fix(@angular/build): incomplete string escaping or encoding

See: https://github.com/angular/angular-cli/security/code-scanning/76

Author: alan-agius4

packages/angular/build/src/utils/server-rendering/manifest.ts

@@ -24,18 +24,8 @@ const MAIN_SERVER_OUTPUT_FILENAME = 'main.server.mjs';
  * A mapping of unsafe characters to their escaped Unicode equivalents.
  */
 const UNSAFE_CHAR_MAP: Record<string, string> = {
-  '<': '\\u003C',
-  '>': '\\u003E',
-  '/': '\\u002F',
-  '\\': '\\\\',
-  '\b': '\\b',
-  '\f': '\\f',
-  '\n': '\\n',
-  '\r': '\\r',
-  '\t': '\\t',
-  '\0': '\\0',
-  '\u2028': '\\u2028',
-  '\u2029': '\\u2029',
+  '`': '\\`',
+  '$': '\\$',
 };
 
 /**
@@ -46,7 +36,7 @@ const UNSAFE_CHAR_MAP: Record<string, string> = {
  * @returns The escaped string where unsafe characters are replaced.
  */
 function escapeUnsafeChars(str: string): string {
-  return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, (c) => UNSAFE_CHAR_MAP[c]);
+  return str.replace(/[$`]/g, (c) => UNSAFE_CHAR_MAP[c]);
 }
 
 /**
@@ -149,9 +139,7 @@ export function generateAngularServerAppManifest(
       file.path === INDEX_HTML_CSR ||
       (inlineCriticalCss && file.path.endsWith('.css'))
     ) {
-      serverAssetsContent.push(
-        `['${file.path}', async () => ${escapeUnsafeChars(JSON.stringify(file.text))}]`,
-      );
+      serverAssetsContent.push(`['${file.path}', async () => \`${escapeUnsafeChars(file.text)}\`]`);
     }
   }