fix: Add XSS protection to flow visualization (issue #4326) #4327
+109
−14
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add DOMPurify CDN to HTML template for sanitizing HTML content - Add escapeHtml helper function to escape user-controlled text - Add sanitizeHtml function using DOMPurify with allowed tags/attributes - Apply sanitization to drawer content before setting innerHTML - Escape user-controlled values in renderTriggerCondition, renderConditionTree, and renderMetadata methods - Add tests to verify XSS protection is in place Co-Authored-By: João <joao@crewai.com>
Contributor
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fix: Add XSS protection to flow visualization (issue #4326)
Summary
This PR addresses a potential XSS vulnerability in the flow visualization component (
interactive.js) as reported in issue #4326. The visualization usesinnerHTMLto render drawer content including source code and metadata, which could originate from AI agent outputs.Changes:
escapeHtml()helper function to escape user-controlled text valuessanitizeHtml()function using DOMPurify with an allowlist of safe tags/attributessanitizeHtml()to drawer content before settinginnerHTMLescapeHtml()to user-controlled values inrenderTriggerCondition,renderConditionTree, andrenderMetadatamethodsReview & Testing Checklist for Human
ALLOWED_TAGSandALLOWED_ATTRinsanitizeHtml()include all legitimate tags/attributes needed for the drawer UI. Note:onmouseoverandonmouseoutare included - verify these are safe with DOMPurify's handling.sanitizeHtml()returns unsanitized HTML. Consider whether this is acceptable or if it should throw/return empty string instead.<script>alert(1)</script>,<img onerror=alert(1)>) through node names or metadata to verify they are properly sanitized.Notes
Closes #4326
Link to Devin run: https://app.devin.ai/sessions/9a0daac8e60c4f76a0f0e4371ec78644
Requested by: João