fix(web): sanitize agent rerun modal HTML against stored XSS (#16516)

Harsh Kashyap
2026-07-01 11:08:31 +05:30
committed by GitHub
parent 400476f0b3
commit 572f1ea9f4
2 changed files with 20 additions and 4 deletions


@@ -0,0 +1,13 @@
import DOMPurify from 'dompurify';
describe('rerun modal content sanitization', () => {
it('strips unsafe html from interpolated pipeline step names', () => {
const step = '<img src=x onerror="alert(1)"><script>alert(1)</script>';
const html = `You are about to rerun the process starting from the <span class="text-text-secondary">${step}</span> step.`;
const sanitized = DOMPurify.sanitize(html);
expect(sanitized).not.toMatch(/onerror/i);
expect(sanitized).not.toContain('<script');
expect(sanitized).toContain('img');
});
});
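Review bot: This test never imports or renders the component that was fixed, so dropping the `DOMPurify.sanitize(...)` wrapper from `RerunButton` would leave it green — it only proves DOMPurify itself strips `onerror` and `<script>`, which the library's own suite already covers. Consider exporting a small helper from the component module (e.g. `sanitizeRerunModalContent(step?: { title?: string }): string`) that wraps the `t(...)` call and the sanitize, and asserting on its output here, or rendering `RerunButton` and inspecting the modal's `innerHTML`. The interpolation also differs from production: the component goes through i18next's `t()` interpolation, whose default `escapeValue` HTML-escapes `{{step}}` unless the app disabled it — worth a comment stating which configuration this test assumes, since that determines whether sanitization or escaping is the actual defence. Finally, the positive assertion could be tightened to the exact expected string (e.g. `expect(sanitized).toBe('You are about to rerun the process starting from the <span class="text-text-secondary"><img src="x"></span> step.')`) so the test also catches over-stripping of the legitimate `<span>`.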


@@ -2,6 +2,7 @@ import { TimelineNode } from '@/components/originui/timeline';
import SvgIcon from '@/components/svg-icon';
import { Button } from '@/components/ui/button';
import { Modal } from '@/components/ui/modal/modal';
import DOMPurify from 'dompurify';
import { CircleAlert } from 'lucide-react';
import { useTranslation } from 'react-i18next';
interface RerunButtonProps {
@@ -11,7 +12,7 @@ interface RerunButtonProps {
loading?: boolean;
}
const RerunButton = (props: RerunButtonProps) => {
const { className, step, onRerun, loading } = props;
const { step, onRerun, loading } = props;
const { t } = useTranslation();
const clickFunc = () => {
console.log('click rerun button');
@@ -22,9 +23,11 @@ const RerunButton = (props: RerunButtonProps) => {
children: (
<div
dangerouslySetInnerHTML={{
__html: t('dataflowParser.confirmRerunModalContent', {
step: step?.title,
}),
__html: DOMPurify.sanitize(
t('dataflowParser.confirmRerunModalContent', {
step: step?.title,
}),
),
}}
></div>
),
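Review bot: `DOMPurify.sanitize` with its default profile still allows `<img src="https://attacker.example/…">`, `<a href>`, inline `style`, etc., so a stored step title can still trigger outbound requests or visual spoofing from inside the confirmation modal even though script execution is blocked; the test file added in this commit shows the translation template's only markup is a `<span class="…">`, so the allow-list can be pinned down: `DOMPurify.sanitize(t('dataflowParser.confirmRerunModalContent', { step: step?.title }), { ALLOWED_TAGS: ['span'], ALLOWED_ATTR: ['class'] })`. A cleaner long-term fix is to stop injecting HTML at all and render the string with react-i18next's `<Trans i18nKey="dataflowParser.confirmRerunModalContent" values={{ step: step?.title }} components={{ span: <span className="text-text-secondary" /> }} />`, which lets React escape `step.title` as text and removes the `dangerouslySetInnerHTML` sink entirely. Whichever route is kept, a one-line comment above the `__html:` line should record why the markup is trusted — e.g. `// translation carries a <span>; step.title is user-controlled, so sanitize before injecting` — since the `dangerouslySetInnerHTML` will otherwise be flagged again on the next audit. The `RerunButton` body continues past the end of this hunk.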