From 87a90afd4600049b184b32f8f92a0634e25890c0 Mon Sep 17 00:00:00 2001
From: Alan Agius
Date: Fri, 27 Sep 2024 13:24:00 +0000
Subject: [PATCH] fix(@angular/build): incomplete string escaping or encoding

See: https://github.com/angular/angular-cli/security/code-scanning/76
---
 .../src/utils/server-rendering/manifest.ts | 20 ++++--------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/packages/angular/build/src/utils/server-rendering/manifest.ts b/packages/angular/build/src/utils/server-rendering/manifest.ts
index a04285c1eadf..a23faa69a7fd 100644
--- a/packages/angular/build/src/utils/server-rendering/manifest.ts
+++ b/packages/angular/build/src/utils/server-rendering/manifest.ts
@@ -24,18 +24,8 @@ const MAIN_SERVER_OUTPUT_FILENAME = 'main.server.mjs';
  * A mapping of unsafe characters to their escaped Unicode equivalents.
  */
 const UNSAFE_CHAR_MAP: Record = {
-  '<': '\\u003C',
-  '>': '\\u003E',
-  '/': '\\u002F',
-  '\\': '\\\\',
-  '\b': '\\b',
-  '\f': '\\f',
-  '\n': '\\n',
-  '\r': '\\r',
-  '\t': '\\t',
-  '\0': '\\0',
-  '\u2028': '\\u2028',
-  '\u2029': '\\u2029',
+  '`': '\\`',
+  '$': '\\$',
 };
 
 /**
@@ -46,7 +36,7 @@ const UNSAFE_CHAR_MAP: Record = {
  * @returns The escaped string where unsafe characters are replaced.
  */
 function escapeUnsafeChars(str: string): string {
-  return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, (c) => UNSAFE_CHAR_MAP[c]);
+  return str.replace(/[$`]/g, (c) => UNSAFE_CHAR_MAP[c]);
 }
 
 /**
@@ -149,9 +139,7 @@ export function generateAngularServerAppManifest(
       file.path === INDEX_HTML_CSR ||
       (inlineCriticalCss && file.path.endsWith('.css'))
     ) {
-      serverAssetsContent.push(
-        `['${file.path}', async () => ${escapeUnsafeChars(JSON.stringify(file.text))}]`,
-      );
+      serverAssetsContent.push(`['${file.path}', async () => \`${escapeUnsafeChars(file.text)}\`]`);
     }
   }
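Review bot: The doc comment kept as context above the map, ` * A mapping of unsafe characters to their escaped Unicode equivalents.`, is now stale: the two remaining entries are backslash escapes for use inside a template literal, not `\uXXXX` Unicode escapes. I would reword it to ` * Characters that must be backslash-escaped before asset text is embedded in a template literal.` and add one line explaining why `$` is listed on its own, since only the pair `${` opens a substitution but escaping every `$` is the simpler safe choice. The type annotation on `const UNSAFE_CHAR_MAP: Record = {` appears to have lost its type arguments in this rendering; presumably it is `Record<string, string>` in the file, worth confirming.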
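Review bot: The new character class `/[$`]/g` does not escape `\`, so asset text is still not safe between backticks: an asset containing the two characters `\` followed by `` ` `` is rewritten to `\\` followed by `` ` ``, where the pair is a literal backslash and the bare backtick terminates the template literal, and any other backslash sequence in a CSS or HTML file (a CSS escape such as `\2014` is a legacy octal escape, which is a SyntaxError in an untagged template; `\u` followed by non-hex likewise) breaks or alters the generated module. The earlier `JSON.stringify` form was safe here only because JSON encoding escapes backslashes, and the `'\\': '\\\\'` entry dropped in the first hunk shows the same intent. Because `String.prototype.replace` with a character class is single-pass, escaping backslash together with the other two is enough: `return str.replace(/[\\$`]/g, (c) => UNSAFE_CHAR_MAP[c]);` with `'\\': '\\\\'` restored to `UNSAFE_CHAR_MAP`. Note also that a template literal's cooked value normalizes `\r\n` and lone `\r` to `\n`, so CRLF assets no longer round-trip byte-for-byte as they did through `JSON.stringify`; if exact bytes matter for inlined CSS, `\r` should be escaped as well.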