Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(editor): Fixing XSS vulnerability in toast messages #10329

Merged
merged 10 commits into from
Aug 8, 2024
Merged

fix(editor): Fixing XSS vulnerability in toast messages #10329

merged 10 commits into from
Aug 8, 2024

Conversation

MiloradFilipovic
Copy link
Contributor

Summary

Preventing XSS attacks via parameter values that end up in error messages by:

  1. Adding more strict rules to href sanitization
  2. Sanitizing all html that is passed to toast component with dangerouslyUseHTMLString = true
  3. Not rendering HTML in execution messages

Related Linear tickets, Github issues, and Community forum posts

Fixes SEC-78

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

@MiloradFilipovic MiloradFilipovic changed the title Sec 78 stored xss in toast fix(editor): Fixing XSS vulnerability in toast messages Aug 8, 2024
@n8n-assistant n8n-assistant bot added n8n team Authored by the n8n team ui Enhancement in /editor-ui or /design-system labels Aug 8, 2024
@cypress Cypress
Copy link

cypress bot commented Aug 8, 2024


Test summary

395 0 0 0Flakiness 0

Run details
Project n8n
Status Passed
Commit 997cc6e
Started Aug 8, 2024 2:00 PM
Ended Aug 8, 2024 2:04 PM
Duration 04:44 💡
OS Linux Debian -
Browser Electron 118

View run in Cypress Cloud ➡️

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Cloud

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 8, 2024

✅ All Cypress E2E specs passed

@MiloradFilipovic MiloradFilipovic merged commit 38bdd9f into master Aug 8, 2024
27 checks passed
@MiloradFilipovic MiloradFilipovic deleted the SEC-78-stored-xss-in-toast branch August 8, 2024 14:28
MiloradFilipovic added a commit that referenced this pull request Aug 9, 2024
@MiloradFilipovic
Merge branch 'master' into ask-assistant
badcb54 
* master:
  fix(core): Prevent XSS via static cache dir (#10339)
  fix(editor): Enable credential sharing between all types of projects (#10233)
  refactor(core): Extract webhook request handler to own file (#10301)
  feat: Allow sharing to and from team projects (no-changelog) (#10144)
  refactor(editor): Convert ChangePasswordModal to composition api (no-changelog) (#10337)
  docs: Change display name for WhatsApp Trigger API Credential (#10334)
  fix(core): Do not load ScalingService in regular mode (no-changelog) (#10333)
  docs: Update wording in X credentials (#10327)
  fix(editor): Fixing XSS vulnerability in toast messages (#10329)
  fix(core): Rate limit MFA activation and verification endpoints (#10330)
  refactor(core): Decouple emailing and workflow sharing from internal hooks (no-changelog) (#10326)
  refactor(core): Stop reporting disk I/O error to Sentry (no-changelog) (#10324)
@github-actions github-actions bot mentioned this pull request Aug 14, 2024
Merged
@janober
Copy link
Member

janober commented Aug 15, 2024

Got released with [email protected]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@netroy netroy netroy approved these changes

Assignees
No one assigned
Labels
n8n team Authored by the n8n team Released ui Enhancement in /editor-ui or /design-system
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MiloradFilipovic @janober @netroy