
Commit 1a933c9

refactor(@angular/build): improve HTML Code Sanitization in Manifest
See: https://github.com/angular/angular-cli/security/code-scanning/74
1 parent 1d70e3b commit 1a933c9


1 file changed

+32
-1
lines changed

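--- a/packages/angular/build/src/utils/server-rendering/manifest.ts
+++ b/packages/angular/build/src/utils/server-rendering/manifest.ts
@@ -20,6 +20,35 @@ export const SERVER_APP_ENGINE_MANIFEST_FILENAME = 'angular-app-engine-manifest.
 
 const MAIN_SERVER_OUTPUT_FILENAME = 'main.server.mjs';
 
+/**
+* A mapping of unsafe characters to their escaped Unicode equivalents.
+*/
+const UNSAFE_CHAR_MAP: Record<string, string> = {
+'<': '\\u003C',
+'>': '\\u003E',
+'/': '\\u002F',
+'\\': '\\\\',
+'\b': '\\b',
+'\f': '\\f',
+'\n': '\\n',
+'\r': '\\r',
+'\t': '\\t',
+'\0': '\\0',
+'\u2028': '\\u2028',
+'\u2029': '\\u2029',
+};
+
+/**
+* Escapes unsafe characters in a given string by replacing them with
+* their Unicode escape sequences.
+*
+* @param str - The string to be escaped.
+* @returns The escaped string where unsafe characters are replaced.
+*/
+function escapeUnsafeChars(str: string): string {
+return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, (c) => UNSAFE_CHAR_MAP[c]);
+}
+
 /**
 * Generates the server manifest for the App Engine environment.
 *
@@ -120,7 +149,9 @@ export function generateAngularServerAppManifest(
 file.path === INDEX_HTML_CSR ||
 (inlineCriticalCss && file.path.endsWith('.css'))
 ) {
-serverAssetsContent.push(`['${file.path}', async () => ${JSON.stringify(file.text)}]`);
+serverAssetsContent.push(
+`['${file.path}', async () => ${escapeUnsafeChars(JSON.stringify(file.text))}]`,
+);
 }
 }
 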
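Review bot: UNSAFE_CHAR_MAP and the regex in escapeUnsafeChars (first hunk) disagree: the map carries entries for `/` and `\\` that the character class `/[<>\b\f\n\r\t\0\u2028\u2029]/g` never matches, so they are dead, and adding `\\` to the class would actually corrupt the input, which is already JSON.stringify output with its backslashes escaped. Either drop the two unused entries or derive the regex from the map's keys so the two cannot drift, and make the callback total in case `noUncheckedIndexedAccess` is enabled, e.g. `(c) => UNSAFE_CHAR_MAP[c] ?? c`. In the second hunk `file.path` is still interpolated unescaped into the single-quoted literal `'${file.path}'`, so a path containing `'` or `\` would break the generated manifest; `${JSON.stringify(file.path)}` would be the consistent form, assuming the manifest is emitted as JavaScript source as the surrounding template suggests. The body of generateAngularServerAppManifest starts and ends outside the hunk.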
