fix: escaping for link titles in LinksService (#11632)
Fix: sanitize link titles using escapeHtml to prevent arbitrary code
injection. We must not send user-controlled content directly into an HTML
(or script) context without escaping appropriate for that context. For
this case, the simplest safe fix that preserves existing observable
behavior (a human-readable string) is to HTML-escape the user-provided
field(s) before interpolation. That way, any `<`, `>`, `"`, `'`, `&`,
etc., in `createLinkDto.title` cannot break out into executable markup
or script when rendered by a client.
The single best minimal change here is to update `LinksService.create`
(and, for consistency, `update`) to escape the interpolated `title`
using a well-known escaping library such as `escape-html`. We only touch
`/with-nestjs/apps/api/src/links/links.service.ts`. Concretely:
- Add an import for `escape-html` at the top of `links.service.ts`.
- When interpolating `createLinkDto.title` in `create`, wrap it as
`escapeHtml(createLinkDto.title ?? '')`.
- Similarly, when interpolating `updateLinkDto.title` in `update`, wrap
it as `escapeHtml(updateLinkDto.title ?? '')`.
We use the nullish coalescing operator to avoid passing `undefined` to
the escape function, preserving the existing behavior while making the
response safe to render in HTML.
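The change the message describes, as an added TypeScript example that is not the repository's own code: `escapeHtml` below is an inline stand-in that performs the same five replacements as the `escape-html` package (so the file runs without installing it), the DTO shapes and the returned message text are assumptions since the page does not show them, and the NestJS `@Injectable()` decorator is left off so the snippet runs without the framework. `createUnescaped` keeps the pre-fix interpolation for comparison.

```typescript
// Stand-in for the `escape-html` npm package (assumption: same output as
// the package for the five characters it escapes).
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Hypothetical DTO shapes; the real DTOs are not shown on the page.
interface CreateLinkDto {
  title?: string;
  url: string;
}

interface UpdateLinkDto {
  title?: string;
  url?: string;
}

// Hypothetical service returning a human-readable string, as the message
// describes. Message wording is an assumption.
class LinksService {
  // Pre-fix behaviour: the raw title lands in the string unchanged, so a
  // client that renders it as HTML executes whatever markup it contains.
  createUnescaped(createLinkDto: CreateLinkDto): string {
    return `This action adds a new link titled "${createLinkDto.title}"`;
  }

  // Fixed: escape the user-controlled field before interpolation, and use
  // `?? ''` so an absent title never reaches the escaper as `undefined`.
  create(createLinkDto: CreateLinkDto): string {
    return `This action adds a new link titled "${escapeHtml(createLinkDto.title ?? "")}"`;
  }

  update(id: number, updateLinkDto: UpdateLinkDto): string {
    return `This action updates link #${id} with title "${escapeHtml(updateLinkDto.title ?? "")}"`;
  }
}

// Constructed sample input: a title carrying markup.
const sampleDto: CreateLinkDto = {
  title: '<img src=x onerror="alert(1)">',
  url: "https://example.invalid/",
};

const service = new LinksService();
console.log(service.createUnescaped(sampleDto)); // markup passes through intact
console.log(service.create(sampleDto));          // markup rendered inert
```

Note that HTML entity escaping is only correct for an HTML text or quoted-attribute context; if a client later drops the title into a `<script>` block, an unquoted attribute, or a URL, that context needs its own encoding, which is why the message stresses "escaping appropriate for that context".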