
Conversation

@nicobytes nicobytes (Contributor) commented Dec 9, 2025

Proposed Changes

This pull request primarily updates Angular template files across several apps to use self-closing tags for standalone components and elements, improving code consistency and readability. There are no functional or logic changes—these are purely syntactic updates to align with Angular best practices for self-closing components.

The most important changes are:

Template Syntax Consistency:

  • Changed all applicable component tags in HTML templates (such as p-dropdown, p-skeleton, dot-icon, dot-spinner, p-chart, ng-container, p-avatar, dot-copy-link, p-button, p-menu, p-tableHeaderCheckbox, and p-sortIcon) to use self-closing syntax across the dotcdn, dotcms-block-editor, and dotcms-ui apps. This makes the codebase more consistent and easier to maintain.

No business logic, UI, or behavioral changes are introduced—this is a purely structural and stylistic update.

Checklist

  • Tests
  • Translations
  • Security Implications Contemplated (add notes if applicable)

This PR fixes: #34062
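As an added illustration of the mechanical form of the migration described above (this is not code from this PR or from the dotCMS project), the TypeScript function below rewrites empty custom-element tags such as `<p-button label="Save"></p-button>` to `<p-button label="Save" />`. Only tag names containing a hyphen are rewritten, which covers Angular components, PrimeNG elements and the `ng-container`/`ng-template`/`router-outlet` family, while native HTML elements are left untouched. The function name `migrateToSelfClosing`, the attribute-matching regular expression and the sample templates are my own constructions.

```typescript
// Added example (not dotCMS or Angular code): rewrite empty custom-element
// tags in an Angular template to Angular's self-closing form.
//   <p-button label="Save"></p-button>  ->  <p-button label="Save" />
//
// Only tag names that contain a hyphen are touched. Angular components and
// PrimeNG elements (p-button, dot-icon, ng-container, router-outlet, ...)
// qualify; native HTML elements (<div></div>) are left alone because Angular's
// template parser only accepts self-closing syntax for void, custom and
// foreign elements.
//
// Group 1: the tag name (must contain at least one hyphen).
// Group 2: the attribute list; quoted values are matched as a unit so that an
//          expression such as [disabled]="a > b" does not end the tag early.
// The backreference \1 requires the matching close tag with nothing but
// whitespace in between, so tags with content are never rewritten.
const EMPTY_CUSTOM_ELEMENT =
  /<([a-zA-Z][\w]*(?:-[\w]+)+)((?:\s+(?:"[^"]*"|'[^']*'|[^\s<>"'])+)*)\s*>\s*<\/\1\s*>/g;

interface MigrationResult {
  output: string;
  converted: string[]; // tag names that were rewritten, in document order
}

function migrateToSelfClosing(template: string): MigrationResult {
  const converted: string[] = [];
  const output = template.replace(
    EMPTY_CUSTOM_ELEMENT,
    (_match: string, tag: string, attrs: string): string => {
      converted.push(tag);
      return `<${tag}${attrs} />`;
    }
  );
  return { output, converted };
}

// Constructed sample: one convertible PrimeNG tag, one native element that
// must stay as it is, and an ng-template whose content must be preserved.
const SAMPLE_TEMPLATE =
  '<p-button label="Save" [disabled]="a > b"></p-button>\n' +
  '<div></div>\n' +
  '<ng-template #t><dot-spinner>\n</dot-spinner></ng-template>';

const result = migrateToSelfClosing(SAMPLE_TEMPLATE);
console.log(result.output);
console.log("converted:", result.converted.join(", "));
```

Self-closing syntax for components requires Angular 15.1 or later, so a migration like this is only safe once the workspace is on that version; the hyphen rule is what keeps `<div></div>` and other native elements out of the rewrite.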

@semgrep-code-dotcms-test

Semgrep found 23 ssc-1401e86e-5347-4e09-9335-667e8dfa5deb findings:

  • core-web/libs/ui/src/lib/components/dot-sidebar-accordion/components/dot-sidebar-accordion-tab/dot-sidebar-accordion-tab.component.ts
  • core-web/libs/sdk/angular/src/lib/components/dotcms-block-editor-renderer/blocks/table.component.ts
  • core-web/libs/sdk/angular/src/lib/components/dotcms-block-editor-renderer/blocks/dot-contentlet.component.ts
  • core-web/libs/edit-content/src/lib/fields/dot-edit-content-category-field/components/dot-category-field-list-skeleton/dot-category-field-list-skeleton.component.ts
  • core-web/libs/dot-rules/src/lib/rule-engine.ts
  • core-web/libs/dot-rules/src/lib/rule-engine.container.ts
  • core-web/libs/dot-rules/src/lib/rule-condition-group-component.ts
  • core-web/libs/dot-rules/src/lib/rule-condition-component.ts
  • core-web/libs/dot-rules/src/lib/rule-component.ts
  • core-web/libs/dot-rules/src/lib/rule-action-component.ts
  • core-web/libs/dot-rules/src/lib/push-publish/add-to-bundle-dialog-container.ts
  • core-web/libs/dot-rules/src/lib/push-publish/add-to-bundle-dialog-component.ts
  • core-web/libs/dot-rules/src/lib/modal-dialog/dialog-component.ts
  • core-web/libs/dot-rules/src/lib/custom-types/visitors-location/visitors-location.container.ts
  • core-web/libs/dot-rules/src/lib/custom-types/visitors-location/visitors-location.component.ts
  • core-web/libs/dot-rules/src/lib/condition-types/serverside-condition/serverside-condition.ts
  • core-web/libs/dot-rules/src/lib/components/restdropdown/RestDropdown.ts
  • core-web/libs/dot-rules/src/lib/components/input-date/input-date.ts
  • core-web/libs/dot-rules/src/lib/components/dropdown/dropdown.ts
  • core-web/libs/dot-rules/src/lib/app.component.ts
  • core-web/apps/dotcms-ui/src/app/view/components/main-core-legacy/main-core-legacy-component.ts
  • core-web/apps/dotcms-ui/src/app/portlets/dot-porlet-detail/dot-workflow-task/dot-workflow-task.component.ts
  • core-web/apps/dotcms-ui/src/app/portlets/dot-porlet-detail/dot-contentlets/dot-contentlets.component.ts

Risk: Affected versions of @angular/compiler are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). A stored XSS vulnerability in the Angular Template Compiler arises because its internal security schema doesn't classify certain URL-holding attributes (e.g. xlink:href, math|href, annotation|href) or the attributeName binding on SVG animation elements (<animate>, <set>, etc.) as requiring strict URL sanitization. An attacker who can supply untrusted input to template bindings like [attr.xlink:href] or <animate [attributeName]="'href'" [values]="maliciousURL"> can inject a javascript: URL payload. When the element is activated (e.g. clicked) or the animation runs, the malicious script executes in the application's origin, enabling session hijacking, data exfiltration, or unauthorized actions.

Manual Review Advice: A vulnerability from this advisory is reachable if you allow SVG/MathML attributes (e.g., xlink:href, href) or to the attributeName field of SVG animation tags (<animate>, <set>, etc.) in HTML templates.

Fix: Upgrade this library to at least version 20.3.15 at core/core-web/yarn.lock:557.

Reference(s): GHSA-v4hv-rgfq-gp49, CVE-2025-66412

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.
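The manual review advice above asks whether any template binds untrusted data into the attributes the advisory names. As an added example (not part of the Semgrep finding, Angular, or the dotCMS code base), the TypeScript helper below performs that triage textually: it walks the start tags of a template and reports dynamic `href`-style bindings (`[href]`, `[attr.href]`, `[attr.xlink:href]`, or an interpolated `href="{{ ... }}"`) and `[attributeName]` bindings on SVG animation elements, with line numbers, so a reviewer can confirm the source of each value. The function name `auditTemplate`, the regular expressions and the sample template are my own; `animateMotion` and `animateTransform` are included on the assumption that they fall under the advisory's "etc.", which names only `animate` and `set` explicitly.

```typescript
// Added example (not Angular's or dotCMS's code): a heuristic audit of an
// Angular HTML template for the binding shapes named in the advisory above.
// Matching is textual, not an Angular AST walk, so it is a review aid rather
// than a guarantee; the actual fix remains the compiler upgrade the finding
// recommends.

interface TemplateFinding {
  line: number;    // 1-based line on which the start tag begins
  element: string; // tag name as written in the template
  reason: string;
}

// One start tag with its attribute list. Quoted values are matched as a unit
// so that an expression such as [hidden]="a > b" does not terminate the tag.
const START_TAG =
  /<([a-zA-Z][\w:-]*)((?:\s+(?:"[^"]*"|'[^']*'|[^\s<>"'])+)*)\s*\/?>/g;

// Dynamic bindings to an href-like attribute: [href], [attr.href],
// [attr.xlink:href]. A static xlink:href="#icon" is not a binding and is
// deliberately not reported.
const HREF_BINDING = /\[(?:attr\.)?(?:[\w-]+:)?href\]/;
// Interpolated href attribute, e.g. xlink:href="{{ link }}".
const HREF_INTERPOLATION = /(?:[\w-]+:)?href\s*=\s*"[^"]*\{\{/;
// Bound attributeName on SVG animation elements. animate and set come from
// the advisory; animateMotion/animateTransform are an assumption.
const ANIMATION_ELEMENTS = new Set([
  "animate", "set", "animatemotion", "animatetransform",
]);
const ATTRIBUTE_NAME_BINDING = /\[attributeName\]/;

function auditTemplate(template: string): TemplateFinding[] {
  const findings: TemplateFinding[] = [];
  START_TAG.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = START_TAG.exec(template)) !== null) {
    const element = m[1];
    const attrs = m[2];
    // Line number = newlines before the match, plus one.
    const line = template.slice(0, m.index).split("\n").length;
    if (HREF_BINDING.test(attrs) || HREF_INTERPOLATION.test(attrs)) {
      findings.push({
        line,
        element,
        reason: "dynamic href binding; confirm the value is a trusted URL",
      });
    }
    if (ANIMATION_ELEMENTS.has(element.toLowerCase()) &&
        ATTRIBUTE_NAME_BINDING.test(attrs)) {
      findings.push({
        line,
        element,
        reason: "bound attributeName on an SVG animation element",
      });
    }
  }
  return findings;
}

// Constructed sample: a static <use> reference (not reported), a dynamic
// xlink:href binding (reported) and an <animate> with bound attributeName
// (reported).
const SAMPLE_SVG_TEMPLATE = [
  "<svg>",
  '  <use xlink:href="#icon-ok" />',
  '  <a [attr.xlink:href]="userLink"><text>go</text></a>',
  '  <rect width="10" height="10">',
  '    <animate [attributeName]="animAttr" [values]="animValues" dur="1s" />',
  "  </rect>",
  "</svg>",
].join("\n");

for (const f of auditTemplate(SAMPLE_SVG_TEMPLATE)) {
  console.log(`line ${f.line} <${f.element}>: ${f.reason}`);
}
```

Run over the template files the finding lists, the output is a short list of places to check by hand; an empty list does not prove the advisory is unreachable, since bindings assembled at runtime or through component inputs are outside what a textual scan can see.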

Copilot AI (Contributor) left a comment

Pull request overview

This pull request migrates Angular template files across the dotCMS codebase to use self-closing tag syntax for standalone components and elements. The migration is purely syntactic, aligning with modern Angular best practices for component usage, with no functional or behavioral changes introduced.

Key Changes:

  • Converted component tags to self-closing syntax (e.g., <component></component> → <component />)
  • Applied to PrimeNG components (p-button, p-dropdown, p-menu, p-skeleton, etc.)
  • Applied to custom dotCMS components (dot-icon, dot-spinner, dot-asset-search, etc.)
  • Applied to Angular built-in directives (ng-content, ng-container, router-outlet, ng-template)

Reviewed changes

Copilot reviewed 239 out of 239 changed files in this pull request and generated no comments.

Summary per file:

  • Multiple .html template files across libs/: Migrated component tags to self-closing syntax for UI library components
  • Multiple .html template files in template-builder/: Updated template builder component templates to use self-closing tags
  • Multiple .html template files in sdk/angular/: Converted block editor and renderer components to self-closing syntax
  • Multiple .html template files in portlets/: Updated portlet component templates across edit-ema, experiments, locales, analytics, content-drive, and usage modules
  • Multiple .html template files in edit-content/: Migrated content editing field and form components to self-closing tags
  • Multiple .html template files in block-editor/: Updated block editor extension and node components
  • Multiple .html template files in dot-rules/: Converted rules engine components to self-closing syntax
  • Multiple .ts component files with inline templates: Updated inline template strings to use self-closing tags
  • Multiple .html template files in apps/dotcms-ui/: Migrated application-level component templates including login, navigation, portlets, and content type editors

@zJaaal zJaaal (Contributor) left a comment

I trust the tests

@semgrep-code-dotcms-test

Legal Risk

The following dependencies were released under a license that has been flagged by your organization for consideration.

Recommendation

While merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue.

GPL-2.0

MPL-2.0

@nicobytes nicobytes enabled auto-merge December 13, 2025 00:40
@nicobytes nicobytes disabled auto-merge December 13, 2025 00:47
@nicobytes nicobytes added this pull request to the merge queue Dec 24, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 24, 2025
@nicobytes nicobytes added this pull request to the merge queue Dec 24, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 24, 2025
@nicobytes nicobytes added this pull request to the merge queue Dec 24, 2025
Merged via the queue into main with commit fa844a9 Dec 24, 2025
19 checks passed
@nicobytes nicobytes deleted the 34062-task-migrate-angular-templates-to-self-closing-tags branch December 24, 2025 20:46


Development

Successfully merging this pull request may close these issues.

[TASK] Migrate Angular templates to self-closing tags