avoid bad url forging when contact logo from existing org

cmangeat · cmangeat · commit 90404946e7b7 · 2025-10-15T12:58:33.000+02:00
have to use ng-attr-xlink:href or ng-attr-href so to allow expression evalution in angular template for xlink:href.
if 'link' test for '../api/logos', have to href '../api/logos', not '../../images/harvesting'.
diff --git a/web-ui/src/main/resources/catalog/components/utility/UtilityDirective.js b/web-ui/src/main/resources/catalog/components/utility/UtilityDirective.js
@@ -1561,10 +1561,10 @@
           '             viewBox="0 0 500 500">' +
           "    <defs>" +
           '      <pattern id="image{{imageId}}" x="0" y="0" patternUnits="userSpaceOnUse" height="100%" width="100%">' +
-          '        <image ng-if="hasIcon" x="0" y="0" height="100%" width="100%" xlink:href="{{\'../../images/harvesting/\' + orgKey + \'.png\'}}"></image>' +
+          '        <image ng-if="hasIcon" x="0" y="0" height="100%" width="100%" ng-attr-href="{{\'../api/logos/\' + orgKey + \'.png\'}}"  ng-attr-xlink:href="{{\'../api/logos/\' + orgKey + \'.png\'}}"></image>' +
           "      </pattern>" +
           "    </defs>" +
-          '    <circle fill="url(\'#image{{imageId}}\')" style="stroke-miterlimit:10;" cx="250" cy="250" r="240"/>' +
+          '    <circle fill="url(#image{{imageId}})" style="stroke-miterlimit:10;" cx="250" cy="250" r="240"/>' +
           '    <text x="50%" y="50%"' +
           '          text-anchor="middle" alignment-baseline="central" dominant-baseline="central"' +
           "          font-size=\"300\">{{hasIcon ? '' : org.substr(0, 1).toUpperCase()}}</text>" +
