Assert sanitization is strong enough

Ecodev · Sep 6, 2024 · 3a3dfed · 3a3dfed
1 parent cb2f89c
commit 3a3dfed
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/projects/natural/src/lib/modules/common/services/seo.service.spec.ts b/projects/natural/src/lib/modules/common/services/seo.service.spec.ts
@@ -38,6 +38,11 @@ describe('stripTags', () => {
         expect(stripTags('<STRONG>foo<STRONG> <strong>bar</strong> <em>baz</em>')).toBe('foo bar baz');
         expect(stripTags('foo <br/>bar')).toBe('foo bar');
         expect(stripTags('<strong>one</strong> > two > three')).toBe('one > two > three');
+        expect(stripTags('<scrip<script>is removed</script>t>alert(123)</script>')).toBe('is removedt>alert(123)'); // Broken but safe HTML
+        expect(stripTags('<!<!--- comment --->>')).toBe('>'); // Broken but safe HTML
+        expect(stripTags('a<>b')).toBe('ab');
+        expect(stripTags('a</>b')).toBe('ab');
+        expect(stripTags('a<>b</>c')).toBe('abc');
     });
 });
 

diff --git a/projects/natural/src/lib/modules/common/services/seo.service.ts b/projects/natural/src/lib/modules/common/services/seo.service.ts
@@ -116,7 +116,7 @@ export type NaturalSeoConfig = NaturalSeoConfigPlain | Observable<NaturalSeoConf
 export const NATURAL_SEO_CONFIG = new InjectionToken<NaturalSeoConfig>('Configuration for SEO service');
 
 export function stripTags(str: string): string {
-    return str.replace(/<\/?[^>]+>/g, '');
+    return str.replace(/<\/?[^>]*>/g, '');
 }
 
 type Model = {