@hmcts/ccd-case-ui-toolkit 7.2.45 → 7.2.46-2673

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/esm2022/lib/shared/services/form/form-validators.service.mjs +13 -3
  2. package/fesm2022/hmcts-ccd-case-ui-toolkit.mjs +12 -2
  3. package/fesm2022/hmcts-ccd-case-ui-toolkit.mjs.map +1 -1
  4. package/lib/shared/services/form/form-validators.service.d.ts.map +1 -1
  5. package/package.json +1 -1
package/esm2022/lib/shared/services/form/form-validators.service.mjs CHANGED
@@ -52,10 +52,20 @@ export class FormValidatorsService {
52
52
  return validator;
53
53
  }
54
54
  static markDownPatternValidator() {
55
- const pattern = /(\[[^\]]{0,500}\]\([^)]{0,500}\)|!\[[^\]]{0,500}\]\([^)]{0,500}\)|<img[^>]{0,500}>|<a[^>]{0,500}>.*?<\/a>)/;
55
+ const aTagPattern = /<a\b[^>]*(>|$)/i;
56
+ const pattern = /(\[[^\]]{0,500}\]\([^)]{0,500}\)|!\[[^\]]{0,500}\]\([^)]{0,500}\)|<img\b[^>]{0,500}(?:>|$))/i;
57
+ const hasDangerousAttrs = /\bon\w+\s*=/i;
58
+ const hasJsProtocol = /(?:src|href)\s*=\s*["']?\s*javascript:/i;
56
59
  return (control) => {
57
60
  const value = control?.value?.toString().trim();
58
- return (value && pattern.test(value)) ? { markDownPattern: {} } : null;
61
+ if (value &&
62
+ (pattern.test(value) ||
63
+ aTagPattern.test(value) ||
64
+ hasDangerousAttrs.test(value) ||
65
+ hasJsProtocol.test(value))) {
66
+ return { markDownPattern: {} };
67
+ }
68
+ return null;
59
69
  };
60
70
  }
61
71
  // TODO: Strip this out as it's only here for the moment because
@@ -79,4 +89,4 @@ export class FormValidatorsService {
79
89
  (() => { (typeof ngDevMode === "undefined" || ngDevMode) && i0.ɵsetClassMetadata(FormValidatorsService, [{
80
90
  type: Injectable
81
91
  }], null, null); })();
82
- //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZm9ybS12YWxpZGF0b3JzLnNlcnZpY2UuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi8uLi8uLi9wcm9qZWN0cy9jY2QtY2FzZS11aS10b29sa2l0L3NyYy9saWIvc2hhcmVkL3NlcnZpY2VzL2Zvcm0vZm9ybS12YWxpZGF0b3JzLnNlcnZpY2UudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLFVBQVUsRUFBRSxNQUFNLGVBQWUsQ0FBQztBQUMzQyxPQUFPLEVBQWtELFVBQVUsRUFBRSxNQUFNLGdCQUFnQixDQUFDO0FBRTVGLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSx5QkFBeUIsQ0FBQzs7QUFLcEQsTUFBTSxPQUFPLHFCQUFxQjtJQUN4QixNQUFNLENBQVUsc0JBQXNCLEdBQW9CO1FBQ2hFLE1BQU0sRUFBRSxVQUFVLEVBQUUsT0FBTyxFQUFFLGNBQWM7S0FDNUMsQ0FBQztJQUNNLE1BQU0sQ0FBVSxrQkFBa0IsR0FBRyxNQUFNLENBQUM7SUFDNUMsTUFBTSxDQUFVLHNCQUFzQixHQUFHLFdBQVcsQ0FBQztJQUV0RCxNQUFNLENBQUMsYUFBYSxDQUFDLFNBQW9CLEVBQUUsT0FBd0I7UUFDeEUsSUFDRSxTQUFTLENBQUMsZUFBZSxLQUFLLFNBQVMsQ0FBQyxTQUFTO1lBQ2pELHFCQUFxQixDQUFDLHNCQUFzQixDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUN0RixDQUFDO1lBQ0QsTUFBTSxVQUFVLEdBQUcsQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLENBQUM7WUFDekMsSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLElBQUksS0FBSyxNQUFNLEVBQUUsQ0FBQztnQkFDekMsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsd0JBQXdCLEVBQUUsQ0FBQyxDQUFDO2dCQUNqRCxJQUFJLFNBQVMsQ0FBQyxVQUFVLENBQUMsa0JBQWtCLEVBQUUsQ0FBQztvQkFDNUMsVUFBVSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQyxVQUFVLENBQUMsa0JBQWtCLENBQUMsQ0FBQyxDQUFDO2dCQUMvRSxDQUFDO3FCQUFNLENBQUM7b0JBQ04sVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUMsQ0FBQztnQkFDekMsQ0FBQztnQkFDRCxJQUFJLFNBQVMsQ0FBQyxVQUFVLENBQUMsR0FBRyxJQUFJLENBQUMsT0FBTyxTQUFTLENBQUMsVUFBVSxDQUFDLEdBQUcsS0FBSyxRQUFRLENBQUMsRUFBRSxDQUFDO29CQUMvRSxVQUFVLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxTQUFTLENBQUMsU0FBUyxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO2dCQUNsRSxDQUFDO2dCQUNELElBQUksU0FBUyxDQUFDLFVBQVUsQ0FBQyxHQUFHLElBQUksQ0FBQyxPQUFPLFNBQVMsQ0FBQyxVQUFVLENBQUMsR0FBRyxLQUFLLFFBQVEsQ0FBQyxFQUFFLENBQUM7b0JBQy9FLFVBQVUsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxTQUFTLENBQUMsVUFBVSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7Z0JBQ2xFLENBQUM7WUFDSCxDQUFDO1lBRUQsSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLElBQUksS0FBSyxVQUFVLEVBQUUsQ0FBQztnQkFDN0MsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUMsQ0FBQztnQkFDdkMsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsd0JBQXdCLEVBQUUsQ0FBQyxDQUFDO1lBQ25ELENBQUM7WUFFRCxJQUFJLE9BQU8sQ0FBQyxTQUFTLEVBQUUsQ0FBQztnQkFDdEIsVUFBVSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsU0FBUyxDQUFDLENBQUM7WUFDckMsQ0FBQztZQUNELE9BQU8sQ0FBQyxhQUFhLENBQUMsVUFBVSxDQUFDLENBQUM7UUFDcEMsQ0FBQzthQUFNLElBQUksU0FBUyxDQUFDLGVBQWUsS0FBSyxVQUFVLElBQUksQ0FBQyxTQUFTLENBQUMsVUFBVSxDQUFDLElBQUksS0FBSyxNQUFNLElBQUksU0FBUyxDQUFDLFVBQVUsQ0FBQyxJQUFJLEtBQUssVUFBVSxDQUFDO2VBQ3RJLENBQUMsU0FBUyxDQUFDLGVBQWUsS0FBSyxTQUFTLElBQUksU0FBUyxDQUFDLFVBQVUsQ0FBQyxJQUFJLEtBQUssU0FBUyxDQUFDLEVBQUUsQ0FBQztZQUN4RixPQUFPLENBQUMsYUFBYSxDQUFDLElBQUksQ0FBQyx3QkFBd0IsRUFBRSxDQUFDLENBQUM7UUFDekQsQ0FBQztRQUVELE9BQU8sT0FBTyxDQUFDO0lBQ2pCLENBQUM7SUFFTSxNQUFNLENBQUMsY0FBYztRQUMxQixNQUFNLFNBQVMsR0FBRyxDQUFDLE9BQXdCLEVBQTBCLEVBQUU7WUFDckUsSUFBSSxPQUFPLEVBQUUsS0FBSyxFQUFFLFFBQVEsRUFBRSxDQUFDLElBQUksRUFBRSxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQztnQkFDbkQsT0FBTyxFQUFFLFFBQVEsRUFBRSxFQUFFLEVBQUUsQ0FBQztZQUMxQixDQUFDO1lBQ0QsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDLENBQUM7UUFDRixPQUFPLFNBQVMsQ0FBQztJQUNuQixDQUFDO0lBRU0sTUFBTSxDQUFDLHdCQUF3QjtRQUNwQyxNQUFNLE9BQU8sR0FBRyw0R0FBNEcsQ0FBQztRQUU3SCxPQUFPLENBQUMsT0FBd0IsRUFBMkIsRUFBRTtZQUMzRCxNQUFNLEtBQUssR0FBRyxPQUFPLEVBQUUsS0FBSyxFQUFFLFFBQVEsRUFBRSxDQUFDLElBQUksRUFBRSxDQUFDO1lBQ2hELE9BQU8sQ0FBQyxLQUFLLElBQUksT0FBTyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLGVBQWUsRUFBRSxFQUFFLEVBQUUsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDO1FBQ3pFLENBQUMsQ0FBQztJQUNKLENBQUM7SUFFRCxnRUFBZ0U7SUFDaEUsa0VBQWtFO0lBQ2xFLGlFQUFpRTtJQUNqRSxzQkFBc0I7SUFDZixhQUFhLENBQUMsU0FBb0IsRUFBRSxPQUF3QjtRQUNqRSxPQUFPLHFCQUFxQixDQUFDLGFBQWEsQ0FBQyxTQUFTLEVBQUUsT0FBTyxDQUFDLENBQUM7SUFDakUsQ0FBQztJQUVNLHFCQUFxQixDQUFDLFNBQTBCLEVBQUUsV0FBbUI7UUFDMUUsTUFBTSxPQUFPLEdBQUcsU0FBUyxDQUFDLEdBQUcsQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUMzQyxJQUFJLE9BQU8sRUFBRSxDQUFDO1lBQ1osT0FBTyxDQUFDLGFBQWEsQ0FBQyxxQkFBcUIsQ0FBQyx3QkFBd0IsRUFBRSxDQUFDLENBQUM7WUFDeEUsT0FBTyxDQUFDLHNCQUFzQixFQUFFLENBQUM7UUFDbkMsQ0FBQztRQUNELE9BQU8sT0FBTyxDQUFDO0lBQ2pCLENBQUM7K0dBL0VVLHFCQUFxQjtnRUFBckIscUJBQXFCLFdBQXJCLHFCQUFxQjs7aUZBQXJCLHFCQUFxQjtjQURqQyxVQUFVIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgSW5qZWN0YWJsZSB9IGZyb20gJ0Bhbmd1bGFyL2NvcmUnO1xuaW1wb3J0IHsgQWJzdHJhY3RDb250cm9sLCBWYWxpZGF0aW9uRXJyb3JzLCBWYWxpZGF0b3JGbiwgVmFsaWRhdG9ycyB9IGZyb20gJ0Bhbmd1bGFyL2Zvcm1zJztcblxuaW1wb3J0IHsgQ29uc3RhbnRzIH0gZnJvbSAnLi4vLi4vY29tbW9ucy9jb25zdGFudHMnO1xuaW1wb3J0IHsgQ2FzZUZpZWxkIH0gZnJvbSAnLi4vLi4vZG9tYWluL2RlZmluaXRpb24vY2FzZS1maWVsZC5tb2RlbCc7XG5pbXBvcnQgeyBGaWVsZFR5cGVFbnVtIH0gZnJvbSAnLi4vLi4vZG9tYWluL2RlZmluaXRpb24vZmllbGQtdHlwZS1lbnVtLm1vZGVsJztcblxuQEluamVjdGFibGUoKVxuZXhwb3J0IGNsYXNzIEZvcm1WYWxpZGF0b3JzU2VydmljZSB7XG4gIHByaXZhdGUgc3RhdGljIHJlYWRvbmx5IENVU1RPTV9WQUxJREFURURfVFlQRVM6IEZpZWxkVHlwZUVudW1bXSA9IFtcbiAgICAnRGF0ZScsICdNb25leUdCUCcsICdMYWJlbCcsICdKdWRpY2lhbFVzZXInXG4gIF07XG4gIHByaXZhdGUgc3RhdGljIHJlYWRvbmx5IERFRkFVTFRfSU5QVVRfVEVYVCA9ICd0ZXh0JztcbiAgcHJpdmF0ZSBzdGF0aWMgcmVhZG9ubHkgREVGQVVMVF9JTlBVVF9URVhUQVJFQSA9ICd0ZXh0QXJlYXMnO1xuXG4gIHB1YmxpYyBzdGF0aWMgYWRkVmFsaWRhdG9ycyhjYXNlRmllbGQ6IENhc2VGaWVsZCwgY29udHJvbDogQWJzdHJhY3RDb250cm9sKTogQWJzdHJhY3RDb250cm9sIHtcbiAgICBpZiAoXG4gICAgICBjYXNlRmllbGQuZGlzcGxheV9jb250ZXh0ID09PSBDb25zdGFudHMuTUFOREFUT1JZICYmXG4gICAgICBGb3JtVmFsaWRhdG9yc1NlcnZpY2UuQ1VTVE9NX1ZBTElEQVRFRF9UWVBFUy5pbmRleE9mKGNhc2VGaWVsZC5maWVsZF90eXBlLnR5cGUpID09PSAtMVxuICAgICkge1xuICAgICAgY29uc3QgdmFsaWRhdG9ycyA9IFtWYWxpZGF0b3JzLnJlcXVpcmVkXTtcbiAgICAgIGlmIChjYXNlRmllbGQuZmllbGRfdHlwZS50eXBlID09PSAnVGV4dCcpIHtcbiAgICAgICAgdmFsaWRhdG9ycy5wdXNoKHRoaXMubWFya0Rvd25QYXR0ZXJuVmFsaWRhdG9yKCkpO1xuICAgICAgICBpZiAoY2FzZUZpZWxkLmZpZWxkX3R5cGUucmVndWxhcl9leHByZXNzaW9uKSB7XG4gICAgICAgICAgdmFsaWRhdG9ycy5wdXNoKFZhbGlkYXRvcnMucGF0dGVybihjYXNlRmllbGQuZmllbGRfdHlwZS5yZWd1bGFyX2V4cHJlc3Npb24pKTtcbiAgICAgICAgfSBlbHNlIHtcbiAgICAgICAgICB2YWxpZGF0b3JzLnB1c2godGhpcy5lbXB0eVZhbGlkYXRvcigpKTtcbiAgICAgICAgfVxuICAgICAgICBpZiAoY2FzZUZpZWxkLmZpZWxkX3R5cGUubWluICYmICh0eXBlb2YgY2FzZUZpZWxkLmZpZWxkX3R5cGUubWluID09PSAnbnVtYmVyJykpIHtcbiAgICAgICAgICB2YWxpZGF0b3JzLnB1c2goVmFsaWRhdG9ycy5taW5MZW5ndGgoY2FzZUZpZWxkLmZpZWxkX3R5cGUubWluKSk7XG4gICAgICAgIH1cbiAgICAgICAgaWYgKGNhc2VGaWVsZC5maWVsZF90eXBlLm1heCAmJiAodHlwZW9mIGNhc2VGaWVsZC5maWVsZF90eXBlLm1heCA9PT0gJ251bWJlcicpKSB7XG4gICAgICAgICAgdmFsaWRhdG9ycy5wdXNoKFZhbGlkYXRvcnMubWF4TGVuZ3RoKGNhc2VGaWVsZC5maWVsZF90eXBlLm1heCkpO1xuICAgICAgICB9XG4gICAgICB9XG5cbiAgICAgIGlmIChjYXNlRmllbGQuZmllbGRfdHlwZS50eXBlID09PSAnVGV4dEFyZWEnKSB7XG4gICAgICAgIHZhbGlkYXRvcnMucHVzaCh0aGlzLmVtcHR5VmFsaWRhdG9yKCkpO1xuICAgICAgICB2YWxpZGF0b3JzLnB1c2godGhpcy5tYXJrRG93blBhdHRlcm5WYWxpZGF0b3IoKSk7XG4gICAgICB9XG5cbiAgICAgIGlmIChjb250cm9sLnZhbGlkYXRvcikge1xuICAgICAgICB2YWxpZGF0b3JzLnB1c2goY29udHJvbC52YWxpZGF0b3IpO1xuICAgICAgfVxuICAgICAgY29udHJvbC5zZXRWYWxpZGF0b3JzKHZhbGlkYXRvcnMpO1xuICAgIH0gZWxzZSBpZiAoY2FzZUZpZWxkLmRpc3BsYXlfY29udGV4dCA9PT0gJ09QVElPTkFMJyAmJiAoY2FzZUZpZWxkLmZpZWxkX3R5cGUudHlwZSA9PT0gJ1RleHQnIHx8IGNhc2VGaWVsZC5maWVsZF90eXBlLnR5cGUgPT09ICdUZXh0QXJlYScpXG4gICAgfHwgKGNhc2VGaWVsZC5kaXNwbGF5X2NvbnRleHQgPT09ICdDT01QTEVYJyAmJiBjYXNlRmllbGQuZmllbGRfdHlwZS50eXBlID09PSAnQ29tcGxleCcpKSB7XG4gICAgICBjb250cm9sLnNldFZhbGlkYXRvcnModGhpcy5tYXJrRG93blBhdHRlcm5WYWxpZGF0b3IoKSk7XG4gICAgfVxuXG4gICAgcmV0dXJuIGNvbnRyb2w7XG4gIH1cblxuICBwdWJsaWMgc3RhdGljIGVtcHR5VmFsaWRhdG9yKCk6IFZhbGlkYXRvckZuIHtcbiAgICBjb25zdCB2YWxpZGF0b3IgPSAoY29udHJvbDogQWJzdHJhY3RDb250cm9sKTpWYWxpZGF0aW9uRXJyb3JzIHwgbnVsbCA9PiB7XG4gICAgICBpZiAoY29udHJvbD8udmFsdWU/LnRvU3RyaW5nKCkudHJpbSgpLmxlbmd0aCA9PT0gMCkge1xuICAgICAgICByZXR1cm4geyByZXF1aXJlZDoge30gfTtcbiAgICAgIH1cbiAgICAgIHJldHVybiBudWxsO1xuICAgIH07XG4gICAgcmV0dXJuIHZhbGlkYXRvcjtcbiAgfVxuXG4gIHB1YmxpYyBzdGF0aWMgbWFya0Rvd25QYXR0ZXJuVmFsaWRhdG9yKCk6IFZhbGlkYXRvckZuIHtcbiAgICBjb25zdCBwYXR0ZXJuID0gLyhcXFtbXlxcXV17MCw1MDB9XFxdXFwoW14pXXswLDUwMH1cXCl8IVxcW1teXFxdXXswLDUwMH1cXF1cXChbXildezAsNTAwfVxcKXw8aW1nW14+XXswLDUwMH0+fDxhW14+XXswLDUwMH0+Lio/PFxcL2E+KS87XG5cbiAgICByZXR1cm4gKGNvbnRyb2w6IEFic3RyYWN0Q29udHJvbCk6IFZhbGlkYXRpb25FcnJvcnMgfCBudWxsID0+IHtcbiAgICAgIGNvbnN0IHZhbHVlID0gY29udHJvbD8udmFsdWU/LnRvU3RyaW5nKCkudHJpbSgpO1xuICAgICAgcmV0dXJuICh2YWx1ZSAmJiBwYXR0ZXJuLnRlc3QodmFsdWUpKSA/IHsgbWFya0Rvd25QYXR0ZXJuOiB7fSB9IDogbnVsbDtcbiAgICB9O1xuICB9XG5cbiAgLy8gVE9ETzogU3RyaXAgdGhpcyBvdXQgYXMgaXQncyBvbmx5IGhlcmUgZm9yIHRoZSBtb21lbnQgYmVjYXVzZVxuICAvLyB0aGUgc2VydmljZSBpcyBiZWluZyBpbmplY3RlZCBhbGwgb3ZlciB0aGUgcGxhY2UgYnV0IGl0IGRvZXNuJ3RcbiAgLy8gbmVlZCB0byBiZSBhcyBGb3JtVmFsaWRhdG9yc1NlcnZpY2UuYWRkVmFsaWRhdG9ycyBpcyBwZXJmZWN0bHlcbiAgLy8gaGFwcHkgYmVpbmcgc3RhdGljLlxuICBwdWJsaWMgYWRkVmFsaWRhdG9ycyhjYXNlRmllbGQ6IENhc2VGaWVsZCwgY29udHJvbDogQWJzdHJhY3RDb250cm9sKTogQWJzdHJhY3RDb250cm9sIHtcbiAgICByZXR1cm4gRm9ybVZhbGlkYXRvcnNTZXJ2aWNlLmFkZFZhbGlkYXRvcnMoY2FzZUZpZWxkLCBjb250cm9sKTtcbiAgfVxuXG4gIHB1YmxpYyBhZGRNYXJrRG93blZhbGlkYXRvcnMoZm9ybUdyb3VwOiBBYnN0cmFjdENvbnRyb2wsIGNvbnRyb2xQYXRoOiBzdHJpbmcpOiBBYnN0cmFjdENvbnRyb2wge1xuICAgIGNvbnN0IGNvbnRyb2wgPSBmb3JtR3JvdXAuZ2V0KGNvbnRyb2xQYXRoKTtcbiAgICBpZiAoY29udHJvbCkge1xuICAgICAgY29udHJvbC5zZXRWYWxpZGF0b3JzKEZvcm1WYWxpZGF0b3JzU2VydmljZS5tYXJrRG93blBhdHRlcm5WYWxpZGF0b3IoKSk7XG4gICAgICBjb250cm9sLnVwZGF0ZVZhbHVlQW5kVmFsaWRpdHkoKTtcbiAgICB9XG4gICAgcmV0dXJuIGNvbnRyb2w7XG4gIH1cbn1cbiJdfQ==
92
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZm9ybS12YWxpZGF0b3JzLnNlcnZpY2UuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi8uLi8uLi9wcm9qZWN0cy9jY2QtY2FzZS11aS10b29sa2l0L3NyYy9saWIvc2hhcmVkL3NlcnZpY2VzL2Zvcm0vZm9ybS12YWxpZGF0b3JzLnNlcnZpY2UudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLFVBQVUsRUFBRSxNQUFNLGVBQWUsQ0FBQztBQUMzQyxPQUFPLEVBQWtELFVBQVUsRUFBRSxNQUFNLGdCQUFnQixDQUFDO0FBRTVGLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSx5QkFBeUIsQ0FBQzs7QUFLcEQsTUFBTSxPQUFPLHFCQUFxQjtJQUN4QixNQUFNLENBQVUsc0JBQXNCLEdBQW9CO1FBQ2hFLE1BQU0sRUFBRSxVQUFVLEVBQUUsT0FBTyxFQUFFLGNBQWM7S0FDNUMsQ0FBQztJQUVNLE1BQU0sQ0FBVSxrQkFBa0IsR0FBRyxNQUFNLENBQUM7SUFDNUMsTUFBTSxDQUFVLHNCQUFzQixHQUFHLFdBQVcsQ0FBQztJQUV0RCxNQUFNLENBQUMsYUFBYSxDQUFDLFNBQW9CLEVBQUUsT0FBd0I7UUFDeEUsSUFDRSxTQUFTLENBQUMsZUFBZSxLQUFLLFNBQVMsQ0FBQyxTQUFTO1lBQ2pELHFCQUFxQixDQUFDLHNCQUFzQixDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUN0RixDQUFDO1lBQ0QsTUFBTSxVQUFVLEdBQUcsQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLENBQUM7WUFDekMsSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLElBQUksS0FBSyxNQUFNLEVBQUUsQ0FBQztnQkFDekMsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsd0JBQXdCLEVBQUUsQ0FBQyxDQUFDO2dCQUNqRCxJQUFJLFNBQVMsQ0FBQyxVQUFVLENBQUMsa0JBQWtCLEVBQUUsQ0FBQztvQkFDNUMsVUFBVSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQyxVQUFVLENBQUMsa0JBQWtCLENBQUMsQ0FBQyxDQUFDO2dCQUMvRSxDQUFDO3FCQUFNLENBQUM7b0JBQ04sVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUMsQ0FBQztnQkFDekMsQ0FBQztnQkFDRCxJQUFJLFNBQVMsQ0FBQyxVQUFVLENBQUMsR0FBRyxJQUFJLENBQUMsT0FBTyxTQUFTLENBQUMsVUFBVSxDQUFDLEdBQUcsS0FBSyxRQUFRLENBQUMsRUFBRSxDQUFDO29CQUMvRSxVQUFVLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxTQUFTLENBQUMsU0FBUyxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO2dCQUNsRSxDQUFDO2dCQUNELElBQUksU0FBUyxDQUFDLFVBQVUsQ0FBQyxHQUFHLElBQUksQ0FBQyxPQUFPLFNBQVMsQ0FBQyxVQUFVLENBQUMsR0FBRyxLQUFLLFFBQVEsQ0FBQyxFQUFFLENBQUM7b0JBQy9FLFVBQVUsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxTQUFTLENBQUMsVUFBVSxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUM7Z0JBQ2xFLENBQUM7WUFDSCxDQUFDO1lBRUQsSUFBSSxTQUFTLENBQUMsVUFBVSxDQUFDLElBQUksS0FBSyxVQUFVLEVBQUUsQ0FBQztnQkFDN0MsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUMsQ0FBQztnQkFDdkMsVUFBVSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsd0JBQXdCLEVBQUUsQ0FBQyxDQUFDO1lBQ25ELENBQUM7WUFFRCxJQUFJLE9BQU8sQ0FBQyxTQUFTLEVBQUUsQ0FBQztnQkFDdEIsVUFBVSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsU0FBUyxDQUFDLENBQUM7WUFDckMsQ0FBQztZQUNELE9BQU8sQ0FBQyxhQUFhLENBQUMsVUFBVSxDQUFDLENBQUM7UUFDcEMsQ0FBQzthQUFNLElBQUksU0FBUyxDQUFDLGVBQWUsS0FBSyxVQUFVLElBQUksQ0FBQyxTQUFTLENBQUMsVUFBVSxDQUFDLElBQUksS0FBSyxNQUFNLElBQUksU0FBUyxDQUFDLFVBQVUsQ0FBQyxJQUFJLEtBQUssVUFBVSxDQUFDO2VBQ3RJLENBQUMsU0FBUyxDQUFDLGVBQWUsS0FBSyxTQUFTLElBQUksU0FBUyxDQUFDLFVBQVUsQ0FBQyxJQUFJLEtBQUssU0FBUyxDQUFDLEVBQUUsQ0FBQztZQUN4RixPQUFPLENBQUMsYUFBYSxDQUFDLElBQUksQ0FBQyx3QkFBd0IsRUFBRSxDQUFDLENBQUM7UUFDekQsQ0FBQztRQUVELE9BQU8sT0FBTyxDQUFDO0lBQ2pCLENBQUM7SUFFTSxNQUFNLENBQUMsY0FBYztRQUMxQixNQUFNLFNBQVMsR0FBRyxDQUFDLE9BQXdCLEVBQTBCLEVBQUU7WUFDckUsSUFBSSxPQUFPLEVBQUUsS0FBSyxFQUFFLFFBQVEsRUFBRSxDQUFDLElBQUksRUFBRSxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQztnQkFDbkQsT0FBTyxFQUFFLFFBQVEsRUFBRSxFQUFFLEVBQUUsQ0FBQztZQUMxQixDQUFDO1lBQ0QsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDLENBQUM7UUFDRixPQUFPLFNBQVMsQ0FBQztJQUNuQixDQUFDO0lBRU0sTUFBTSxDQUFDLHdCQUF3QjtRQUNwQyxNQUFNLFdBQVcsR0FBRyxpQkFBaUIsQ0FBQztRQUN0QyxNQUFNLE9BQU8sR0FBRyw4RkFBOEYsQ0FBQztRQUMvRyxNQUFNLGlCQUFpQixHQUFHLGNBQWMsQ0FBQztRQUN6QyxNQUFNLGFBQWEsR0FBRyx5Q0FBeUMsQ0FBQztRQUVoRSxPQUFPLENBQUMsT0FBd0IsRUFBMkIsRUFBRTtZQUMzRCxNQUFNLEtBQUssR0FBRyxPQUFPLEVBQUUsS0FBSyxFQUFFLFFBQVEsRUFBRSxDQUFDLElBQUksRUFBRSxDQUFDO1lBQ2hELElBQ0UsS0FBSztnQkFDTCxDQUNFLE9BQU8sQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDO29CQUNuQixXQUFXLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQztvQkFDdkIsaUJBQWlCLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQztvQkFDN0IsYUFBYSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FDMUIsRUFDRCxDQUFDO2dCQUNELE9BQU8sRUFBRSxlQUFlLEVBQUUsRUFBRSxFQUFFLENBQUM7WUFDakMsQ0FBQztZQUNELE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQyxDQUFDO0lBQ0osQ0FBQztJQUVELGdFQUFnRTtJQUNoRSxrRUFBa0U7SUFDbEUsaUVBQWlFO0lBQ2pFLHNCQUFzQjtJQUNmLGFBQWEsQ0FBQyxTQUFvQixFQUFFLE9BQXdCO1FBQ2pFLE9BQU8scUJBQXFCLENBQUMsYUFBYSxDQUFDLFNBQVMsRUFBRSxPQUFPLENBQUMsQ0FBQztJQUNqRSxDQUFDO0lBRU0scUJBQXFCLENBQUMsU0FBMEIsRUFBRSxXQUFtQjtRQUMxRSxNQUFNLE9BQU8sR0FBRyxTQUFTLENBQUMsR0FBRyxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQzNDLElBQUksT0FBTyxFQUFFLENBQUM7WUFDWixPQUFPLENBQUMsYUFBYSxDQUFDLHFCQUFxQixDQUFDLHdCQUF3QixFQUFFLENBQUMsQ0FBQztZQUN4RSxPQUFPLENBQUMsc0JBQXNCLEVBQUUsQ0FBQztRQUNuQyxDQUFDO1FBQ0QsT0FBTyxPQUFPLENBQUM7SUFDakIsQ0FBQzsrR0E5RlUscUJBQXFCO2dFQUFyQixxQkFBcUIsV0FBckIscUJBQXFCOztpRkFBckIscUJBQXFCO2NBRGpDLFVBQVUiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgeyBJbmplY3RhYmxlIH0gZnJvbSAnQGFuZ3VsYXIvY29yZSc7XG5pbXBvcnQgeyBBYnN0cmFjdENvbnRyb2wsIFZhbGlkYXRpb25FcnJvcnMsIFZhbGlkYXRvckZuLCBWYWxpZGF0b3JzIH0gZnJvbSAnQGFuZ3VsYXIvZm9ybXMnO1xuXG5pbXBvcnQgeyBDb25zdGFudHMgfSBmcm9tICcuLi8uLi9jb21tb25zL2NvbnN0YW50cyc7XG5pbXBvcnQgeyBDYXNlRmllbGQgfSBmcm9tICcuLi8uLi9kb21haW4vZGVmaW5pdGlvbi9jYXNlLWZpZWxkLm1vZGVsJztcbmltcG9ydCB7IEZpZWxkVHlwZUVudW0gfSBmcm9tICcuLi8uLi9kb21haW4vZGVmaW5pdGlvbi9maWVsZC10eXBlLWVudW0ubW9kZWwnO1xuXG5ASW5qZWN0YWJsZSgpXG5leHBvcnQgY2xhc3MgRm9ybVZhbGlkYXRvcnNTZXJ2aWNlIHtcbiAgcHJpdmF0ZSBzdGF0aWMgcmVhZG9ubHkgQ1VTVE9NX1ZBTElEQVRFRF9UWVBFUzogRmllbGRUeXBlRW51bVtdID0gW1xuICAgICdEYXRlJywgJ01vbmV5R0JQJywgJ0xhYmVsJywgJ0p1ZGljaWFsVXNlcidcbiAgXTtcblxuICBwcml2YXRlIHN0YXRpYyByZWFkb25seSBERUZBVUxUX0lOUFVUX1RFWFQgPSAndGV4dCc7XG4gIHByaXZhdGUgc3RhdGljIHJlYWRvbmx5IERFRkFVTFRfSU5QVVRfVEVYVEFSRUEgPSAndGV4dEFyZWFzJztcblxuICBwdWJsaWMgc3RhdGljIGFkZFZhbGlkYXRvcnMoY2FzZUZpZWxkOiBDYXNlRmllbGQsIGNvbnRyb2w6IEFic3RyYWN0Q29udHJvbCk6IEFic3RyYWN0Q29udHJvbCB7XG4gICAgaWYgKFxuICAgICAgY2FzZUZpZWxkLmRpc3BsYXlfY29udGV4dCA9PT0gQ29uc3RhbnRzLk1BTkRBVE9SWSAmJlxuICAgICAgRm9ybVZhbGlkYXRvcnNTZXJ2aWNlLkNVU1RPTV9WQUxJREFURURfVFlQRVMuaW5kZXhPZihjYXNlRmllbGQuZmllbGRfdHlwZS50eXBlKSA9PT0gLTFcbiAgICApIHtcbiAgICAgIGNvbnN0IHZhbGlkYXRvcnMgPSBbVmFsaWRhdG9ycy5yZXF1aXJlZF07XG4gICAgICBpZiAoY2FzZUZpZWxkLmZpZWxkX3R5cGUudHlwZSA9PT0gJ1RleHQnKSB7XG4gICAgICAgIHZhbGlkYXRvcnMucHVzaCh0aGlzLm1hcmtEb3duUGF0dGVyblZhbGlkYXRvcigpKTtcbiAgICAgICAgaWYgKGNhc2VGaWVsZC5maWVsZF90eXBlLnJlZ3VsYXJfZXhwcmVzc2lvbikge1xuICAgICAgICAgIHZhbGlkYXRvcnMucHVzaChWYWxpZGF0b3JzLnBhdHRlcm4oY2FzZUZpZWxkLmZpZWxkX3R5cGUucmVndWxhcl9leHByZXNzaW9uKSk7XG4gICAgICAgIH0gZWxzZSB7XG4gICAgICAgICAgdmFsaWRhdG9ycy5wdXNoKHRoaXMuZW1wdHlWYWxpZGF0b3IoKSk7XG4gICAgICAgIH1cbiAgICAgICAgaWYgKGNhc2VGaWVsZC5maWVsZF90eXBlLm1pbiAmJiAodHlwZW9mIGNhc2VGaWVsZC5maWVsZF90eXBlLm1pbiA9PT0gJ251bWJlcicpKSB7XG4gICAgICAgICAgdmFsaWRhdG9ycy5wdXNoKFZhbGlkYXRvcnMubWluTGVuZ3RoKGNhc2VGaWVsZC5maWVsZF90eXBlLm1pbikpO1xuICAgICAgICB9XG4gICAgICAgIGlmIChjYXNlRmllbGQuZmllbGRfdHlwZS5tYXggJiYgKHR5cGVvZiBjYXNlRmllbGQuZmllbGRfdHlwZS5tYXggPT09ICdudW1iZXInKSkge1xuICAgICAgICAgIHZhbGlkYXRvcnMucHVzaChWYWxpZGF0b3JzLm1heExlbmd0aChjYXNlRmllbGQuZmllbGRfdHlwZS5tYXgpKTtcbiAgICAgICAgfVxuICAgICAgfVxuXG4gICAgICBpZiAoY2FzZUZpZWxkLmZpZWxkX3R5cGUudHlwZSA9PT0gJ1RleHRBcmVhJykge1xuICAgICAgICB2YWxpZGF0b3JzLnB1c2godGhpcy5lbXB0eVZhbGlkYXRvcigpKTtcbiAgICAgICAgdmFsaWRhdG9ycy5wdXNoKHRoaXMubWFya0Rvd25QYXR0ZXJuVmFsaWRhdG9yKCkpO1xuICAgICAgfVxuXG4gICAgICBpZiAoY29udHJvbC52YWxpZGF0b3IpIHtcbiAgICAgICAgdmFsaWRhdG9ycy5wdXNoKGNvbnRyb2wudmFsaWRhdG9yKTtcbiAgICAgIH1cbiAgICAgIGNvbnRyb2wuc2V0VmFsaWRhdG9ycyh2YWxpZGF0b3JzKTtcbiAgICB9IGVsc2UgaWYgKGNhc2VGaWVsZC5kaXNwbGF5X2NvbnRleHQgPT09ICdPUFRJT05BTCcgJiYgKGNhc2VGaWVsZC5maWVsZF90eXBlLnR5cGUgPT09ICdUZXh0JyB8fCBjYXNlRmllbGQuZmllbGRfdHlwZS50eXBlID09PSAnVGV4dEFyZWEnKVxuICAgIHx8IChjYXNlRmllbGQuZGlzcGxheV9jb250ZXh0ID09PSAnQ09NUExFWCcgJiYgY2FzZUZpZWxkLmZpZWxkX3R5cGUudHlwZSA9PT0gJ0NvbXBsZXgnKSkge1xuICAgICAgY29udHJvbC5zZXRWYWxpZGF0b3JzKHRoaXMubWFya0Rvd25QYXR0ZXJuVmFsaWRhdG9yKCkpO1xuICAgIH1cblxuICAgIHJldHVybiBjb250cm9sO1xuICB9XG5cbiAgcHVibGljIHN0YXRpYyBlbXB0eVZhbGlkYXRvcigpOiBWYWxpZGF0b3JGbiB7XG4gICAgY29uc3QgdmFsaWRhdG9yID0gKGNvbnRyb2w6IEFic3RyYWN0Q29udHJvbCk6VmFsaWRhdGlvbkVycm9ycyB8IG51bGwgPT4ge1xuICAgICAgaWYgKGNvbnRyb2w/LnZhbHVlPy50b1N0cmluZygpLnRyaW0oKS5sZW5ndGggPT09IDApIHtcbiAgICAgICAgcmV0dXJuIHsgcmVxdWlyZWQ6IHt9IH07XG4gICAgICB9XG4gICAgICByZXR1cm4gbnVsbDtcbiAgICB9O1xuICAgIHJldHVybiB2YWxpZGF0b3I7XG4gIH1cblxuICBwdWJsaWMgc3RhdGljIG1hcmtEb3duUGF0dGVyblZhbGlkYXRvcigpOiBWYWxpZGF0b3JGbiB7XG4gICAgY29uc3QgYVRhZ1BhdHRlcm4gPSAvPGFcXGJbXj5dKig+fCQpL2k7XG4gICAgY29uc3QgcGF0dGVybiA9IC8oXFxbW15cXF1dezAsNTAwfVxcXVxcKFteKV17MCw1MDB9XFwpfCFcXFtbXlxcXV17MCw1MDB9XFxdXFwoW14pXXswLDUwMH1cXCl8PGltZ1xcYltePl17MCw1MDB9KD86PnwkKSkvaTtcbiAgICBjb25zdCBoYXNEYW5nZXJvdXNBdHRycyA9IC9cXGJvblxcdytcXHMqPS9pO1xuICAgIGNvbnN0IGhhc0pzUHJvdG9jb2wgPSAvKD86c3JjfGhyZWYpXFxzKj1cXHMqW1wiJ10/XFxzKmphdmFzY3JpcHQ6L2k7XG5cbiAgICByZXR1cm4gKGNvbnRyb2w6IEFic3RyYWN0Q29udHJvbCk6IFZhbGlkYXRpb25FcnJvcnMgfCBudWxsID0+IHtcbiAgICAgIGNvbnN0IHZhbHVlID0gY29udHJvbD8udmFsdWU/LnRvU3RyaW5nKCkudHJpbSgpO1xuICAgICAgaWYgKFxuICAgICAgICB2YWx1ZSAmJlxuICAgICAgICAoXG4gICAgICAgICAgcGF0dGVybi50ZXN0KHZhbHVlKSB8fFxuICAgICAgICAgIGFUYWdQYXR0ZXJuLnRlc3QodmFsdWUpIHx8XG4gICAgICAgICAgaGFzRGFuZ2Vyb3VzQXR0cnMudGVzdCh2YWx1ZSkgfHxcbiAgICAgICAgICBoYXNKc1Byb3RvY29sLnRlc3QodmFsdWUpXG4gICAgICAgIClcbiAgICAgICkge1xuICAgICAgICByZXR1cm4geyBtYXJrRG93blBhdHRlcm46IHt9IH07XG4gICAgICB9XG4gICAgICByZXR1cm4gbnVsbDtcbiAgICB9O1xuICB9XG5cbiAgLy8gVE9ETzogU3RyaXAgdGhpcyBvdXQgYXMgaXQncyBvbmx5IGhlcmUgZm9yIHRoZSBtb21lbnQgYmVjYXVzZVxuICAvLyB0aGUgc2VydmljZSBpcyBiZWluZyBpbmplY3RlZCBhbGwgb3ZlciB0aGUgcGxhY2UgYnV0IGl0IGRvZXNuJ3RcbiAgLy8gbmVlZCB0byBiZSBhcyBGb3JtVmFsaWRhdG9yc1NlcnZpY2UuYWRkVmFsaWRhdG9ycyBpcyBwZXJmZWN0bHlcbiAgLy8gaGFwcHkgYmVpbmcgc3RhdGljLlxuICBwdWJsaWMgYWRkVmFsaWRhdG9ycyhjYXNlRmllbGQ6IENhc2VGaWVsZCwgY29udHJvbDogQWJzdHJhY3RDb250cm9sKTogQWJzdHJhY3RDb250cm9sIHtcbiAgICByZXR1cm4gRm9ybVZhbGlkYXRvcnNTZXJ2aWNlLmFkZFZhbGlkYXRvcnMoY2FzZUZpZWxkLCBjb250cm9sKTtcbiAgfVxuXG4gIHB1YmxpYyBhZGRNYXJrRG93blZhbGlkYXRvcnMoZm9ybUdyb3VwOiBBYnN0cmFjdENvbnRyb2wsIGNvbnRyb2xQYXRoOiBzdHJpbmcpOiBBYnN0cmFjdENvbnRyb2wge1xuICAgIGNvbnN0IGNvbnRyb2wgPSBmb3JtR3JvdXAuZ2V0KGNvbnRyb2xQYXRoKTtcbiAgICBpZiAoY29udHJvbCkge1xuICAgICAgY29udHJvbC5zZXRWYWxpZGF0b3JzKEZvcm1WYWxpZGF0b3JzU2VydmljZS5tYXJrRG93blBhdHRlcm5WYWxpZGF0b3IoKSk7XG4gICAgICBjb250cm9sLnVwZGF0ZVZhbHVlQW5kVmFsaWRpdHkoKTtcbiAgICB9XG4gICAgcmV0dXJuIGNvbnRyb2w7XG4gIH1cbn1cbiJdfQ==
package/fesm2022/hmcts-ccd-case-ui-toolkit.mjs CHANGED
@@ -5075,10 +5075,20 @@ class FormValidatorsService {
5075
5075
  return validator;
5076
5076
  }
5077
5077
  static markDownPatternValidator() {
5078
- const pattern = /(\[[^\]]{0,500}\]\([^)]{0,500}\)|!\[[^\]]{0,500}\]\([^)]{0,500}\)|<img[^>]{0,500}>|<a[^>]{0,500}>.*?<\/a>)/;
5078
+ const aTagPattern = /<a\b[^>]*(>|$)/i;
5079
+ const pattern = /(\[[^\]]{0,500}\]\([^)]{0,500}\)|!\[[^\]]{0,500}\]\([^)]{0,500}\)|<img\b[^>]{0,500}(?:>|$))/i;
5080
+ const hasDangerousAttrs = /\bon\w+\s*=/i;
5081
+ const hasJsProtocol = /(?:src|href)\s*=\s*["']?\s*javascript:/i;
5079
5082
  return (control) => {
5080
5083
  const value = control?.value?.toString().trim();
5081
- return (value && pattern.test(value)) ? { markDownPattern: {} } : null;
5084
+ if (value &&
5085
+ (pattern.test(value) ||
5086
+ aTagPattern.test(value) ||
5087
+ hasDangerousAttrs.test(value) ||
5088
+ hasJsProtocol.test(value))) {
5089
+ return { markDownPattern: {} };
5090
+ }
5091
+ return null;
5082
5092
  };
5083
5093
  }
5084
5094
  // TODO: Strip this out as it's only here for the moment because