fix(editor): Prevent clipboard xss injection #10894
Conversation
🚀
✅ All Cypress E2E specs passed

n8n Run #6965

| Run property | Value |
|---|---|
| Project | n8n |
| Branch Review | prevent-clpiboard-xss-injection |
| Run status | Passed #6965 |
| Run duration | 04m 45s |
| Commit | 809b4b2ba7: 🌳 🖥️ browsers:node18.12.0-chrome107 🤖 r00gm 🗃️ e2e/* |
| Committer | r00gm |

| Test results | Count |
|---|---|
| Failures | 0 |
| Flaky | 0 |
| Pending | 0 |
| Skipped | 0 |
| Passing | 430 |
Got released with

@z00z00z00 the change in commit 180fc4b didn't actually fix all the cases and it introduced other issues. That's why it was reverted. The actual fix is in commit 809b4b2

Thanks @tomi for your reply.

@z00z00z00 Because of how our PR merge & patch release process works, the commit hashes don't match. PRs are squash merged, so all the commits in the PR are squashed into a single commit, which gets its own commit hash. For patch releases we cherry-pick the commits we want to introduce to the patch release, which also results in separate hashes. The commits that include the fix are: Hope this clarifies the situation.
Summary
There is no need for the extra sanitization of the clipboard data, since it's already done in the composable that renders the HTML.
It also fixes the issue of HTML node code.
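The summary above makes a general point: escape at the rendering boundary, not at paste time, because stripping markup on paste also destroys legitimate content such as the HTML node's own code. The following is an added illustration of that reasoning, not n8n's code; `sanitizeOnPaste`, `pasteVerbatim` and `renderNodeLabel` are hypothetical stand-ins, and the clipboard payload is constructed.

```javascript
// Added illustration (not n8n's code): sanitize where a value is rendered
// into HTML, and keep the pasted node data itself verbatim.

// Escape the characters that matter when text lands in an HTML context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The "before" approach: strip tags from everything pasted. It silently
// corrupts parameters that legitimately contain markup, such as HTML node code.
function sanitizeOnPaste(workflow) {
  const stripTags = (s) => String(s).replace(/<[^>]*>/g, '');
  return {
    nodes: workflow.nodes.map((n) => ({
      ...n,
      name: stripTags(n.name),
      parameters: Object.fromEntries(
        Object.entries(n.parameters).map(([k, v]) => [k, stripTags(v)])
      ),
    })),
  };
}

// The "after" approach: accept the clipboard payload as-is ...
function pasteVerbatim(workflow) {
  return JSON.parse(JSON.stringify(workflow));
}

// ... and escape only at the point where a value is rendered into HTML
// (hypothetical stand-in for the rendering composable the PR refers to).
function renderNodeLabel(node) {
  return `<span class="node-name">${escapeHtml(node.name)}</span>`;
}

// Constructed clipboard payload: a node name carrying markup, plus an HTML
// node whose code parameter legitimately contains tags.
const CLIPBOARD = {
  nodes: [
    { name: '<b>Start</b>', parameters: {} },
    { name: 'HTML', parameters: { html: '<h1>{{ $json.title }}</h1>' } },
  ],
};
```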
Related Linear tickets, Github issues, and Community forum posts
https://linear.app/n8n/issue/SEC-119/xss-vulnerability-when-pasting-into-canvas#comment-3c30c988
Review / Merge checklist
- release/backport (if the PR is an urgent fix that needs to be backported)