Merge pull request #969 from Esri/enh/security-fix

Added sanitizer to label scan

package.json

@@ -85,6 +85,7 @@
   },
   "dependencies": {
     "@arcgis/core": ">=4.31.0-next.20241016 <4.32",
+    "@esri/arcgis-html-sanitizer": "^4.0.3",
     "@esri/arcgis-rest-auth": "^3.7.0",
     "@esri/arcgis-rest-feature-layer": "^3.7.0",
     "@esri/arcgis-rest-portal": "^3.7.0",

src/components/solution-spatial-ref/test/solution-spatial-ref.e2e.ts

@@ -18,6 +18,10 @@ import { E2EPage, newE2EPage } from '@stencil/core/testing';
 
 describe('solution-spatial-ref', () => {
 
+  beforeAll(() => {
+    console.info = jest.fn();
+  });
+
   let page: E2EPage;
   beforeEach(async () => {
     page = await newE2EPage();

src/components/spatial-ref/test/spatial-ref.e2e.ts

@@ -18,6 +18,10 @@ import { E2EPage, newE2EPage } from '@stencil/core/testing';
 
 describe('spatial-ref', () => {
 
+  beforeAll(() => {
+    console.info = jest.fn();
+  });
+
   let page: E2EPage;
   beforeEach(async () => {
     page = await newE2EPage();

src/utils/downloadUtils.ts

@@ -21,6 +21,7 @@ import { ILabel, exportPDF } from "./pdfUtils";
 import { loadModules } from "./loadModules";
 import { queryFeaturesByID } from "./queryUtils";
 import { IExportInfo, IExportInfos } from "../utils/interfaces";
+import { Sanitizer } from "@esri/arcgis-html-sanitizer";
 import * as common from "@esri/solution-common";
 
 export { ILabel } from "./pdfUtils";
@@ -277,12 +278,14 @@ export function _cleanupLabel(
   // Replace \n with the line separator character
   labelText = labelText.replace(/\n/gi, "|");
 
-  // Remove remaining HTML tags, replace 0xA0 that popup uses for spaces, and replace some char representations
+  // Remove tricky stuff
+  const sanitizer = new Sanitizer();
+  labelText = sanitizer.sanitize(labelText);
+
+  // Remove remaining HTML tags, replace 0xA0 that popup uses for spaces, and replace  
   labelText = labelText
     .replace(/<[\s.]*[^<>]*\/?>/gi, "")
     .replace(/\xA0/gi, " ")
-    .replace(/&lt;/gi, "<")
-    .replace(/&gt;/gi, ">")
     .replace(/&nbsp;/gi, " ");
 
   // Trim each line

src/utils/test/downloadUtils.spec.tsx

@@ -93,8 +93,16 @@ describe("downloadUtils", () => {
 
     it("handles some special characters", () => {
       const labelText =
-        "<div style='text-align: left;'>&lt;{NAME}&gt;<br />{STREET}<br/>{CITY},&nbsp;{STATE}&nbsp;{ZIP}<br></div>";
-      const expectedCleanedText = "<{NAME}>|{STREET}|{CITY}, {STATE} {ZIP}";
+        "<div style='text-align: left;'>&lt;{NAME}&gt;<br />{STREET}<br/>{CITY},&nbsp;{STATE}\xA0{ZIP}<br></div>";
+      const expectedCleanedText = "&lt;{NAME}&gt;|{STREET}|{CITY}, {STATE} {ZIP}";
+
+      const result: string = downloadUtils._cleanupLabel(labelText);
+      expect(result).toEqual(expectedCleanedText);
+    });
+
+    it("handles embedded script tag", () => {
+      const labelText = "<scrip<script>is removed</script>t>alert(123)</script>";
+      const expectedCleanedText = "&lt;scrip&lt;script&gt;is removed&lt;/script&gt;t&gt;alert(123)&lt;/script&gt;";
 
       const result: string = downloadUtils._cleanupLabel(labelText);
       expect(result).toEqual(expectedCleanedText);
@@ -188,16 +196,6 @@ describe("downloadUtils", () => {
       expect(result.format).toEqual(expectedLabelSpec);
     });
 
-    it("handles some special characters", () => {
-      const popupInfo =
-        "<div style='text-align: left;'>&lt;{NAME}&gt;<br />{STREET}<br/>{CITY},&nbsp;{STATE}&nbsp;{ZIP}<br></div>";
-      const expectedLabelSpec = "<{NAME}>|{STREET}|{CITY}, {STATE} {ZIP}";
-
-      const result: downloadUtils.ILabelFormat = downloadUtils._convertPopupTextToLabelSpec(popupInfo);
-      expect(result.type).toEqual("pattern");
-      expect(result.format).toEqual(expectedLabelSpec);
-    });
-
   });
 
   describe("_convertPopupArcadeToLabelSpec", () => {