feat: prevent url injection

n8n-io · Sep 20, 2024 · 180fc4b · 180fc4b
1 parent 48294e7
commit 180fc4b
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/packages/editor-ui/src/composables/__tests__/useClipboard.test.ts b/packages/editor-ui/src/composables/__tests__/useClipboard.test.ts
@@ -81,4 +81,13 @@ describe('useClipboard()', () => {
 		await userEvent.paste(unsafeHtml);
 		expect(within(getByTestId('xss-attack')).queryByRole('img')).not.toBeInTheDocument();
 	});
+
+	it('sanitizes URL with HTML tags', async () => {
+		// eslint-disable-next-line n8n-local-rules/no-unneeded-backticks
+		const unsafeURL = `https://www.ex.com/sfefdfd<details title='"><details title=&#39;&quot;><img/src/onerror=alert(document.domain)>/&#39;>'>/c.json`;
+		const { getByTestId } = render(TestComponent);
+
+		await userEvent.paste(unsafeURL);
+		expect(getByTestId('xss-attack').innerHTML).toBe('https://www.ex.com/sfefdfd/c.json');
+	});
 });
diff --git a/packages/editor-ui/src/composables/useClipboard.ts b/packages/editor-ui/src/composables/useClipboard.ts
@@ -1,7 +1,7 @@
 import { onBeforeUnmount, onMounted, ref } from 'vue';
 import { useClipboard as useClipboardCore } from '@vueuse/core';
 import { useDebounce } from '@/composables/useDebounce';
-import { sanitizeIfString } from '@/utils/htmlUtils';
+import sanitize from 'sanitize-html';
 
 type ClipboardEventFn = (data: string, event?: ClipboardEvent) => void;
 
@@ -43,7 +43,7 @@ export function useClipboard(
 
 		const clipboardData = event.clipboardData;
 		if (clipboardData !== null) {
-			const clipboardValue = sanitizeIfString(clipboardData.getData('text/plain'));
+			const clipboardValue = sanitize(clipboardData.getData('text/plain'));
 			onPasteCallback.value(clipboardValue, event);
 		}
 	}