Conversation

@rjvelazco
Contributor

@rjvelazco rjvelazco commented Jan 28, 2026

This PR fixes: #34414

Comment on lines 48 to 70
@@ -63,6 +62,9 @@ import {
DotMessagePipe
],
changeDetection: ChangeDetectionStrategy.OnPush,
host: {
class: 'block h-fit'
},
viewProviders: [
{
provide: ControlContainer,
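Review bot: the Semgrep finding attached to this hunk is a dependency-version match on @angular/compiler, not something the hunk introduces; the lines shown (the `imports` array, `changeDetection`, the new `host` class binding and `viewProviders`) bind no `[attr.href]` or `[attr.xlink:href]` on an SVG `<script>`, so nothing in this decorator needs to change for CVE-2026-22610. The fix is in core-web/package-lock.json (resolve @angular/compiler and @angular/core to 21.0.7 or later); confirm that bump is part of this PR or a tracked follow-up before replying /fp or /ar, otherwise the same finding will reappear on every component the migration touches.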

High severity and reachable issue identified in your code:
Line 48 has a vulnerable usage of @angular/compiler, introducing a high severity vulnerability.

ℹ️ Why this is reachable

A reachable issue is a real security risk because your project actually executes the vulnerable code. This issue is reachable because your code uses a certain version of @angular/compiler.
Affected versions of @angular/compiler and @angular/core are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Angular's template compiler fails to classify the href and xlink:href attributes on SVG <script> elements as Resource URL contexts. This allows an attacker to bind a malicious data: URI or external script via [attr.href] or [attr.xlink:href], resulting in arbitrary JavaScript execution (XSS) in the victim's browser.

References: GHSA-jrmj-c5cx-3cw6, CVE-2026-22610

To resolve this comment:
Upgrade this dependency to at least version 21.0.7 at core-web/package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

You can view more details on this finding in the Semgrep AppSec Platform here.
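As an added example (not code from this PR, from dotCMS, or from Semgrep), the following TypeScript triage helper answers the two questions the /fp and /ar prompt above really turns on: does the lockfile still resolve @angular/compiler or @angular/core below 21.0.7 anywhere, nested copies included, and does any template actually bind [attr.href] or [attr.xlink:href] on a <script> element inside <svg>, which is the sink the advisory describes. It assumes an npm lockfile v2/v3 "packages" map and raw component template strings; the lockfile fragment and templates below are constructed for the demo, and the function names (findVulnerableAngular, findSvgScriptHrefBindings, triage) are this example's own.

```typescript
// Added triage example for GHSA-jrmj-c5cx-3cw6 / CVE-2026-22610; not dotCMS project code.
// Assumed inputs: an npm lockfile v2/v3 "packages" map and component templates as strings.

const FIXED_VERSION = "21.0.7";
const AFFECTED_PACKAGES = ["@angular/compiler", "@angular/core"];

// Numeric major.minor.patch parts; a pre-release suffix such as "-next.1" is dropped,
// which is good enough for a "below the fixed version?" check.
function numericParts(v: string): number[] {
  const [core = ""] = v.split("-");
  return core.split(".").map(Number);
}

// Returns negative, zero or positive like a comparator.
function compareVersions(a: string, b: string): number {
  const pa = numericParts(a);
  const pb = numericParts(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

interface Lockfile {
  packages?: Record<string, { version?: string }>;
}

// Every resolved copy of an affected package below the fixed version, including
// copies nested under another dependency's node_modules (a root-only check misses those).
function findVulnerableAngular(lock: Lockfile): string[] {
  const hits: string[] = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const name = AFFECTED_PACKAGES.find((p) => path.endsWith("node_modules/" + p));
    if (name && entry.version && compareVersions(entry.version, FIXED_VERSION) < 0) {
      hits.push(`${path}@${entry.version}`);
    }
  }
  return hits;
}

// The sink the advisory describes: [attr.href] or [attr.xlink:href] bound on a
// <script> element that sits inside <svg>. This is regex triage, not Angular's
// template parser, so it leans toward false positives; each hit gets a human look.
function findSvgScriptHrefBindings(template: string): string[] {
  const findings: string[] = [];
  for (const svg of template.match(/<svg\b[\s\S]*?<\/svg>/gi) ?? []) {
    for (const tag of svg.match(/<script\b[^>]*>/gi) ?? []) {
      const m = tag.match(/\[attr\.(xlink:)?href\]\s*=\s*"([^"]*)"/i);
      if (m) findings.push(`${m[1] ?? ""}href <- ${m[2]}`);
    }
  }
  return findings;
}

// Constructed lockfile fragment (shape of npm lockfile v3 "packages"; not the real dotCMS lockfile).
const SAMPLE_LOCK: Lockfile = {
  packages: {
    "node_modules/@angular/core": { version: "21.0.7" },
    "node_modules/@angular/compiler": { version: "21.0.6" },
    "node_modules/@angular/common": { version: "21.0.6" },
    "node_modules/some-lib/node_modules/@angular/compiler": { version: "21.0.5" },
  },
};

// Constructed templates: the first reaches the unsafe context, the second binds the
// same attributes on <use> and <a>, which are not the affected element.
const VULNERABLE_TEMPLATE = `
<svg xmlns="http://www.w3.org/2000/svg">
  <script [attr.xlink:href]="iconUrl"></script>
</svg>`;

const SAFE_TEMPLATE = `
<svg xmlns="http://www.w3.org/2000/svg">
  <use [attr.xlink:href]="iconUrl"></use>
</svg>
<a [attr.href]="docsUrl">docs</a>`;

// Verdict: the finding is actionable whenever the lockfile is unpatched; the template
// scan tells you whether it is exploitable in this code base today.
function triage(lock: Lockfile, templates: Record<string, string>) {
  const lockHits = findVulnerableAngular(lock);
  const templateHits: string[] = [];
  for (const [file, tpl] of Object.entries(templates)) {
    for (const f of findSvgScriptHrefBindings(tpl)) templateHits.push(`${file}: ${f}`);
  }
  return { lockHits, templateHits, mustUpgrade: lockHits.length > 0 };
}

console.log(JSON.stringify(triage(SAMPLE_LOCK, { "vuln.html": VULNERABLE_TEMPLATE, "safe.html": SAFE_TEMPLATE }), null, 2));
```

For the constructed inputs the verdict lists two unpatched copies of @angular/compiler (the root one and the nested one) and a single template hit. A lockfile hit alone is reason enough to take the upgrade; the template scan is for judging how urgent the finding is, not for arguing it away with /fp. Once the compiler classifies these attributes as Resource URL contexts, Angular will refuse an untrusted value there instead of sanitizing it, so any template that legitimately needs such a binding has to supply a value marked with DomSanitizer.bypassSecurityTrustResourceUrl.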

Comment on lines 31 to 36
@Component({
selector: 'dot-edit-content-sidebar-locales',
imports: [ChipModule, SkeletonModule, DotIsoCodePipe],
imports: [ButtonModule, OverlayBadgeModule, SkeletonModule, DotIsoCodePipe],
templateUrl: './dot-edit-content-sidebar-locales.component.html',
styleUrl: './dot-edit-content-sidebar-locales.component.scss',
changeDetection: ChangeDetectionStrategy.OnPush
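Review bot: as rendered, the decorator shows two `imports:` entries back to back (`[ChipModule, SkeletonModule, DotIsoCodePipe]` followed by `[ButtonModule, OverlayBadgeModule, SkeletonModule, DotIsoCodePipe]`). If that is a removed line and its replacement with the diff markers lost in rendering, fine; if both survive, the object literal has a duplicate key, which TypeScript rejects. Also confirm that dropping ChipModule is intentional and that the template no longer depends on it.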

High severity and reachable issue identified in your code:
Line 31 has a vulnerable usage of @angular/compiler, introducing a high severity vulnerability.

To resolve this comment:
Upgrade this dependency to at least version 21.0.7 at core-web/package-lock.json.

@semgrep-code-dotcms-test

Legal Risk

The following dependencies were released under a license that
has been flagged by your organization for consideration.

Recommendation

While merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue.

GPL-2.0

MPL-2.0

@semgrep-code-dotcms-test

Semgrep found 2 ssc-4fd3a3fc-acff-4277-9d88-60469f5a4fa5 findings:

  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-relationship-field/components/dot-relationship-field/dot-relationship-field.component.ts
  • core-web/libs/edit-content/src/lib/components/dot-edit-content-layout/dot-edit-content.layout.component.ts

Risk: Affected versions of @angular/compiler and @angular/core are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Angular's template compiler fails to classify the href and xlink:href attributes on SVG <script> elements as Resource URL contexts. This allows an attacker to bind a malicious data: URI or external script via [attr.href] or [attr.xlink:href], resulting in arbitrary JavaScript execution (XSS) in the victim's browser.

Fix: Upgrade this library to at least version 21.0.7 at core/core-web/package-lock.json:5082.

Reference(s): GHSA-jrmj-c5cx-3cw6, CVE-2026-22610

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Comment on lines 58 to 73
@Component({
selector: 'dot-language-variable-selector',
imports: [AutoCompleteModule, FormsModule, DotMessagePipe, DotHighlightPipe],
imports: [
AutoCompleteModule,
FormsModule,
DotMessagePipe,
DotHighlightPipe,
IconFieldModule,
InputIconModule
],
templateUrl: './dot-language-variable-selector.component.html',
styleUrl: './dot-language-variable-selector.component.scss',
changeDetection: ChangeDetectionStrategy.OnPush
changeDetection: ChangeDetectionStrategy.OnPush,
host: {
class: 'block w-[256px]'
}
})

High severity and reachable issue identified in your code:
Line 58 has a vulnerable usage of @angular/compiler, introducing a high severity vulnerability.

To resolve this comment:
Upgrade this dependency to at least version 21.0.7 at core-web/package-lock.json.

Comment on lines 19 to 24
@Component({
selector: 'dot-card-field-label',
imports: [TooltipModule],
styleUrl: './dot-card-field-label.component.scss',
templateUrl: './dot-card-field-label.component.html',
changeDetection: ChangeDetectionStrategy.OnPush
})

High severity and reachable issue identified in your code:
Line 19 has a vulnerable usage of @angular/compiler, introducing a high severity vulnerability.

To resolve this comment:
Upgrade this dependency to at least version 21.0.7 at core-web/package-lock.json.

@semgrep-code-dotcms-test

Semgrep found 3 ssc-4fd3a3fc-acff-4277-9d88-60469f5a4fa5 findings:

  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-json-field/dot-edit-content-json-field.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-file-field/dot-edit-content-file-field.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-calendar-field/components/calendar-field/calendar-field.component.ts

Fix: Upgrade this library to at least version 21.0.7 at core/core-web/package-lock.json:5082.

Reference(s): GHSA-jrmj-c5cx-3cw6, CVE-2026-22610


@rjvelazco rjvelazco linked an issue Jan 30, 2026 that may be closed by this pull request
@semgrep-code-dotcms-test

Semgrep found 3 ssc-4fd3a3fc-acff-4277-9d88-60469f5a4fa5 findings:

  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-wysiwyg-field/dot-edit-content-wysiwyg-field.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-wysiwyg-field/components/dot-wysiwyg-tinymce/dot-wysiwyg-tinymce.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-tag-field/dot-edit-content-tag-field.component.ts

Fix: Upgrade this library to at least version 21.0.7 at core/core-web/package-lock.json:5082.

Reference(s): GHSA-jrmj-c5cx-3cw6, CVE-2026-22610


@semgrep-code-dotcms-test

Semgrep found 3 ssc-4fd3a3fc-acff-4277-9d88-60469f5a4fa5 findings:

  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-relationship-field/dot-edit-content-relationship-field.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-relationship-field/components/dot-select-existing-content/dot-select-existing-content.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-relationship-field/components/dot-select-existing-content/components/header/header.component.ts

Fix: Upgrade this library to at least version 21.0.7 at core/core-web/package-lock.json:5082.

Reference(s): GHSA-jrmj-c5cx-3cw6, CVE-2026-22610


@semgrep-code-dotcms-test

Semgrep found 2 ssc-4fd3a3fc-acff-4277-9d88-60469f5a4fa5 findings:

  • core-web/libs/edit-content/src/lib/components/dot-edit-content-sidebar/components/dot-edit-content-sidebar-history/dot-edit-content-sidebar-history.component.ts
  • core-web/libs/edit-content/src/lib/components/dot-edit-content-sidebar/components/dot-edit-content-sidebar-history/components/dot-history-timeline-item/dot-history-timeline-item.component.ts

Fix: Upgrade this library to at least version 21.0.7 at core/core-web/package-lock.json:5082.

Reference(s): GHSA-jrmj-c5cx-3cw6, CVE-2026-22610


@semgrep-code-dotcms-test

Semgrep found 5 ssc-4fd3a3fc-acff-4277-9d88-60469f5a4fa5 findings:

  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-category-field/components/dot-category-field/dot-category-field.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-category-field/components/dot-category-field-selected/dot-category-field-selected.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-category-field/components/dot-category-field-search/dot-category-field-search.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-category-field/components/dot-category-field-dialog/dot-category-field-dialog.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-category-field/components/dot-category-field-category-list/dot-category-field-category-list.component.ts

Fix: Upgrade this library to at least version 21.0.7 at core/core-web/package-lock.json:5082.

Reference(s): GHSA-jrmj-c5cx-3cw6, CVE-2026-22610


@semgrep-code-dotcms-test

Semgrep found 1 ssc-4fd3a3fc-acff-4277-9d88-60469f5a4fa5 finding:

  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-category-field/components/dot-category-field-search-list/dot-category-field-search-list.component.ts

Fix: Upgrade this library to at least version 21.0.7 at core/core-web/package-lock.json:5082.

Reference(s): GHSA-jrmj-c5cx-3cw6, CVE-2026-22610


Comment on lines 88 to 117
@@ -110,7 +110,10 @@ import { DotEditContentFieldComponent } from '../dot-edit-content-field/dot-edit
animate('250ms ease-in', style({ opacity: 1 }))
])
])
]
],
host: {
class: 'min-w-0 max-w-full overflow-auto overflow-x-hidden'
},
})

High severity and reachable issue identified in your code:
Line 88 has a vulnerable usage of @angular/compiler, introducing a high severity vulnerability.

To resolve this comment:
Upgrade this dependency to at least version 21.0.7 at core-web/package-lock.json.

@semgrep-code-dotcms-test

Semgrep found 6 ssc-4fd3a3fc-acff-4277-9d88-60469f5a4fa5 findings:

  • core-web/libs/ui/src/lib/components/dot-temp-file-thumbnail/dot-temp-file-thumbnail.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-binary-field/dot-edit-content-binary-field.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-binary-field/components/dot-binary-field-url-mode/dot-binary-field-url-mode.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-binary-field/components/dot-binary-field-ui-message/dot-binary-field-ui-message.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-binary-field/components/dot-binary-field-preview/dot-binary-field-preview.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-binary-field/components/dot-binary-field-editor/dot-binary-field-editor.component.ts

Fix: Upgrade this library to at least version 21.0.7 at core/core-web/package-lock.json:5082.

Reference(s): GHSA-jrmj-c5cx-3cw6, CVE-2026-22610


…meng-angular-21-v2' of https://github.com/dotCMS/core into issue-34414-task-migrate-edit-cotnent-portlet-ui-to-primeng-angular-21-v2
@semgrep-code-dotcms-test

Semgrep found 3 ssc-4fd3a3fc-acff-4277-9d88-60469f5a4fa5 findings:

  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-file-field/components/dot-form-import-url/dot-form-import-url.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-file-field/components/dot-form-file-editor/dot-form-file-editor.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-card-field/dot-card-field.component.ts

Fix: Upgrade this library to at least version 21.0.7 at core/core-web/package-lock.json:5082.

Reference(s): GHSA-jrmj-c5cx-3cw6, CVE-2026-22610


Development

Successfully merging this pull request may close these issues.

[TASK] Migrate 'Edit Content' portlet UI to PrimeNG (Angular 21)

3 participants