Merge remote-tracking branch 'origin/v3.5'

src/app/gui/modal/modal.component.html

@@ -1,8 +1,8 @@
 <h4 mat-dialog-title [innerHtml]="data.title | safeHtml"></h4>
 <mat-dialog-content [innerHTML]="data.body | safeHtml"></mat-dialog-content>
 <mat-dialog-actions>
-  <button *ngIf="data.type==0" mat-raised-button mat-dialog-close (click)="close()"> <uds-translate>Close</uds-translate>{{ extra }}</button>
-  <button *ngIf="data.type==1" mat-raised-button mat-dialog-close (click)="yes()"><uds-translate>Yes</uds-translate></button>
-  <button *ngIf="data.type==1" mat-raised-button mat-dialog-close (click)="no()"><uds-translate>No</uds-translate></button>
+  <button *ngIf="data.type===0" mat-raised-button mat-dialog-close (click)="close()"> <uds-translate>Close</uds-translate>{{ extra }}</button>
+  <button *ngIf="data.type===1" mat-raised-button mat-dialog-close (click)="yes()"><uds-translate>Yes</uds-translate></button>
+  <button *ngIf="data.type===1" mat-raised-button mat-dialog-close (click)="no()"><uds-translate>No</uds-translate></button>
 
 </mat-dialog-actions>

src/app/gui/safe-html.pipe.ts

@@ -8,6 +8,14 @@ export class SafeHtmlPipe implements PipeTransform {
   constructor(private sanitizer: DomSanitizer) {}
 
   transform(value: any, args?: any): any {
+    // Allow html, disallow scripts, onclick, etc.
+    value = value.replace(/<\s*script\s*/gi, '');
+    // Remove if exists any javascript event
+    // eslint-disable-next-line max-len
+    value = value.replace(/onclick|onmouseover|onmouseout|onmousemove|onmouseenter|onmouseleave|onmouseup|onmousedown|onkeyup|onkeydown|onkeypress|onkeydown|onkeypress|onkeyup|onchange|onfocus|onblur|onload|onunload|onabort|onerror|onresize|onscroll/gi, '');
+    // Remove if exists any javascript:
+    value = value.replace(/javascript\s*\:/gi, '');
+
     return this.sanitizer.bypassSecurityTrustHtml(value);
   }