Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: fix unsanitized untrusted input v2 #20092

Open
wants to merge 20 commits into
base: develop
Choose a base branch
from
Open

fix: fix unsanitized untrusted input v2 #20092

wants to merge 20 commits into from

Conversation

andreighervan7
Copy link
Contributor

ticket: CXSPA-8078

@andreighervan7 andreighervan7 requested review from a team as code owners March 18, 2025 13:24
@github-actions github-actions bot marked this pull request as draft March 18, 2025 13:24
@andreighervan7 andreighervan7 marked this pull request as ready for review March 24, 2025 08:59
@github-actions github-actions bot marked this pull request as draft March 24, 2025 09:00
@github-actions GitHub Actions
Copy link
Contributor

Merge Checks Failed

Please push a commit to re-trigger the build.
To push an empty commit you can use `git commit --allow-empty -m "Trigger Build"`

@andreighervan7 andreighervan7 marked this pull request as ready for review March 24, 2025 14:37
@github-actions GitHub Actions
Copy link
Contributor

Merge Checks Failed

Please push a commit to re-trigger the build.
To push an empty commit you can use `git commit --allow-empty -m "Trigger Build"`

rmch91
rmch91 requested changes Mar 25, 2025
View reviewed changes
projects/core/src/occ/adapters/product/converters/product-name-normalizer.ts
import { Product } from '../../../../model/product.model';
import { Converter } from '../../../../util/converter.service';
import { OccConfig } from '../../../config/occ-config';
import { Occ } from '../../../occ-models/occ.models';
import { SanitizeService } from '@spartacus/core';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ProductNameNormalizer is a part of core library, and now you add dependency on '@spartacus/core', so it dependent from itself. Because of this CI failed, you can check it in github and reproduce also locally by running npm run build:core
image

projects/core/src/config/services/sanitize.service.ts
@Injectable({
providedIn: 'root',
})
export class SanitizeService {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Before I told only that if adding @angular/platform-browser as a peerDependency is a breaking change, to workaround we can create a wrapper in the core lib. But Kris confirmed that this peerDependency is safe, in this case we don't need a wrapper.
IMO creating new services files should solve some problem, if we don't have any problem with '@angular/platform-browser' as a peerDependency of product-configurator, there is no need to produce additional code.

projects/core/src/config/services/sanitize.service.ts
providedIn: 'root',
})
export class SanitizeService {
constructor(private sanitizer: DomSanitizer) {}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As wrote above, I think we don't need this service, but just a reminder for the future - we should use inject instead of constructors for the DI. It will help to avoid breaking changes in feature, since any change in the constructor is breaking for customers

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ercultimate ercultimate ercultimate left review comments

@rmch91 rmch91 rmch91 requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andreighervan7 @ercultimate @rmch91