fix: change friendlyAttrValue to escapeAttrValue

n8n-io · Sep 20, 2024 · 809b4b2 · 809b4b2
1 parent 24a1fa9
commit 809b4b2
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/packages/editor-ui/src/utils/__tests__/htmlUtils.spec.ts b/packages/editor-ui/src/utils/__tests__/htmlUtils.spec.ts
@@ -37,4 +37,18 @@ describe('sanitizeHtml', () => {
 		const result = sanitizeHtml(dirtyHtml);
 		expect(result).toBe('<a>Click me</a>');
 	});
+
+	test.each([
+		[
+			'https://www.ex.com/sfefdfd<img/src/onerror=alert(1)>fdf/xdfef.json',
+			'https://www.ex.com/sfefdfdfdf/xdfef.json',
+		],
+		[
+			// eslint-disable-next-line n8n-local-rules/no-unneeded-backticks
+			`https://www.ex.com/sfefdfd<details title='"><img/src/onerror=alert(document.domain)>/ '>/c.json`,
+			'https://www.ex.com/sfefdfd<details title="&quot;&gt;&lt;img/src/onerror=alert(document.domain)&gt;/">/c.json',
+		],
+	])('should escape js code %s to equal %s', (dirtyURL, expected) => {
+		expect(sanitizeHtml(dirtyURL)).toBe(expected);
+	});
 });
diff --git a/packages/editor-ui/src/utils/htmlUtils.ts b/packages/editor-ui/src/utils/htmlUtils.ts
@@ -1,4 +1,4 @@
-import xss, { friendlyAttrValue } from 'xss';
+import xss, { escapeAttrValue } from 'xss';
 import { ALLOWED_HTML_ATTRIBUTES, ALLOWED_HTML_TAGS } from '@/constants';
 
 /*
@@ -22,7 +22,7 @@ export function sanitizeHtml(dirtyHtml: string) {
 				if (name === 'href' && !value.match(/^https?:\/\//gm)) {
 					return '';
 				}
-				return `${name}="${friendlyAttrValue(value)}"`;
+				return `${name}="${escapeAttrValue(value)}"`;
 			}
 
 			return;