fix(n8n Form Node): Prevent XSS with video and source tags (#16329)

packages/nodes-base/nodes/Form/utils/formNodeUtils.ts

@@ -0,0 +1,59 @@
+import { type Response } from 'express';
+import {
+	type NodeTypeAndVersion,
+	type IWebhookFunctions,
+	type FormFieldsParameter,
+	type IWebhookResponseData,
+} from 'n8n-workflow';
+
+import { renderForm } from './utils';
+
+export const renderFormNode = async (
+	context: IWebhookFunctions,
+	res: Response,
+	trigger: NodeTypeAndVersion,
+	fields: FormFieldsParameter,
+	mode: 'test' | 'production',
+): Promise<IWebhookResponseData> => {
+	const options = context.getNodeParameter('options', {}) as {
+		formTitle: string;
+		formDescription: string;
+		buttonLabel: string;
+		customCss?: string;
+	};
+
+	let title = options.formTitle;
+	if (!title) {
+		title = context.evaluateExpression(`{{ $('${trigger?.name}').params.formTitle }}`) as string;
+	}
+
+	let buttonLabel = options.buttonLabel;
+	if (!buttonLabel) {
+		buttonLabel =
+			(context.evaluateExpression(
+				`{{ $('${trigger?.name}').params.options?.buttonLabel }}`,
+			) as string) || 'Submit';
+	}
+
+	const appendAttribution = context.evaluateExpression(
+		`{{ $('${trigger?.name}').params.options?.appendAttribution === false ? false : true }}`,
+	) as boolean;
+
+	renderForm({
+		context,
+		res,
+		formTitle: title,
+		formDescription: options.formDescription,
+		formFields: fields,
+		responseMode: 'responseNode',
+		mode,
+		redirectUrl: undefined,
+		appendAttribution,
+		buttonLabel,
+		customCss: options.customCss,
+	});
+
+	return {
+		noWebhookResponse: true,
+	};
+};