refactor(@angular/build): improve HTML Code Sanitization in Manifest

alan-agius4 · alan-agius4 · commit 1a933c9dd391 · 2024-09-26T17:54:43.000+02:00
See: https://github.com/angular/angular-cli/security/code-scanning/74
diff --git a/packages/angular/build/src/utils/server-rendering/manifest.ts b/packages/angular/build/src/utils/server-rendering/manifest.ts
@@ -20,6 +20,35 @@ export const SERVER_APP_ENGINE_MANIFEST_FILENAME = 'angular-app-engine-manifest.
 
 const MAIN_SERVER_OUTPUT_FILENAME = 'main.server.mjs';
 
+/**
+ * A mapping of unsafe characters to their escaped Unicode equivalents.
+ */
+const UNSAFE_CHAR_MAP: Record<string, string> = {
+  '<': '\\u003C',
+  '>': '\\u003E',
+  '/': '\\u002F',
+  '\\': '\\\\',
+  '\b': '\\b',
+  '\f': '\\f',
+  '\n': '\\n',
+  '\r': '\\r',
+  '\t': '\\t',
+  '\0': '\\0',
+  '\u2028': '\\u2028',
+  '\u2029': '\\u2029',
+};
+
+/**
+ * Escapes unsafe characters in a given string by replacing them with
+ * their Unicode escape sequences.
+ *
+ * @param str - The string to be escaped.
+ * @returns The escaped string where unsafe characters are replaced.
+ */
+function escapeUnsafeChars(str: string): string {
+  return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, (c) => UNSAFE_CHAR_MAP[c]);
+}
+
 /**
  * Generates the server manifest for the App Engine environment.
  *
@@ -120,7 +149,9 @@ export function generateAngularServerAppManifest(
       file.path === INDEX_HTML_CSR ||
       (inlineCriticalCss && file.path.endsWith('.css'))
     ) {
-      serverAssetsContent.push(`['${file.path}', async () => ${JSON.stringify(file.text)}]`);
+      serverAssetsContent.push(
+        `['${file.path}', async () => ${escapeUnsafeChars(JSON.stringify(file.text))}]`,
+      );
     }
   }
 
