fix(core): Replace sanitize-html with xss in XSS validator constraint (#10479)

2024-08-20 20:52:04 +02:00
parent aad3e5b677
commit 5dea51aad7
4 changed files with 38 additions and 72 deletions
--- a/packages/cli/src/validators/tests/no-xss.validator.test.ts
+++ b/packages/cli/src/validators/tests/no-xss.validator.test.ts
@@ -16,7 +16,8 @@ describe('NoXss', () => {
 	const entity = new Entity();

 	describe('Scripts', () => {
-		const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>"];
+		// eslint-disable-next-line n8n-local-rules/no-unneeded-backticks
+		const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>", `<a href="#">Jack</a>`];

 		for (const str of XSS_STRINGS) {
 			test(`should block ${str}`, async () => {
@@ -69,4 +70,15 @@ describe('NoXss', () => {
 			});
 		}
 	});
+
+	describe('Miscellanous strings', () => {
+		const VALID_MISCELLANEOUS_STRINGS = ['CI/CD'];
+
+		for (const str of VALID_MISCELLANEOUS_STRINGS) {
+			test(`should allow ${str}`, async () => {
+				entity.name = str;
+				await expect(validate(entity)).resolves.toBeEmptyArray();
+			});
+		}
+	});
 });
--- a/packages/cli/src/validators/no-xss.validator.ts
+++ b/packages/cli/src/validators/no-xss.validator.ts
@@ -1,11 +1,16 @@
+import xss from 'xss';
 import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator';
 import { registerDecorator, ValidatorConstraint } from 'class-validator';
-import sanitizeHtml from 'sanitize-html';

@ValidatorConstraint({ name: 'NoXss', async: false })
 class NoXssConstraint implements ValidatorConstraintInterface {
 	validate(value: string) {
-		return value === sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} });
+		return (
+			value ===
+			xss(value, {
+				whiteList: {}, // no tags are allowed
+			})
+		);
 	}

 	defaultMessage() {