Fix #319 - Prevent css sanitization

salesagility · Nov 10, 2023 · 41c878e · 41c878e
1 parent bfb6b70
commit 41c878e
Show file tree

Hide file tree

Showing 10 changed files with 117 additions and 19 deletions.
diff --git a/core/app/common/src/lib/record/field.model.ts b/core/app/common/src/lib/record/field.model.ts
@@ -132,6 +132,7 @@ export interface FieldMetadata {
  extraOptions?: Option[];
  onClick?: FieldClickCallback;
  tinymce?: any;
+ trustHTML?: boolean;
  date_time_format?: string;
  displayLogicResetOn?: string;
 

diff --git a/core/app/core/src/lib/fields/base-fields.manifest.ts b/core/app/core/src/lib/fields/base-fields.manifest.ts
@@ -269,6 +269,7 @@ export const baseViewFieldsMap: FieldComponentMap = {
  'bool.detail': BooleanDetailFieldComponent,
  'bool.edit': BooleanEditFieldComponent,
  'bool.filter': BooleanFilterFieldComponent,
+ 'html-native.detail': HtmlDetailFieldComponent,
  'html.detail': TinymceDetailFieldComponent,
  'html.edit': TinymceEditFieldComponent
 };
diff --git a/core/app/core/src/lib/fields/html/templates/detail/html.component.html b/core/app/core/src/lib/fields/html/templates/detail/html.component.html
@@ -1,7 +1,7 @@
 <! --
 /**
 * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
-* Copyright (C) 2021 SalesAgility Ltd.
+* Copyright (C) 2023 SalesAgility Ltd.
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Affero General Public License version 3 as published by the
@@ -25,4 +25,5 @@
 * the words "Supercharged by SuiteCRM".
 */
 -->
-<div class="field-html text-break" [innerHTML]="field.value"></div>
+<div class="field-html text-break" [innerHTML]="!field.metadata?.trustHTML? field.value : (field.value | safeHtml)"></div>
+
diff --git a/core/app/core/src/lib/fields/html/templates/detail/html.component.ts b/core/app/core/src/lib/fields/html/templates/detail/html.component.ts
@@ -1,6 +1,6 @@
 /**
  * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
- * Copyright (C) 2021 SalesAgility Ltd.
+ * Copyright (C) 2023 SalesAgility Ltd.
  *
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU Affero General Public License version 3 as published by the

diff --git a/core/app/core/src/lib/fields/html/templates/detail/html.module.ts b/core/app/core/src/lib/fields/html/templates/detail/html.module.ts
@@ -1,6 +1,6 @@
 /**
  * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
- * Copyright (C) 2021 SalesAgility Ltd.
+ * Copyright (C) 2023 SalesAgility Ltd.
  *
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU Affero General Public License version 3 as published by the
@@ -28,14 +28,16 @@ import {NgModule} from '@angular/core';
 import {CommonModule} from '@angular/common';
 import {FormsModule} from '@angular/forms';
 import {HtmlDetailFieldComponent} from './html.component';
+import { SafeHtmlModule } from '../../../../pipes/safe-html/safe-html.module'
 
 @NgModule({
  declarations: [HtmlDetailFieldComponent],
  exports: [HtmlDetailFieldComponent],
- imports: [
- CommonModule,
- FormsModule
- ]
+ imports: [
+ CommonModule,
+ FormsModule,
+ SafeHtmlModule,
+ ],
 })
 export class HtmlDetailFieldModule {
 }
diff --git a/core/app/core/src/lib/fields/tinymce/templates/detail/tinymce.component.html b/core/app/core/src/lib/fields/tinymce/templates/detail/tinymce.component.html
@@ -1,7 +1,7 @@
 <! --
 /**
 * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
-* Copyright (C) 2021 SalesAgility Ltd.
+* Copyright (C) 2023 SalesAgility Ltd.
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Affero General Public License version 3 as published by the
@@ -25,9 +25,14 @@
 * the words "Supercharged by SuiteCRM".
 */
 -->
-<editor
- class="field-html text-break"
- [initialValue]="initialValue"
- [init]="settings"
- [disabled]="true"
-></editor>
+<ng-container *ngIf="field?.metadata?.trustHTML">
+ <div class="field-html text-break" [innerHTML]="this.initialValue | safeHtml"></div>
+</ng-container>
+<ng-container *ngIf="!field?.metadata?.trustHTML">
+ <editor
+ class="field-html text-break"
+ [initialValue]="initialValue"
+ [init]="settings"
+ [disabled]="true"
+ ></editor>
+</ng-container>
diff --git a/core/app/core/src/lib/fields/tinymce/templates/detail/tinymce.component.ts b/core/app/core/src/lib/fields/tinymce/templates/detail/tinymce.component.ts
@@ -1,6 +1,6 @@
 /**
  * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
- * Copyright (C) 2021 SalesAgility Ltd.
+ * Copyright (C) 2023 SalesAgility Ltd.
  *
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU Affero General Public License version 3 as published by the
@@ -41,7 +41,7 @@ import {FieldLogicDisplayManager} from '../../../field-logic-display/field-logic
 export class TinymceDetailFieldComponent extends BaseFieldComponent {
 
  settings: any = {};
- initialValue: string = '';
+ initialValue = '';
 
  constructor(
  protected typeFormatter: DataTypeFormatter,

diff --git a/core/app/core/src/lib/fields/tinymce/templates/detail/tinymce.module.ts b/core/app/core/src/lib/fields/tinymce/templates/detail/tinymce.module.ts
@@ -1,6 +1,6 @@
 /**
  * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
- * Copyright (C) 2021 SalesAgility Ltd.
+ * Copyright (C) 2023 SalesAgility Ltd.
  *
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU Affero General Public License version 3 as published by the
@@ -29,6 +29,8 @@ import {CommonModule} from '@angular/common';
 import {FormsModule, ReactiveFormsModule} from '@angular/forms';
 import {TinymceDetailFieldComponent} from './tinymce.component';
 import {EditorModule, TINYMCE_SCRIPT_SRC} from '@tinymce/tinymce-angular';
+import { SafeHtmlModule } from '../../../../pipes/safe-html/safe-html.module';
+
 
 @NgModule({
  declarations: [TinymceDetailFieldComponent],
@@ -37,7 +39,8 @@ import {EditorModule, TINYMCE_SCRIPT_SRC} from '@tinymce/tinymce-angular';
  CommonModule,
  FormsModule,
  EditorModule,
- ReactiveFormsModule
+ ReactiveFormsModule,
+ SafeHtmlModule
  ],
  providers: [
  {provide: TINYMCE_SCRIPT_SRC, useValue: 'tinymce/tinymce.min.js'}

diff --git a/core/app/core/src/lib/pipes/safe-html/safe-html.module.ts b/core/app/core/src/lib/pipes/safe-html/safe-html.module.ts
@@ -0,0 +1,44 @@
+/**
+ * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
+ * Copyright (C) 2023 SalesAgility Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Affero General Public License version 3 as published by the
+ * Free Software Foundation with the addition of the following permission added
+ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
+ * IN WHICH THE COPYRIGHT IS OWNED BY SALESAGILITY, SALESAGILITY DISCLAIMS THE
+ * WARRANTY OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License
+ * version 3, these Appropriate Legal Notices must retain the display of the
+ * "Supercharged by SuiteCRM" logo. If the display of the logos is not reasonably
+ * feasible for technical reasons, the Appropriate Legal Notices must display
+ * the words "Supercharged by SuiteCRM".
+ */
+
+import {NgModule} from '@angular/core';
+import {CommonModule} from '@angular/common';
+import {SafeHtmlPipe} from './safe-html.pipe';
+
+
+@NgModule({
+ declarations: [
+ SafeHtmlPipe
+ ],
+ exports: [
+ SafeHtmlPipe
+ ],
+ imports: [
+ CommonModule
+ ]
+})
+export class SafeHtmlModule {
+}
diff --git a/core/app/core/src/lib/pipes/safe-html/safe-html.pipe.ts b/core/app/core/src/lib/pipes/safe-html/safe-html.pipe.ts
@@ -0,0 +1,41 @@
+/**
+ * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
+ * Copyright (C) 2023 SalesAgility Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Affero General Public License version 3 as published by the
+ * Free Software Foundation with the addition of the following permission added
+ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
+ * IN WHICH THE COPYRIGHT IS OWNED BY SALESAGILITY, SALESAGILITY DISCLAIMS THE
+ * WARRANTY OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License
+ * version 3, these Appropriate Legal Notices must retain the display of the
+ * "Supercharged by SuiteCRM" logo. If the display of the logos is not reasonably
+ * feasible for technical reasons, the Appropriate Legal Notices must display
+ * the words "Supercharged by SuiteCRM".
+ */
+
+import {Pipe, PipeTransform} from '@angular/core';
+import {DomSanitizer, SafeHtml} from '@angular/platform-browser';
+
+@Pipe({
+ name: 'safeHtml'
+})
+export class SafeHtmlPipe implements PipeTransform {
+
+ constructor(private sanitizer: DomSanitizer) {
+ }
+
+ transform(value: string): SafeHtml {
+ return this.sanitizer.bypassSecurityTrustHtml(value);
+ }
+}