Merged in task/dspace-cris-2024_02_x/DSC-2609 (pull request DSpace#3895)

[DSC-2609] sanitize schema for structured data, fix schema decorator

Approved-by: Giuseppe Digilio

Author: FrancescoMolinaro

src/app/app.config.ts

@@ -57,6 +57,7 @@ import { AuthInterceptor } from './core/auth/auth.interceptor';
 import { DspaceRestInterceptor } from './core/dspace-rest/dspace-rest.interceptor';
 import { LocaleInterceptor } from './core/locale/locale.interceptor';
 import { LogInterceptor } from './core/log/log.interceptor';
+import { schemaModels } from './core/metadata/schema-json-ld/schema-types/provide-schema';
 import {
   models,
   provideCore,
@@ -169,3 +170,4 @@ const metadataRepresentations = METADATA_REPRESENTATION_COMPONENT_DECORATOR_MAP;
 const startsWithDecoratorMap = STARTS_WITH_DECORATOR_MAP;
 const browseByDecoratorMap = BROWSE_BY_DECORATOR_MAP;
 const authMethodForDecoratorMap = AUTH_METHOD_FOR_DECORATOR_MAP;
+const schemaModelList = schemaModels;

src/app/core/metadata/schema-json-ld/schema-json-ld.service.ts

@@ -3,6 +3,7 @@ import {
   Inject,
   Injectable,
 } from '@angular/core';
+import { DomSanitizer } from '@angular/platform-browser';
 
 import {
   isEmpty,
@@ -20,7 +21,10 @@ import {
 export class SchemaJsonLDService {
   static scriptType = 'application/ld+json';
 
-  constructor(@Inject(DOCUMENT) private _document: Document) {}
+  constructor(
+    @Inject(DOCUMENT) private _document: Document,
+    protected sanitizer: DomSanitizer,
+  ) {}
 
   removeStructuredData(): void {
     const els = [];
@@ -66,7 +70,7 @@ export class SchemaJsonLDService {
     }
 
     if (isNotEmpty(constructor)) {
-      const provider: SchemaType = new constructor();
+      const provider: SchemaType = new constructor(this.sanitizer);
       return provider.getSchema(item);
     } else {
       return null;

src/app/core/metadata/schema-json-ld/schema-types/provide-schema.ts

@@ -0,0 +1,24 @@
+import { PersonSchemaType } from './Person/person-schema-type';
+import { ProductCreativeWorkSchemaType } from './product/product-creative-work-schema-type';
+import { ProductDatasetSchemaType } from './product/product-dataset-schema-type';
+import { PublicationBookSchemaType } from './publication/publication-book-schema-type';
+import { PublicationChapterSchemaType } from './publication/publication-chapter-schema-type';
+import { PublicationCreativeWorkSchemaType } from './publication/publication-creative-work-schema-type';
+import { PublicationReportSchemaType } from './publication/publication-report-schema-type';
+import { PublicationScholarlyArticleSchemaType } from './publication/publication-scholarly-article-schema-type';
+import { PublicationThesisSchemaType } from './publication/publication-thesis-schema-type';
+
+/**
+ * Declaration needed to make sure all decorator functions are called in time
+ */
+export const schemaModels = [
+  PersonSchemaType,
+  ProductCreativeWorkSchemaType,
+  ProductDatasetSchemaType,
+  PublicationBookSchemaType,
+  PublicationChapterSchemaType,
+  PublicationCreativeWorkSchemaType,
+  PublicationReportSchemaType,
+  PublicationScholarlyArticleSchemaType,
+  PublicationThesisSchemaType,
+];

src/app/core/metadata/schema-json-ld/schema-types/schema-type.ts

@@ -1,9 +1,13 @@
+import { SecurityContext } from '@angular/core';
+import { DomSanitizer } from '@angular/platform-browser';
 import isObject from 'lodash/isObject';
 
 import { isNotEmpty } from '../../../../shared/empty.util';
 import { Item } from '../../../shared/item.model';
 
 export abstract class SchemaType {
+  constructor(protected sanitizer: DomSanitizer) {}
+
   protected abstract createSchema(item: Item): Record<string, any>;
   protected abstract createSchema(item: Item): Record<string, any>;
 
@@ -31,7 +35,35 @@ export abstract class SchemaType {
     }
   }
 
+  protected sanitizeSchema(obj: any):  Record<string, any> {
+    if (Array.isArray(obj)) {
+      return obj.map(v =>
+        typeof v === 'string'
+          ? this.sanitizer.sanitize(SecurityContext.HTML, v)
+          : this.sanitizeSchema(v),
+      );
+    }
+
+    if (typeof obj === 'object' && obj !== null) {
+      const sanitized: Record<string, any> = {};
+      for (const key in obj) {
+        if (obj.hasOwnProperty(key)) {
+          const value = obj[key];
+          sanitized[key] =
+            typeof value === 'string'
+              ? this.sanitizer.sanitize(SecurityContext.HTML, value)
+              : this.sanitizeSchema(value);
+        }
+      }
+      return sanitized;
+    }
+
+    return obj;
+  }
+
+
   getSchema(item: Item): Record<string, any> {
-    return SchemaType.removeEmpty(this.createSchema(item));
+    const sanitizedRaw = this.sanitizeSchema(this.createSchema(item));
+    return SchemaType.removeEmpty(sanitizedRaw);
   }
 }