
chore(migration): Migration to self-closing tags

Open nicobytes opened this issue 1 month ago • 2 comments

Proposed Changes

This pull request primarily updates Angular template files across several apps to use self-closing tags for standalone components and elements, improving code consistency and readability. There are no functional or logic changes—these are purely syntactic updates to align with Angular best practices for self-closing components.

The most important changes are:

Template Syntax Consistency:

  • Changed all applicable component tags in HTML templates (such as p-dropdown, p-skeleton, dot-icon, dot-spinner, p-chart, ng-container, p-avatar, dot-copy-link, p-button, p-menu, p-tableHeaderCheckbox, and p-sortIcon) to use self-closing syntax across the dotcdn, dotcms-block-editor, and dotcms-ui apps. This makes the codebase more consistent and easier to maintain.

No business logic, UI, or behavioral changes are introduced—this is a purely structural and stylistic update.

Checklist

  • [ ] Tests
  • [ ] Translations
  • [ ] Security Implications Contemplated (add notes if applicable)

This PR fixes: #34062

nicobytes commented on Dec 09 '25 15:12

Semgrep found 23 ssc-1401e86e-5347-4e09-9335-667e8dfa5deb findings:

  • core-web/libs/ui/src/lib/components/dot-sidebar-accordion/components/dot-sidebar-accordion-tab/dot-sidebar-accordion-tab.component.ts
  • core-web/libs/sdk/angular/src/lib/components/dotcms-block-editor-renderer/blocks/table.component.ts
  • core-web/libs/sdk/angular/src/lib/components/dotcms-block-editor-renderer/blocks/dot-contentlet.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-category-field/components/dot-category-field-list-skeleton/dot-category-field-list-skeleton.component.ts
  • core-web/libs/dot-rules/src/lib/rule-engine.ts
  • core-web/libs/dot-rules/src/lib/rule-engine.container.ts
  • core-web/libs/dot-rules/src/lib/rule-condition-group-component.ts
  • core-web/libs/dot-rules/src/lib/rule-condition-component.ts
  • core-web/libs/dot-rules/src/lib/rule-component.ts
  • core-web/libs/dot-rules/src/lib/rule-action-component.ts
  • core-web/libs/dot-rules/src/lib/push-publish/add-to-bundle-dialog-container.ts
  • core-web/libs/dot-rules/src/lib/push-publish/add-to-bundle-dialog-component.ts
  • core-web/libs/dot-rules/src/lib/modal-dialog/dialog-component.ts
  • core-web/libs/dot-rules/src/lib/custom-types/visitors-location/visitors-location.container.ts
  • core-web/libs/dot-rules/src/lib/custom-types/visitors-location/visitors-location.component.ts
  • core-web/libs/dot-rules/src/lib/condition-types/serverside-condition/serverside-condition.ts
  • core-web/libs/dot-rules/src/lib/components/restdropdown/RestDropdown.ts
  • core-web/libs/dot-rules/src/lib/components/input-date/input-date.ts
  • core-web/libs/dot-rules/src/lib/components/dropdown/dropdown.ts
  • core-web/libs/dot-rules/src/lib/app.component.ts
  • core-web/apps/dotcms-ui/src/app/view/components/main-core-legacy/main-core-legacy-component.ts
  • core-web/apps/dotcms-ui/src/app/portlets/dot-porlet-detail/dot-workflow-task/dot-workflow-task.component.ts
  • core-web/apps/dotcms-ui/src/app/portlets/dot-porlet-detail/dot-contentlets/dot-contentlets.component.ts

Risk: Affected versions of @angular/compiler are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). A stored XSS vulnerability in the Angular Template Compiler arises because its internal security schema doesn't classify certain URL-holding attributes (e.g. xlink:href, math|href, annotation|href) or the attributeName binding on SVG animation elements (<animate>, <set>, etc.) as requiring strict URL sanitization. An attacker who can supply untrusted input to template bindings like [attr.xlink:href] or <animate [attributeName]="'href'" [values]="maliciousURL"> can inject a javascript: URL payload. When the element is activated (e.g. clicked) or the animation runs, the malicious script executes in the application's origin, enabling session hijacking, data exfiltration, or unauthorized actions.

Manual Review Advice: A vulnerability from this advisory is reachable if you allow untrusted input into SVG/MathML attributes (e.g., xlink:href, href) or into the attributeName field of SVG animation tags (<animate>, <set>, etc.) in HTML templates.

Fix: Upgrade this library to at least version 20.3.15 at core/core-web/yarn.lock:557.

Reference(s): https://github.com/advisories/GHSA-v4hv-rgfq-gp49, CVE-2025-66412

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Legal Risk

The following dependencies were released under a license that has been flagged by your organization for consideration.

Recommendation

While merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue.

GPL-2.0

MPL-2.0
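As an added triage helper, not part of this PR or of the Semgrep report, the following TypeScript scans Angular template text for the binding shapes the Risk paragraph describes, so a reviewer can answer the reachability question in the Manual Review Advice before or alongside the upgrade to @angular/compiler 20.3.15. The file names and template contents are constructed; the `[values]`/`[to]`/`[from]` check on animation elements is this example's own extension of the advisory's `<animate [attributeName] [values]>` case.

```typescript
// Added example, not code from the PR or from Semgrep: a reachability triage
// helper for GHSA-v4hv-rgfq-gp49. It flags the Angular template binding shapes
// named in the advisory so each hit can be reviewed by hand. Template text and
// file names below are constructed for the example.

export interface Finding {
  file: string;
  line: number;     // 1-based line where the match starts
  pattern: string;  // which advisory shape matched
  text: string;     // matched snippet, whitespace collapsed
}

// URL-holding attributes the advisory says the compiler schema did not treat as
// URL context. Plain "href" is included because the advice lists it; expect some
// benign hits there that need a human look.
const URL_ATTRS = '(?:xlink:href|math\\|href|annotation\\|href|href)';

const RISKY_BINDINGS: Array<[string, RegExp]> = [
  // [attr.xlink:href]="expr"  or the interpolation form  attr.xlink:href="{{ expr }}"
  ['url-holding attribute binding',
    new RegExp('\\[attr\\.' + URL_ATTRS + '\\]\\s*=|attr\\.' + URL_ATTRS + '\\s*=\\s*"\\s*\\{\\{', 'gi')],
  // <animate [attributeName]="...">, <set [attributeName]="...">; [^>]* spans newlines
  ['animation attributeName binding',
    /<(?:animateMotion|animateTransform|animate|set)\b[^>]*\[attributeName\]\s*=/gi],
  // bound animation value that could carry the URL (example's own extension of the advisory case)
  ['animation value binding',
    /<(?:animateMotion|animateTransform|animate|set)\b[^>]*\[(?:values|to|from)\]\s*=/gi],
];

export function scanTemplate(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  for (const [pattern, re] of RISKY_BINDINGS) {
    re.lastIndex = 0;  // regexes are shared and global; reset before each scan
    let m: RegExpExecArray | null;
    while ((m = re.exec(source)) !== null) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ file, line, pattern, text: m[0].replace(/\s+/g, ' ') });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

export function triage(templates: Record<string, string>): Finding[] {
  let all: Finding[] = [];
  for (const file of Object.keys(templates)) all = all.concat(scanTemplate(file, templates[file]));
  return all;
}

// Constructed sample templates (hypothetical file names).
export const SAMPLE_TEMPLATES: Record<string, string> = {
  'icon.component.html': '<svg><use [attr.xlink:href]="iconRef" /></svg>',
  'banner.component.html': '<svg>\n  <animate [attributeName]="attr"\n           [values]="target" />\n</svg>',
  'logo.component.html': '<svg><use xlink:href="#logo" /></svg>',  // literal only: no finding
};
```

Running `triage` over the real `*.component.html` files of the listed apps and libs gives the reviewer the concrete list of bindings to inspect; an empty result for untrusted-input paths supports ticking the "Security Implications Contemplated" box, a non-empty one argues for the upgrade in the same PR.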