Merge pull request #22 from docusign/DEVDOCS-16962

paigesrossi · web-flow · commit b83599619d36 · 2025-06-13T10:01:49.000-07:00
Devdocs 16962
diff --git a/client/src/components/Popups/WorkflowTriggerResult/WorkflowTriggerResult.jsx b/client/src/components/Popups/WorkflowTriggerResult/WorkflowTriggerResult.jsx
@@ -20,7 +20,9 @@ const WorkflowTriggerResult = ({ workflowInstanceUrl }) => {
     <div className={styles.popupContainer}>
       <img src={imgSuccess} alt="" />
       <h2>{textContent.popups.workflowTriggered.title}</h2>
-      <p className={styles.popupMessageContainer} dangerouslySetInnerHTML={{ __html: textContent.popups.workflowTriggered.description }}></p>
+      <p className={styles.popupMessageContainer}>
+        See <a href='https://developers.docusign.com/docs/maestro-api/maestro101/embed-workflow/#embedded-workflow-instance-recommendations-and-restrictions' target='_blank'>Embedded workflow instance recommendations and restrictions</a>.
+      </p>
       <a href={workflowInstanceUrl} target="_blank" rel="noreferrer" onClick={handleFinishTrigger}>
         {textContent.buttons.continue}
       </a>
diff --git a/client/src/components/WorkflowList/WorkflowList.jsx b/client/src/components/WorkflowList/WorkflowList.jsx
@@ -24,7 +24,7 @@ const WorkflowList = ({ items, interactionType, isLoading }) => {
       <div className={`list-group ${styles.listGroup}`}>
         <div className={styles.emptyListContainer}>
           <h2>{textContent.workflowList.doNotHaveWorkflow}</h2>
-          <h4 className={styles.resetStyle} dangerouslySetInnerHTML={{ __html: textContent.workflowList.pleaseCreateWorkflow }}></h4>
+          <p>Please <a href=''>manually create a workflow</a> in your account before using the sample app.</p>
         </div>
       </div>
     );
diff --git a/client/src/pages/TriggerWorkflowForm/TriggerWorkflowForm.jsx b/client/src/pages/TriggerWorkflowForm/TriggerWorkflowForm.jsx
@@ -17,7 +17,23 @@ const TriggerWorkflowForm = () => {
   const type = searchParams.get('type');
   const triggerUrl = searchParams.get('triggerUrl');
 
-  if (triggerUrl !== null) {
+  const triggerUrlPattern = /^https:\/\/(?!.*javascript)[^()]+$/i;
+  
+function isValidTriggerUrl(url) {
+  try {
+    const decoded = decodeURIComponent(url);
+    const parsedUrl = new URL(decoded);
+    // Only allow https and the exact hostname
+    return (
+      parsedUrl.protocol === 'https:' &&
+      parsedUrl.hostname === 'apps-d.docusign.com'
+    );
+  } catch {
+    return false;
+  }
+}
+  
+  if (triggerUrl !== null && isValidTriggerUrl(triggerUrl)) {
     return (
       <div className="page-box">
         <Header />
