Agent Task Message - Add html sanitization by default (#5365)

#### Summary
This PR adds html sanitization by default to agent task messages. This
was identified as a potential security risk and is already applied to
SOA.

#### Work Item(s)
Fixes
[AB#610530](https://dynamicssmb2.visualstudio.com/1fcb79e7-ab07-432a-a3c6-6cf5a88ba4a5/_workitems/edit/610530)

---------

Co-authored-by: Sotiris Dragonas <sodragon@microsoft.com>

Author: BazookaMusic

src/System Application/App/Agent/Interaction/AgentTaskBuilder.Codeunit.al

@@ -95,7 +95,6 @@ codeunit 4315 "Agent Task Builder"
     /// </summary>
     /// <param name="From">The sender of the message.</param>
     /// <param name="MessageText">The message text.</param>
-    /// <param name="AgentTaskMessageBuilder">The agent task message builder.</param>
     /// <returns>This instance of the Agent Task Builder.</returns>
     procedure AddTaskMessage(From: Text[250]; MessageText: Text): codeunit "Agent Task Builder"
     begin

src/System Application/App/Agent/Interaction/AgentTaskMessageBuilder.Codeunit.al

@@ -70,6 +70,21 @@ codeunit 4316 "Agent Task Message Builder"
         exit(this);
     end;
 
+    /// <summary>
+    /// Set whether to sanitize the message text.
+    /// When set to false, message sanitization will be bypassed.
+    /// The default value is true.
+    /// </summary>
+    /// <param name="SkipSanitizeMessage">Specifies if the message sanitization should be skipped.</param>
+    /// <returns>This instance of the Agent Task Message Builder.</returns>
+    [Scope('OnPrem')]
+    procedure SetSkipMessageSanitization(SkipSanitizeMessage: Boolean): codeunit "Agent Task Message Builder"
+    begin
+        FeatureAccessManagement.AgentTaskManagementPreviewEnabled(true);
+        AgentTaskMsgBuilderImpl.SetSkipMessageSanitization(SkipSanitizeMessage);
+        exit(this);
+    end;
+
     /// <summary>
     /// Set the external ID of the task.
     /// </summary>

src/System Application/App/Agent/Interaction/Internal/AgentTaskBuilderImpl.Codeunit.al

@@ -62,6 +62,7 @@ codeunit 4310 "Agent Task Builder Impl."
     procedure AddTaskMessage(From: Text[250]; MessageText: Text): codeunit "Agent Task Builder Impl."
     begin
         GlobalAgentTaskMessageBuilder.Initialize(From, MessageText);
+        MessageSet := true;
         exit(this);
     end;
 

src/System Application/App/Agent/Interaction/Internal/AgentTaskMsgBuilderImpl.Codeunit.al

@@ -5,6 +5,8 @@
 
 namespace System.Agents;
 
+using System;
+
 codeunit 4311 "Agent Task Msg. Builder Impl."
 {
     Access = Internal;
@@ -21,6 +23,7 @@ codeunit 4311 "Agent Task Msg. Builder Impl."
         GlobalMessageText: Text;
         GlobalRequiresReview: Boolean;
         GlobalIgnoreAttachment: Boolean;
+        GlobalSkipSanitizeMessage: Boolean;
 
     [Scope('OnPrem')]
     procedure Initialize(MessageText: Text): codeunit "Agent Task Msg. Builder Impl."
@@ -34,10 +37,10 @@ codeunit 4311 "Agent Task Msg. Builder Impl."
     [Scope('OnPrem')]
     procedure Initialize(From: Text[250]; MessageText: Text): codeunit "Agent Task Msg. Builder Impl."
     begin
-        GlobalFrom := From;
-        GlobalMessageText := MessageText;
         GlobalRequiresReview := true;
         GlobalIgnoreAttachment := false;
+        GlobalFrom := From;
+        GlobalMessageText := MessageText;
         exit(this);
     end;
 
@@ -55,6 +58,13 @@ codeunit 4311 "Agent Task Msg. Builder Impl."
         exit(this);
     end;
 
+    [Scope('OnPrem')]
+    procedure SetSkipMessageSanitization(SkipSanitizeMessage: Boolean): codeunit "Agent Task Msg. Builder Impl."
+    begin
+        GlobalSkipSanitizeMessage := SkipSanitizeMessage;
+        exit(this);
+    end;
+
     [Scope('OnPrem')]
     procedure SetMessageExternalID(ExternalId: Text[2048]): codeunit "Agent Task Msg. Builder Impl."
     begin
@@ -85,9 +95,12 @@ codeunit 4311 "Agent Task Msg. Builder Impl."
         AgentTaskImpl: Codeunit "Agent Task Impl.";
         AgentMessageImpl: Codeunit "Agent Message Impl.";
         IgnoreAttachment: Boolean;
+        MessageText: Text;
     begin
         VerifyMandatoryFieldsSet();
-        GlobalAgentTaskMessage := AgentTaskImpl.AddMessage(GlobalFrom, GlobalMessageText, GlobalMessageExternalID, GlobalAgentTask, GlobalRequiresReview);
+
+        MessageText := GlobalSkipSanitizeMessage ? GlobalMessageText : SanitizeMessage(GlobalMessageText);
+        GlobalAgentTaskMessage := AgentTaskImpl.AddMessage(GlobalFrom, MessageText, GlobalMessageExternalID, GlobalAgentTask, GlobalRequiresReview);
         TempAgentTaskFileToAttach.Reset();
         TempAgentTaskFileToAttach.SetAutoCalcFields(Content);
         if TempAgentTaskFileToAttach.FindSet() then
@@ -259,4 +272,12 @@ codeunit 4311 "Agent Task Msg. Builder Impl."
             exit('text/plain');
         exit('');
     end;
+
+    internal procedure SanitizeMessage(MessageBody: Text): Text
+    var
+        AppHTMLSanitizer: DotNet AppHtmlSanitizer;
+    begin
+        AppHTMLSanitizer := AppHTMLSanitizer.AppHtmlSanitizer();
+        exit(AppHTMLSanitizer.SanitizeEmail(MessageBody));
+    end;
 }

src/System Application/App/Agent/app.json

@@ -50,6 +50,12 @@
       "name": "User Settings",
       "publisher": "Microsoft",
       "version": "28.0.0.0"
+    },
+    {
+      "id": "7e3b999e-1182-45d2-8b82-d5127ddba9b2",
+      "name": "DotNet Aliases",
+      "publisher": "Microsoft",
+      "version": "28.0.0.0"
     }
   ],
   "propagateDependencies": true,