From 572f1ea9f4eba6a60e64f7437dee60aa1c0913f1 Mon Sep 17 00:00:00 2001
From: Harsh Kashyap
Date: Wed, 1 Jul 2026 11:08:31 +0530
Subject: [PATCH] fix(web): sanitize agent rerun modal HTML against stored XSS (#16516)

---
 .../rerun-button/__tests__/index.test.tsx | 13 +++++++++++++
 .../components/rerun-button/index.tsx | 11 +++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)
 create mode 100644 web/src/pages/dataflow-result/components/rerun-button/__tests__/index.test.tsx

diff --git a/web/src/pages/dataflow-result/components/rerun-button/__tests__/index.test.tsx b/web/src/pages/dataflow-result/components/rerun-button/__tests__/index.test.tsx
new file mode 100644
index 0000000000..997923148c
--- /dev/null
+++ b/web/src/pages/dataflow-result/components/rerun-button/__tests__/index.test.tsx
@@ -0,0 +1,13 @@
+import DOMPurify from 'dompurify';
+
+describe('rerun modal content sanitization', () => {
+  it('strips unsafe html from interpolated pipeline step names', () => {
+    const step = '';
+    const html = `You are about to rerun the process starting from the ${step} step.`;
+    const sanitized = DOMPurify.sanitize(html);
+
+    expect(sanitized).not.toMatch(/onerror/i);
+    expect(sanitized).not.toContain(' {
-  const { className, step, onRerun, loading } = props;
+  const { step, onRerun, loading } = props;
   const { t } = useTranslation();
   const clickFunc = () => {
     console.log('click rerun button');
@@ -22,9 +23,11 @@ const RerunButton = (props: RerunButtonProps) => {
       children: (
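Review bot: The new test in `index.test.tsx` calls `DOMPurify.sanitize(html)` directly and never renders `RerunButton`, so it verifies the library rather than the component; if the sanitization call in `index.tsx` were later dropped, this test would still pass. Rendering the component with a hostile `step` prop and asserting on the modal's resulting DOM would pin the actual fix. The assertions also check only what is absent; adding `expect(sanitized).toContain('You are about to rerun the process')` guards against a sanitizer configuration that strips the whole message. The `step` fixture and the second `toContain` assertion appear garbled in this rendering of the patch, so the exact payload under test could not be checked here.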
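Review bot: `className` is dropped from the props destructure in the changed `-`/`+` pair, but nothing visible removes it from `RerunButtonProps`, whose declaration sits outside the hunk; if the type still declares it, callers can keep passing a class that is now silently ignored. Either remove the field from the type in the same change or keep `className` in the destructure and apply it where it was previously used. The hunk header for this file appears to be lost in this rendering of the patch, and `RerunButton`'s body continues past the hunk.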
),