Account for <a> tags

n8n-io · Aug 20, 2024 · d77887a · d77887a
1 parent 98f2fc2
commit d77887a
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/packages/cli/src/validators/__tests__/no-xss.validator.test.ts b/packages/cli/src/validators/__tests__/no-xss.validator.test.ts
@@ -16,7 +16,8 @@ describe('NoXss', () => {
 	const entity = new Entity();
 
 	describe('Scripts', () => {
-		const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>"];
+		// eslint-disable-next-line n8n-local-rules/no-unneeded-backticks
+		const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>", `<a href="#">Jack</a>`];
 
 		for (const str of XSS_STRINGS) {
 			test(`should block ${str}`, async () => {

diff --git a/packages/cli/src/validators/no-xss.validator.ts b/packages/cli/src/validators/no-xss.validator.ts
@@ -5,7 +5,12 @@ import { registerDecorator, ValidatorConstraint } from 'class-validator';
 @ValidatorConstraint({ name: 'NoXss', async: false })
 class NoXssConstraint implements ValidatorConstraintInterface {
 	validate(value: string) {
-		return value === xss(value);
+		return (
+			value ===
+			xss(value, {
+				whiteList: {}, // no tags are allowed
+			})
+		);
 	}
 
 	defaultMessage() {