Conversation

@alexandrevryghem
Member

References

Description

Escapes HTML tags in content injected into the DOM using the innerHTML attribute.

Instructions for Reviewers

List of changes in this PR:

  • Updated most of the places that inject metadata directly into the HTML DOM to set the injectedAsHTML to true
  • Updated the Metadata util class to escape HTML tags for all the content that is injectedAsHTML

Guidance for how to test or review this PR:

  • Verify that the item/collection & community pages still render the HTML tags in the fields where this is enabled
  • Verify that the search results always escaped the HTML tags

Checklist

  • My PR is created against the main branch of code (unless it is a backport or is fixing an issue specific to an older branch).
  • My PR is small in size (e.g. less than 1,000 lines of code, not including comments & specs/tests), or I have provided reasons as to why that's not possible.
  • My PR passes ESLint validation using npm run lint
  • My PR doesn't introduce circular dependencies (verified via npm run check-circ-deps)
  • My PR includes TypeDoc comments for all new (or modified) public methods and classes. It also includes TypeDoc for large or complex private methods.
  • My PR passes all specs/tests and includes new/updated specs or tests based on the Code Testing Guide.
  • My PR aligns with Accessibility guidelines if it makes changes to the user interface.
  • My PR uses i18n (internationalization) keys instead of hardcoded English text, to allow for translations.
  • My PR includes details on how to test it. I've provided clear instructions to reviewers on how to successfully test this fix or feature.
  • If my PR includes new libraries/dependencies (in package.json), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.
  • If my PR includes new features or configurations, I've provided basic technical documentation in the PR itself.
  • If my PR fixes an issue ticket, I've linked them together.

@alexandrevryghem alexandrevryghem added this to the 10.0 milestone Sep 29, 2025
@alexandrevryghem alexandrevryghem self-assigned this Sep 29, 2025
@alexandrevryghem alexandrevryghem added high priority component: Item (Archived) Item display or editing labels Sep 29, 2025
@alexandrevryghem alexandrevryghem moved this to 🙋 Needs Reviewers Assigned in DSpace 10.0 Release Sep 29, 2025
@alexandrevryghem alexandrevryghem added port to dspace-7_x This PR needs to be ported to `dspace-7_x` branch for next bug-fix release port to dspace-8_x This PR needs to be ported to `dspace-8_x` branch for next bug-fix release port to dspace-9_x This PR needs to be ported to `dspace-9_x` branch for next bug-fix release labels Sep 29, 2025
@tdonohue tdonohue requested review from atarix83 and tdonohue October 16, 2025 14:16
@artlowel
Member

@alexandrevryghem We reviewed this PR as a group in the developer meeting today, and we were wondering why you kept the escape all the way in metadata.utils.ts which means you had to add that injectedAsHTML to a bunch of different methods and calls across the app. Did you consider moving it up to a higher level?

@alexandrevryghem
Member Author

By doing it this way we can easily customize which fields should still render HTML content, by simply updating the code in MetadataUtils to not run the escape for a certain set of keyOrKeys.

By updating the code like this, the abstract metadata field could still render links for example, but the other fields like title and authors wouldn’t.

```typescript
if (injectedAsHTML && !keyOrKeys.includes('dc.description.abstract')) {
  matches.push(Object.assign(new MetadataValue(), candidate, {
    value: escape(candidate.value),
  }));
} else {
  matches.push(candidate as MetadataValue);
}
```
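Added example, not DSpace code, of the lookup-with-escape step described in the PR's list of changes and in the snippet above: MetadataValue is reduced to a plain interface, escapeHtml() is a hand-written stand-in for the snippet's escape(), and the RAW_HTML_KEYS allowlist is an assumption that replaces the inline keyOrKeys check.

```typescript
// Added example, not DSpace code: models the lookup-with-escape step from the
// PR's list of changes and the snippet in the comment above. MetadataValue is
// reduced to a plain interface, escapeHtml() is a hand-written helper, and the
// RAW_HTML_KEYS allowlist is an assumption standing in for the keyOrKeys check.

interface MetadataValue { key: string; value: string; language?: string; }

// Characters that must be neutralised before a string is bound via innerHTML.
const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] ?? c);
}

// Fields whose values are intentionally rendered as HTML (assumed allowlist).
const RAW_HTML_KEYS = new Set<string>(['dc.description.abstract']);

// Returns the values for keyOrKeys; when the caller will inject the result with
// innerHTML (injectedAsHTML), every value outside the allowlist is escaped.
function allMetadata(
  values: MetadataValue[],
  keyOrKeys: string | string[],
  injectedAsHTML = false,
): MetadataValue[] {
  const keys = Array.isArray(keyOrKeys) ? keyOrKeys : [keyOrKeys];
  const matches: MetadataValue[] = [];
  for (const candidate of values) {
    if (!keys.includes(candidate.key)) {
      continue;
    }
    if (injectedAsHTML && !RAW_HTML_KEYS.has(candidate.key)) {
      matches.push({ ...candidate, value: escapeHtml(candidate.value) });
    } else {
      matches.push(candidate);
    }
  }
  return matches;
}

// Constructed sample record: a title with markup, an abstract with a link, an author with quotes.
const SAMPLE: MetadataValue[] = [
  { key: 'dc.title', value: 'Report <b>Q3</b>' },
  { key: 'dc.description.abstract', value: 'See <a href="https://example.org">the site</a>' },
  { key: 'dc.contributor.author', value: 'O\'Brien, "Pat" & co' },
];

console.log(allMetadata(SAMPLE, ['dc.title', 'dc.description.abstract', 'dc.contributor.author'], true));
```

Calling allMetadata without injectedAsHTML returns the values untouched, which is what plain Angular text bindings expect since interpolation already escapes them.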

Member

@tdonohue tdonohue left a comment

@alexandrevryghem : Thanks for this PR as well. I tested this today alongside DSpace/DSpace#11345. It works well, and I can verify that HTML is now escaped (by default) the same across the application.

My only recommendation though is to consider a rename of the injectedAsHTML field (and simply call it escapeHTML or similar). I find the current name confusing because it doesn't accurately describe what happens when you pass in true. If you pass true, that doesn't cause the value to be injected elsewhere as HTML. Instead, a value of true causes any HTML to be escaped in the output.

That's my only minor comment. Beyond that, the rest looks good to me.

@tdonohue tdonohue moved this from 🙋 Needs Reviewers Assigned to 👀 Under Review in DSpace 10.0 Release Oct 20, 2025
Development

Successfully merging this pull request may close these issues.

HTML tags in administrative workflow view are being evaluated

3 participants