From fca92ef9e2a10129688472d36fcc57b41813e481 Mon Sep 17 00:00:00 2001
From: GabrielMeyer <meyergabriel@live.de>
Date: Thu, 21 Mar 2019 17:39:57 +0100
Subject: [PATCH] Sanitizing the inner html text.

---
 .../motion-comments.component.html              |  2 +-
 .../motion-comments.component.ts                | 15 ++++++++++++++-
 .../motion-detail/motion-detail.component.html  |  2 +-
 .../motion-detail/motion-detail.component.ts    |  2 +-
 .../personal-note/personal-note.component.html  |  2 +-
 .../personal-note/personal-note.component.ts    | 17 +++++++++++++++--
 6 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/client/src/app/site/motions/modules/motion-detail/components/motion-comments/motion-comments.component.html b/client/src/app/site/motions/modules/motion-detail/components/motion-comments/motion-comments.component.html
index 785191eb1..4d116ef95 100644
--- a/client/src/app/site/motions/modules/motion-detail/components/motion-comments/motion-comments.component.html
+++ b/client/src/app/site/motions/modules/motion-detail/components/motion-comments/motion-comments.component.html
@@ -6,7 +6,7 @@
 
         <ng-container class="meta-text-block-content">
             <ng-container *ngIf="!isCommentEdited(section)">
-                <div *ngIf="comments[section.id]" [innerHTML]="comments[section.id].comment"></div>
+                <div *ngIf="comments[section.id]" [innerHTML]="sanitizeText(comments[section.id].comment)"></div>
                 <div class="no-content" *ngIf="!comments[section.id] || !comments[section.id].comment" translate>
                     No comment
                 </div>
diff --git a/client/src/app/site/motions/modules/motion-detail/components/motion-comments/motion-comments.component.ts b/client/src/app/site/motions/modules/motion-detail/components/motion-comments/motion-comments.component.ts
index b6093931a..cbe357d42 100644
--- a/client/src/app/site/motions/modules/motion-detail/components/motion-comments/motion-comments.component.ts
+++ b/client/src/app/site/motions/modules/motion-detail/components/motion-comments/motion-comments.component.ts
@@ -1,6 +1,6 @@
 import { Component, Input } from '@angular/core';
 import { MatSnackBar } from '@angular/material';
-import { Title } from '@angular/platform-browser';
+import { Title, DomSanitizer, SafeHtml } from '@angular/platform-browser';
 import { FormGroup, FormBuilder } from '@angular/forms';
 
 import { TranslateService } from '@ngx-translate/core';
@@ -65,6 +65,7 @@ export class MotionCommentsComponent extends BaseViewComponent {
      * @param formBuilder Form builder to handle text editing
      * @param operator service to get the sections
      * @param pdfService service to export a comment section to pdf
+     * @param sanitizer to sanitize the inner html text
      * @param titleService set the browser title
      * @param translate the translation service
      * @param matSnackBar showing errors and information
@@ -74,6 +75,7 @@ export class MotionCommentsComponent extends BaseViewComponent {
         private formBuilder: FormBuilder,
         private operator: OperatorService,
         private pdfService: MotionPdfExportService,
+        private sanitizer: DomSanitizer,
         titleService: Title,
         translate: TranslateService,
         matSnackBar: MatSnackBar
@@ -187,4 +189,15 @@ export class MotionCommentsComponent extends BaseViewComponent {
     public pdfExportSection(section: ViewMotionCommentSection): void {
         this.pdfService.exportComment(section, this.motion);
     }
+
+    /**
+     * Sanitize the text to be safe.
+     *
+     * @param text to be sanitized.
+     *
+     * @returns SafeHtml
+     */
+    public sanitizeText(text: string): SafeHtml {
+        return this.sanitizer.bypassSecurityTrustHtml(text);
+    }
 }
diff --git a/client/src/app/site/motions/modules/motion-detail/components/motion-detail/motion-detail.component.html b/client/src/app/site/motions/modules/motion-detail/components/motion-detail/motion-detail.component.html
index 292eeade9..dcba80c95 100644
--- a/client/src/app/site/motions/modules/motion-detail/components/motion-detail/motion-detail.component.html
+++ b/client/src/app/site/motions/modules/motion-detail/components/motion-detail/motion-detail.component.html
@@ -653,7 +653,7 @@
             >
                 <span translate>Reason</span>&nbsp;<span *ngIf="reasonRequired && editMotion">*</span>
             </h3>
-            <div class="motion-text" *ngIf="!editMotion"><div [innerHtml]="motion.reason"></div></div>
+            <div class="motion-text" *ngIf="!editMotion"><div [innerHtml]="sanitizedText(motion.reason)"></div></div>
 
             <!-- The HTML Editor -->
             <editor formControlName="reason" [init]="tinyMceSettings" *ngIf="editMotion" required></editor>
diff --git a/client/src/app/site/motions/modules/motion-detail/components/motion-detail/motion-detail.component.ts b/client/src/app/site/motions/modules/motion-detail/components/motion-detail/motion-detail.component.ts
index 01289c318..95d16594c 100644
--- a/client/src/app/site/motions/modules/motion-detail/components/motion-detail/motion-detail.component.ts
+++ b/client/src/app/site/motions/modules/motion-detail/components/motion-detail/motion-detail.component.ts
@@ -1480,7 +1480,7 @@ export class MotionDetailComponent extends BaseViewComponent implements OnInit,
      * @returns the target to navigate to
      */
     public getPrevUrl(): string {
-        if (this.motion.parent_id) {
+        if (this.motion && this.motion.parent_id) {
             return `../../${this.motion.parent_id}`;
         }
         return '../..';
diff --git a/client/src/app/site/motions/modules/motion-detail/components/personal-note/personal-note.component.html b/client/src/app/site/motions/modules/motion-detail/components/personal-note/personal-note.component.html
index 81a065064..9892ffd9c 100644
--- a/client/src/app/site/motions/modules/motion-detail/components/personal-note/personal-note.component.html
+++ b/client/src/app/site/motions/modules/motion-detail/components/personal-note/personal-note.component.html
@@ -5,7 +5,7 @@
 
     <ng-container class="meta-text-block-content">
         <ng-container *ngIf="!isEditMode">
-            <div *ngIf="motion && motion.personalNote" [innerHTML]="motion.personalNote.note"></div>
+            <div *ngIf="motion && motion.personalNote" [innerHTML]="sanitizeText(motion.personalNote.note)"></div>
             <div class="no-content" *ngIf="!motion || !motion.personalNote" translate>
                 No personal note
             </div>
diff --git a/client/src/app/site/motions/modules/motion-detail/components/personal-note/personal-note.component.ts b/client/src/app/site/motions/modules/motion-detail/components/personal-note/personal-note.component.ts
index 41defd24f..7bc061511 100644
--- a/client/src/app/site/motions/modules/motion-detail/components/personal-note/personal-note.component.ts
+++ b/client/src/app/site/motions/modules/motion-detail/components/personal-note/personal-note.component.ts
@@ -1,6 +1,6 @@
 import { Component, Input } from '@angular/core';
 import { FormBuilder, FormGroup } from '@angular/forms';
-import { Title } from '@angular/platform-browser';
+import { Title, SafeHtml, DomSanitizer } from '@angular/platform-browser';
 
 import { TranslateService } from '@ngx-translate/core';
 
@@ -41,13 +41,15 @@ export class PersonalNoteComponent extends BaseComponent {
      * @param personalNoteService
      * @param formBuilder
      * @param pdfService
+     * @param sanitizer
      */
     public constructor(
         title: Title,
         translate: TranslateService,
         private personalNoteService: PersonalNoteService,
         formBuilder: FormBuilder,
-        private pdfService: MotionPdfExportService
+        private pdfService: MotionPdfExportService,
+        private sanitizer: DomSanitizer
     ) {
         super(title, translate);
         this.personalNoteForm = formBuilder.group({
@@ -94,4 +96,15 @@ export class PersonalNoteComponent extends BaseComponent {
     public printPersonalNote(): void {
         this.pdfService.exportPersonalNote(this.motion.personalNote, this.motion);
     }
+
+    /**
+     * Sanitize the text to be safe.
+     *
+     * @param text to be sanitized.
+     *
+     * @returns SafeHtml
+     */
+    public sanitizeText(text: string): SafeHtml {
+        return this.sanitizer.bypassSecurityTrustHtml(text);
+    }
 }