feat(admin): HTML escape in notifications and application forms

* With incorrect input the HTML content is not accepted and the user is notified
* The HTML content is escaped before it is sent to Perun
* the HTML content is escaped in the email footer as well

Author: mattjoke

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+  "angular.enable-strict-mode-prompt": false
+}

apps/admin-gui/src/app/shared/components/dialogs/add-edit-notification-dialog/add-edit-notification-dialog.component.html

@@ -114,7 +114,8 @@ <h1 mat-dialog-title>{{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.TITLE_EDIT' | transl
         </mat-tab>
         <mat-tab
           *ngFor="let lang of languages"
-          label="{{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.LANG_' + lang | uppercase | translate}}">
+          label="{{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.LANG_' + lang | uppercase | translate}}"
+          [formGroup]="inputFormGroup">
           <ng-template matTabContent>
             <perun-web-apps-alert alert_type="info" *ngIf="htmlAuth">
               <i [innerHTML]="'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.FORMAT_INFO' | translate"></i>
@@ -142,42 +143,48 @@ <h1 mat-dialog-title>{{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.TITLE_EDIT' | transl
                       <span class="fw-bold pe-2">
                         {{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.SUBJECT' | translate}}:
                       </span>
-                      <mat-form-field class="w-100">
+                      <mat-form-field class="w-100" subscriptSizing="dynamic">
                         <div #Input>
                           <input
                             *ngIf="format === 'plain_text'"
-                            [(ngModel)]="this.applicationMail.message[lang].subject"
+                            formControlName="{{lang}}-plain-subject"
                             (focus)="isTextFocused = false"
                             matInput />
                           <input
                             *ngIf="format === 'html'"
-                            [(ngModel)]="this.applicationMail.htmlMessage[lang].subject"
+                            formControlName="{{lang}}-html-subject"
                             (focus)="isTextFocused = false"
                             matInput />
                         </div>
+                        <mat-error *ngIf="inputFormGroup.controls[lang + '-html-subject']?.invalid">
+                          {{inputFormGroup.controls[lang + '-html-subject'].errors?.invalidHtmlContent}}
+                        </mat-error>
                       </mat-form-field>
                     </div>
                     <div class="fw-bold">
                       {{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.TEXT' | translate}}:
                     </div>
 
-                    <mat-form-field class="w-100">
+                    <mat-form-field class="w-100" subscriptSizing="dynamic">
                       <div #Textarea>
                         <textarea
                           *ngIf="format === 'plain_text'"
-                          [(ngModel)]="this.applicationMail.message[lang].text"
                           matInput
+                          formControlName="{{lang}}-plain-text"
                           (focus)="isTextFocused = true"
                           rows="17">
                         </textarea>
                         <textarea
                           *ngIf="format === 'html'"
-                          [(ngModel)]="this.applicationMail.htmlMessage[lang].text"
+                          formControlName="{{lang}}-html-text"
                           matInput
                           (focus)="isTextFocused = true"
                           rows="17">
                         </textarea>
                       </div>
+                      <mat-error *ngIf="inputFormGroup.controls[lang + '-html-text']?.invalid">
+                        {{inputFormGroup.controls[lang + '-html-text'].errors?.invalidHtmlContent}}
+                      </mat-error>
                     </mat-form-field>
                   </div>
 
@@ -194,7 +201,6 @@ <h1 mat-dialog-title>{{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.TITLE_EDIT' | transl
         </mat-tab>
       </mat-tab-group>
     </div>
-
     <div class="d-flex mt-auto" mat-dialog-actions>
       <button (click)="cancel()" class="ms-auto" mat-flat-button>
         {{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.CANCEL_BUTTON' | translate}}
@@ -204,23 +210,28 @@ <h1 mat-dialog-title>{{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.TITLE_EDIT' | transl
         *ngIf="data.createMailNotification"
         class="ms-2"
         color="accent"
-        [disabled]="invalidNotification"
+        [disabled]="invalidNotification || inputFormGroup.invalid"
         mat-flat-button>
         {{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.CREATE_BUTTON' | translate}}
       </button>
       <div
         [matTooltipDisabled]="editAuth"
         [matTooltipPosition]="'above'"
         matTooltip="{{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.EDIT_HINT' | translate}}">
-        <button
-          (click)="save()"
-          *ngIf="!data.createMailNotification"
-          class="ms-2"
-          color="accent"
-          [disabled]="!editAuth"
-          mat-flat-button>
-          {{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.SAVE_BUTTON' | translate}}
-        </button>
+        <div
+          [matTooltipDisabled]="!inputFormGroup.invalid"
+          [matTooltipPosition]="'above'"
+          matTooltip="{{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.INVALID_HTML_TAGS' | translate}}">
+          <button
+            (click)="save()"
+            *ngIf="!data.createMailNotification"
+            class="ms-2"
+            color="accent"
+            [disabled]="!editAuth || inputFormGroup.invalid"
+            mat-flat-button>
+            {{'DIALOGS.NOTIFICATIONS_ADD_EDIT_MAIL.SAVE_BUTTON' | translate}}
+          </button>
+        </div>
       </div>
     </div>
   </div>

apps/admin-gui/src/app/shared/components/dialogs/add-edit-notification-dialog/add-edit-notification-dialog.component.scss

@@ -6,3 +6,8 @@
 .disabled-label {
   color: rgba(0, 0, 0, 0.38) !important;
 }
+
+::ng-deep .mat-mdc-form-field-error-wrapper {
+  position: relative !important;
+  word-break: break-word;
+}

apps/admin-gui/src/app/shared/components/dialogs/add-edit-notification-dialog/add-edit-notification-dialog.component.ts

@@ -1,3 +1,4 @@
+import { FormGroup, FormControl } from '@angular/forms';
 import { Component, Inject, OnInit } from '@angular/core';
 import { MAT_DIALOG_DATA, MatDialogRef } from '@angular/material/dialog';
 import { openClose, tagsOpenClose } from '@perun-web-apps/perun/animations';
@@ -6,7 +7,7 @@ import {
   GroupsManagerService,
   RegistrarManagerService,
 } from '@perun-web-apps/perun/openapi';
-import { GuiAuthResolver, StoreService } from '@perun-web-apps/perun/services';
+import { GuiAuthResolver, StoreService, HtmlEscapeService } from '@perun-web-apps/perun/services';
 
 export interface ApplicationFormAddEditMailDialogData {
   theme: string;
@@ -34,14 +35,16 @@ export class AddEditNotificationDialogComponent implements OnInit {
   languages = ['en'];
   formats = ['plain_text', 'html'];
   htmlAuth: boolean;
+  inputFormGroup: FormGroup = null;
 
   constructor(
     private dialogRef: MatDialogRef<AddEditNotificationDialogComponent>,
     private registrarService: RegistrarManagerService,
     @Inject(MAT_DIALOG_DATA) public data: ApplicationFormAddEditMailDialogData,
     private authResolver: GuiAuthResolver,
     private groupsService: GroupsManagerService,
-    private store: StoreService
+    private store: StoreService,
+    private inputEscape: HtmlEscapeService
   ) {}
 
   ngOnInit(): void {
@@ -68,6 +71,31 @@ export class AddEditNotificationDialogComponent implements OnInit {
         'vo-addMail_ApplicationForm_ApplicationMail_policy',
         [vo]
       );
+
+      const formGroupFields: { [key: string]: FormControl } = {};
+      for (const lang of this.languages) {
+        // Plain
+        formGroupFields[`${lang}-plain-subject`] = new FormControl(
+          this.applicationMail.message[lang].subject,
+          []
+        );
+        formGroupFields[`${lang}-plain-text`] = new FormControl(
+          this.applicationMail.message[lang].text,
+          []
+        );
+        // Html
+        formGroupFields[`${lang}-html-subject`] = new FormControl(
+          this.applicationMail.htmlMessage[lang].subject,
+          [this.inputEscape.htmlContentValidator()]
+        );
+        formGroupFields[`${lang}-html-text`] = new FormControl(
+          this.applicationMail.htmlMessage[lang].text,
+          [this.inputEscape.htmlContentValidator()]
+        );
+        formGroupFields[`${lang}-html-subject`].markAsTouched();
+        formGroupFields[`${lang}-html-text`].markAsTouched();
+      }
+      this.inputFormGroup = new FormGroup(formGroupFields);
     }
   }
 
@@ -110,6 +138,26 @@ export class AddEditNotificationDialogComponent implements OnInit {
 
   save(): void {
     this.loading = true;
+    // Validate notification
+    for (const lang of this.languages) {
+      let escaped = this.inputEscape.escapeDangerousHtml(
+        String(this.inputFormGroup.get(`${lang}-html-subject`).value)
+      );
+      this.applicationMail.htmlMessage[lang].subject = escaped.escapedHtml;
+      escaped = this.inputEscape.escapeDangerousHtml(
+        String(this.inputFormGroup.get(`${lang}-html-text`).value)
+      );
+      this.applicationMail.htmlMessage[lang].text = escaped.escapedHtml;
+
+      // Update application with content from FormControl
+      this.applicationMail.message[lang].subject = String(
+        this.inputFormGroup.get(`${lang}-plain-subject`).value
+      );
+      this.applicationMail.message[lang].text = String(
+        this.inputFormGroup.get(`${lang}-plain-text`).value
+      );
+    }
+
     this.registrarService.updateApplicationMail({ mail: this.applicationMail }).subscribe(
       () => {
         this.dialogRef.close(true);

apps/admin-gui/src/app/shared/components/dialogs/edit-application-form-item-dialog/edit-application-form-item-dialog.component.html

@@ -175,11 +175,16 @@ <h1 mat-dialog-title>
             <app-edit-application-form-item-line
               [description]="'DIALOGS.APPLICATION_FORM_EDIT_ITEM.CONTENT_DESCRIPTION' | translate"
               [label]="'DIALOGS.APPLICATION_FORM_EDIT_ITEM.CONTENT' | translate">
-              <mat-form-field class="w-100">
+              <mat-form-field class="w-100" subscriptSizing="dynamic">
                 <textarea
                   [cdkTextareaAutosize]="true"
+                  [formControl]="htmlInput"
                   [(ngModel)]="applicationFormItem.i18n[lang].label"
                   matInput></textarea>
+                <mat-error
+                  *ngIf="htmlInput.invalid && (htmlInput.dirty || htmlInput.touched)"
+                  >{{htmlInput.errors.invalidHtmlContent}}</mat-error
+                >
               </mat-form-field>
             </app-edit-application-form-item-line>
           </div>
@@ -275,18 +280,23 @@ <h1 mat-dialog-title>
           applicationFormItem.federationAttribute !== '' ||
           (applicationFormItem.disabled !== 'ALWAYS' && applicationFormItem.hidden !== 'ALWAYS')"
         matTooltip="{{'DIALOGS.APPLICATION_FORM_EDIT_ITEM.SUBMIT_BUTTON_DISABLED_TOOLTIP' | translate}}">
-        <button
-          mat-flat-button
-          class="ms-2 mt-auto"
-          color="accent"
-          data-cy="edit-form-item-button-dialog"
-          [disabled]="loading || (applicationFormItem.required &&
-            applicationFormItem.perunSourceAttribute === '' &&
-            applicationFormItem.federationAttribute === '' &&
-            (applicationFormItem.disabled === 'ALWAYS' || applicationFormItem.hidden === 'ALWAYS'))"
-          (click)="submit()">
-          {{'DIALOGS.APPLICATION_FORM_EDIT_ITEM.SUBMIT_BUTTON' | translate}}
-        </button>
+        <div
+          [matTooltipDisabled]="!htmlInput.invalid"
+          [matTooltipPosition]="'above'"
+          matTooltip="{{'DIALOGS.APPLICATION_FORM_EDIT_ITEM.HTML_INVALID_TAGS' | translate}}">
+          <button
+            mat-flat-button
+            class="ms-2 mt-auto"
+            color="accent"
+            data-cy="edit-form-item-button-dialog"
+            [disabled]="htmlInput.invalid || loading || (applicationFormItem.required &&
+                    applicationFormItem.perunSourceAttribute === '' &&
+                    applicationFormItem.federationAttribute === '' &&
+                    (applicationFormItem.disabled === 'ALWAYS' || applicationFormItem.hidden === 'ALWAYS'))"
+            (click)="submit()">
+            {{'DIALOGS.APPLICATION_FORM_EDIT_ITEM.SUBMIT_BUTTON' | translate}}
+          </button>
+        </div>
       </div>
     </div>
   </div>

apps/admin-gui/src/app/shared/components/dialogs/edit-application-form-item-dialog/edit-application-form-item-dialog.component.scss

@@ -0,0 +1,4 @@
+::ng-deep .mat-mdc-form-field-error-wrapper {
+  position: relative !important;
+  word-break: break-word;
+}

apps/admin-gui/src/app/shared/components/dialogs/edit-application-form-item-dialog/edit-application-form-item-dialog.component.ts

@@ -13,7 +13,8 @@ import { createNewApplicationFormItem } from '@perun-web-apps/perun/utils';
 import DisabledEnum = ApplicationFormItem.DisabledEnum;
 import HiddenEnum = ApplicationFormItem.HiddenEnum;
 import { ItemType, NO_FORM_ITEM, SelectionItem } from '@perun-web-apps/perun/components';
-import { StoreService } from '@perun-web-apps/perun/services';
+import { HtmlEscapeService, StoreService } from '@perun-web-apps/perun/services';
+import { FormControl } from '@angular/forms';
 
 export interface EditApplicationFormItemDialogComponentData {
   theme: string;
@@ -40,6 +41,7 @@ export class EditApplicationFormItemDialogComponent implements OnInit {
   hiddenValues: HiddenEnum[] = ['NEVER', 'ALWAYS', 'IF_EMPTY', 'IF_PREFILLED'];
   disabledValues: DisabledEnum[] = ['NEVER', 'ALWAYS', 'IF_EMPTY', 'IF_PREFILLED'];
   possibleDependencyItems: ApplicationFormItem[] = [];
+  htmlInput = new FormControl('', [this.escapeService.htmlContentValidator()]);
 
   typesWithUpdatable: Type[] = [
     'VALIDATED_EMAIL',
@@ -86,7 +88,8 @@ export class EditApplicationFormItemDialogComponent implements OnInit {
     private attributesManager: AttributesManagerService,
     private translateService: TranslateService,
     private store: StoreService,
-    private cd: ChangeDetectorRef
+    private cd: ChangeDetectorRef,
+    private escapeService: HtmlEscapeService
   ) {}
 
   ngOnInit(): void {
@@ -131,6 +134,9 @@ export class EditApplicationFormItemDialogComponent implements OnInit {
       this.applicationFormItem.perunSourceAttribute = '';
     }
     this.getOptions();
+
+    this.htmlInput.markAsTouched();
+    this.htmlInput.setValue(this.applicationFormItem.i18n['en'].label);
   }
 
   cancel(): void {
@@ -142,6 +148,20 @@ export class EditApplicationFormItemDialogComponent implements OnInit {
       this.hiddenDependencyItem === NO_FORM_ITEM ? null : this.hiddenDependencyItem.id;
     this.applicationFormItem.disabledDependencyItemId =
       this.disabledDependencyItem === NO_FORM_ITEM ? null : this.disabledDependencyItem.id;
+
+    // Escape forbidden strings
+    if (
+      this.applicationFormItem.type === 'HTML_COMMENT' ||
+      this.applicationFormItem.type === 'HEADING'
+    ) {
+      for (const lang in this.applicationFormItem.i18n) {
+        const o = this.applicationFormItem.i18n[lang];
+        this.applicationFormItem.i18n[lang].label = this.escapeService.escapeDangerousHtml(
+          o.label
+        ).escapedHtml;
+      }
+    }
+
     this.updateOptions();
     this.copy(this.applicationFormItem, this.data.applicationFormItem);
     this.dialogRef.close(true);

apps/admin-gui/src/app/shared/components/dialogs/edit-email-footer-dialog/edit-email-footer-dialog.component.html

@@ -15,18 +15,23 @@ <h1 mat-dialog-title>{{'DIALOGS.NOTIFICATIONS_EDIT_FOOTER.TITLE' | translate}}</
               {{'DIALOGS.NOTIFICATIONS_EDIT_FOOTER.FORMAT_' + format | uppercase | translate}}
             </span>
           </ng-template>
-          <mat-form-field class="w-100">
+          <mat-form-field class="w-100" subscriptSizing="dynamic">
             <textarea *ngIf="format === 'plain_text'" [(ngModel)]="mailFooter" matInput rows="5">
             </textarea>
-            <textarea *ngIf="format === 'html'" [(ngModel)]="htmlMailFooter" matInput rows="5">
+            <textarea *ngIf="format === 'html'" [formControl]="htmlInput" matInput rows="5">
             </textarea>
+            <mat-error *ngIf="htmlInput.invalid && format==='html'">
+              {{htmlInput.errors.invalidHtmlContent}}
+            </mat-error>
           </mat-form-field>
+          <div class="mt-2 font-italic text-muted" *ngIf="format === 'plain_text'">
+            {{'DIALOGS.NOTIFICATIONS_EDIT_FOOTER.DESCRIPTION' | translate}}
+          </div>
+          <div class="mt-2 font-italic text-muted" *ngIf="format === 'html'">
+            {{'DIALOGS.NOTIFICATIONS_EDIT_FOOTER.DESCRIPTION_HTML' | translate}}
+          </div>
         </mat-tab>
       </mat-tab-group>
-
-      <div class="mt-2 font-italic text-muted">
-        {{'DIALOGS.NOTIFICATIONS_EDIT_FOOTER.DESCRIPTION' | translate}}
-      </div>
     </div>
 
     <div mat-dialog-actions>
@@ -37,14 +42,19 @@ <h1 mat-dialog-title>{{'DIALOGS.NOTIFICATIONS_EDIT_FOOTER.TITLE' | translate}}</
         [matTooltipDisabled]="plainEdithAuth"
         [matTooltipPosition]="'above'"
         matTooltip="{{'DIALOGS.NOTIFICATIONS_EDIT_FOOTER.HINT' | translate}}">
-        <button
-          (click)="submit()"
-          [disabled]="loading || !plainEdithAuth"
-          class="ms-2"
-          color="accent"
-          mat-flat-button>
-          {{'DIALOGS.NOTIFICATIONS_EDIT_FOOTER.SUBMIT_BUTTON' | translate}}
-        </button>
+        <div
+          [matTooltipDisabled]="!htmlInput.invalid"
+          [matTooltipPosition]="'above'"
+          matTooltip="{{'DIALOGS.NOTIFICATIONS_EDIT_FOOTER.INVALID_TAGS' | translate}}">
+          <button
+            (click)="submit()"
+            [disabled]="loading || !plainEdithAuth || htmlInput.invalid"
+            class="ms-2"
+            color="accent"
+            mat-flat-button>
+            {{'DIALOGS.NOTIFICATIONS_EDIT_FOOTER.SUBMIT_BUTTON' | translate}}
+          </button>
+        </div>
       </div>
     </div>
   </div>