fix(n8n Form Node): Add html table tags to allowedTags, CSP headers on form completion, free text sanitization removed (#19446)

2025-12-17 01:56:46 +00:00 · 2025-09-16 10:31:23 +03:00
parent fe9af0b753
commit 7ea920dbe7
5 changed files with 296 additions and 5 deletions
--- a/packages/nodes-base/nodes/Form/test/Form.node.test.ts
+++ b/packages/nodes-base/nodes/Form/test/Form.node.test.ts
@@ -245,7 +245,7 @@ describe('Form Node', () => {
 						message: 'Test Message',
 						redirectUrl: '',
 						title: 'Test Title',
-						responseText: '<div>hey</div>',
+						responseText: '<div>hey</div><script>alert("hi")</script>',
 						responseBinary: encodeURIComponent(JSON.stringify('')),
 					},
 				},
@@ -292,6 +292,7 @@ describe('Form Node', () => {
 				const mockResponseObject = {
 					render: jest.fn(),
 					redirect: jest.fn(),
+					setHeader: jest.fn(),
 				};
 				mockWebhookFunctions.getResponseObject.mockReturnValue(
 					mockResponseObject as unknown as Response,
@@ -375,6 +376,7 @@ describe('Form Node', () => {

 			const mockResponseObject = {
 				render: jest.fn(),
+				setHeader: jest.fn(),
 			};
 			mockWebhookFunctions.getResponseObject.mockReturnValue(
 				mockResponseObject as unknown as Response,
@@ -403,6 +405,7 @@ describe('Form Node', () => {
 				if (paramName === 'completionMessage') return 'Test Message';
 				if (paramName === 'redirectUrl') return 'https://n8n.io';
 				if (paramName === 'formFields.values') return [];
+				if (paramName === 'responseText') return '';

 				return {};
 			});
@@ -420,6 +423,7 @@ describe('Form Node', () => {
 				render: jest.fn(),
 				redirect: jest.fn(),
 				send: jest.fn(),
+				setHeader: jest.fn(),
 			};
 			mockWebhookFunctions.getResponseObject.mockReturnValue(
 				mockResponseObject as unknown as Response,