;
       }
       return `${familyName}, ${givenName}`;
     } else if (entityType === 'OrgUnit') {
-      return this.firstMetadataValue(object, dso, 'organization.legalName') || this.translateService.instant('dso.name.untitled');
+      return this.firstMetadataValue(object, dso, 'organization.legalName', escapeHTML);
     }
-    return this.firstMetadataValue(object, dso, 'dc.title') || dso.name || this.translateService.instant('dso.name.untitled');
+    return this.firstMetadataValue(object, dso, 'dc.title', escapeHTML) || dso.name || this.translateService.instant('dso.name.untitled');
   }
 
   /**
@@ -121,11 +123,12 @@ export class DSONameService {
    * @param object
    * @param dso
    * @param {string|string[]} keyOrKeys The metadata key(s) in scope. Wildcards are supported; see [[Metadata]].
+   * @param escapeHTML Whether the HTML is used inside a `[innerHTML]` attribute
    *
    * @returns {string} the first matching string value, or `undefined`.
    */
-  firstMetadataValue(object: any, dso: DSpaceObject, keyOrKeys: string | string[]): string {
-    return Metadata.firstValue([object.hitHighlights, dso.metadata], keyOrKeys);
+  firstMetadataValue(object: any, dso: DSpaceObject, keyOrKeys: string | string[], escapeHTML?: boolean): string {
+    return Metadata.firstValue(dso.metadata, keyOrKeys, object.hitHighlights, undefined, escapeHTML);
   }
 
 }

src/app/core/shared/dspace-object.model.ts

@@ -118,60 +118,64 @@ export class DSpaceObject extends ListableObject implements CacheableObject {
    * Gets all matching metadata in this DSpaceObject.
    *
    * @param {string|string[]} keyOrKeys The metadata key(s) in scope. Wildcards are supported; see [[Metadata]].
-   * @param {MetadataValueFilter} filter The value filter to use. If unspecified, no filtering will be done.
+   * @param {MetadataValueFilter} valueFilter The value filter to use. If unspecified, no filtering will be done.
+   * @param escapeHTML Whether the HTML is used inside a `[innerHTML]` attribute
    * @returns {MetadataValue[]} the matching values or an empty array.
    */
-  allMetadata(keyOrKeys: string | string[], valueFilter?: MetadataValueFilter): MetadataValue[] {
-    return Metadata.all(this.metadata, keyOrKeys, valueFilter);
+  allMetadata(keyOrKeys: string | string[], valueFilter?: MetadataValueFilter, escapeHTML?: boolean): MetadataValue[] {
+    return Metadata.all(this.metadata, keyOrKeys, undefined, valueFilter, escapeHTML);
   }
 
   /**
    * Like [[allMetadata]], but only returns string values.
    *
    * @param {string|string[]} keyOrKeys The metadata key(s) in scope. Wildcards are supported; see [[Metadata]].
-   * @param {MetadataValueFilter} filter The value filter to use. If unspecified, no filtering will be done.
+   * @param {MetadataValueFilter} valueFilter The value filter to use. If unspecified, no filtering will be done.
+   * @param escapeHTML Whether the HTML is used inside a `[innerHTML]` attribute
    * @returns {string[]} the matching string values or an empty array.
    */
-  allMetadataValues(keyOrKeys: string | string[], valueFilter?: MetadataValueFilter): string[] {
-    return Metadata.allValues(this.metadata, keyOrKeys, valueFilter);
+  allMetadataValues(keyOrKeys: string | string[], valueFilter?: MetadataValueFilter, escapeHTML?: boolean): string[] {
+    return Metadata.allValues(this.metadata, keyOrKeys, undefined, valueFilter, escapeHTML);
   }
 
   /**
    * Gets the first matching MetadataValue object in this DSpaceObject, or `undefined`.
    *
    * @param {string|string[]} keyOrKeys The metadata key(s) in scope. Wildcards are supported; see [[Metadata]].
-   * @param {MetadataValueFilter} filter The value filter to use. If unspecified, no filtering will be done.
+   * @param {MetadataValueFilter} valueFilter The value filter to use. If unspecified, no filtering will be done.
+   * @param escapeHTML Whether the HTML is used inside a `[innerHTML]` attribute
    * @returns {MetadataValue} the first matching value, or `undefined`.
    */
-  firstMetadata(keyOrKeys: string | string[], valueFilter?: MetadataValueFilter): MetadataValue {
-    return Metadata.first(this.metadata, keyOrKeys, valueFilter);
+  firstMetadata(keyOrKeys: string | string[], valueFilter?: MetadataValueFilter, escapeHTML?: boolean): MetadataValue {
+    return Metadata.first(this.metadata, keyOrKeys, undefined, valueFilter, escapeHTML);
   }
 
   /**
    * Like [[firstMetadata]], but only returns a string value, or `undefined`.
    *
    * @param {string|string[]} keyOrKeys The metadata key(s) in scope. Wildcards are supported; see [[Metadata]].
    * @param {MetadataValueFilter} valueFilter The value filter to use. If unspecified, no filtering will be done.
+   * @param escapeHTML Whether the HTML is used inside a `[innerHTML]` attribute
    * @returns {string} the first matching string value, or `undefined`.
    */
-  firstMetadataValue(keyOrKeys: string | string[], valueFilter?: MetadataValueFilter): string {
-    return Metadata.firstValue(this.metadata, keyOrKeys, valueFilter);
+  firstMetadataValue(keyOrKeys: string | string[], valueFilter?: MetadataValueFilter, escapeHTML?: boolean): string {
+    return Metadata.firstValue(this.metadata, keyOrKeys, undefined, valueFilter, escapeHTML);
   }
 
   /**
    * Checks for a matching metadata value in this DSpaceObject.
    *
    * @param {string|string[]} keyOrKeys The metadata key(s) in scope. Wildcards are supported; see [[Metadata]].
-   * @param {MetadataValueFilter} filter The value filter to use. If unspecified, no filtering will be done.
+   * @param {MetadataValueFilter} valueFilter The value filter to use. If unspecified, no filtering will be done.
    * @returns {boolean} whether a match is found.
    */
   hasMetadata(keyOrKeys: string | string[], valueFilter?: MetadataValueFilter): boolean {
-    return Metadata.has(this.metadata, keyOrKeys, valueFilter);
+    return Metadata.has(this.metadata, keyOrKeys, undefined, valueFilter);
   }
 
   /**
    * Find metadata on a specific field and order all of them using their "place" property.
-   * @param key
+   * @param keyOrKeys The metadata key(s) in scope. Wildcards are supported; see [[Metadata]].
    */
   findMetadataSortedByPlace(keyOrKeys: string | string[]): MetadataValue[] {
     return this.allMetadata(keyOrKeys).sort((a: MetadataValue, b: MetadataValue) => {