fix(core): Replace sanitize-html with xss in XSS validator constraint (#10479)

packages/cli/package.json

@@ -155,7 +155,6 @@
     "reflect-metadata": "0.2.2",
     "replacestream": "4.0.3",
     "samlify": "2.8.9",
-    "sanitize-html": "2.12.1",
     "semver": "7.5.4",
     "shelljs": "0.8.5",
     "simple-git": "3.17.0",
@@ -172,6 +171,7 @@
     "ws": "8.17.1",
     "xml2js": "catalog:",
     "xmllint-wasm": "3.0.1",
+    "xss": "^1.0.14",
     "yamljs": "0.3.0",
     "zod": "3.22.4"
   }

packages/cli/src/validators/__tests__/no-xss.validator.test.ts

@@ -16,7 +16,8 @@ describe('NoXss', () => {
 	const entity = new Entity();
 
 	describe('Scripts', () => {
-		const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>"];
+		// eslint-disable-next-line n8n-local-rules/no-unneeded-backticks
+		const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>", `<a href="#">Jack</a>`];
 
 		for (const str of XSS_STRINGS) {
 			test(`should block ${str}`, async () => {
@@ -69,4 +70,15 @@ describe('NoXss', () => {
 			});
 		}
 	});
+
+	describe('Miscellanous strings', () => {
+		const VALID_MISCELLANEOUS_STRINGS = ['CI/CD'];
+
+		for (const str of VALID_MISCELLANEOUS_STRINGS) {
+			test(`should allow ${str}`, async () => {
+				entity.name = str;
+				await expect(validate(entity)).resolves.toBeEmptyArray();
+			});
+		}
+	});
 });

packages/cli/src/validators/no-xss.validator.ts

@@ -1,11 +1,16 @@
+import xss from 'xss';
 import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator';
 import { registerDecorator, ValidatorConstraint } from 'class-validator';
-import sanitizeHtml from 'sanitize-html';
 
 @ValidatorConstraint({ name: 'NoXss', async: false })
 class NoXssConstraint implements ValidatorConstraintInterface {
 	validate(value: string) {
-		return value === sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} });
+		return (
+			value ===
+			xss(value, {
+				whiteList: {}, // no tags are allowed
+			})
+		);
 	}
 
 	defaultMessage() {