fix(Form Node): Improve form rendering consistency (backport to release-candidate/2.11.x) (#26652)

Co-authored-by: Dawid Myslak <dawid.myslak@gmail.com>

Author: n8n-assistant[bot]

packages/core/src/__tests__/html-sandbox.test.ts

@@ -29,7 +29,7 @@ describe('getWebhookSandboxCSP', () => {
 	it('should return correct CSP sandbox directive', () => {
 		const csp = getWebhookSandboxCSP();
 		expect(csp).toBe(
-			'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols',
+			'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols',
 		);
 	});
 

packages/core/src/html-sandbox.ts

@@ -9,5 +9,5 @@ export const isWebhookHtmlSandboxingDisabled = () => {
  * Returns the CSP header value that sandboxes the HTML page into a separate origin.
  */
 export const getWebhookSandboxCSP = (): string => {
-	return 'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols';
+	return 'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols';
 };

packages/nodes-base/nodes/Form/test/formCompletionUtils.test.ts

@@ -329,7 +329,7 @@ describe('formCompletionUtils', () => {
 
 			expect(mockResponse.setHeader).toHaveBeenCalledWith(
 				'Content-Security-Policy',
-				'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols',
+				'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols',
 			);
 			expect(mockResponse.render).toHaveBeenCalled();
 		});

packages/nodes-base/nodes/Form/test/formNodeUtils.test.ts

@@ -122,6 +122,50 @@ describe('formNodeUtils', () => {
 		});
 	});
 
+	it('should sanitize formDescription', async () => {
+		webhookFunctions.getNode.mockReturnValue({ typeVersion: 2.1 } as any);
+
+		const testCases = [
+			{
+				description: '<script>alert("hello world")</script>',
+				expected: '',
+			},
+			{
+				description: '<i>hello</i>',
+				expected: '<i>hello</i>',
+			},
+			{
+				description: 'Plain text description',
+				expected: 'Plain text description',
+			},
+			{
+				description: '<style>body { display: none; }</style><b>visible</b>',
+				expected: '<b>visible</b>',
+			},
+		];
+
+		const formFields: FormFieldsParameter = [];
+		const triggerMock = mock<NodeTypeAndVersion>({ name: 'triggerName' } as any);
+
+		for (const { description, expected } of testCases) {
+			webhookFunctions.getNodeParameter.calledWith('options').mockReturnValue({
+				formTitle: 'Test Title',
+				formDescription: description,
+				buttonLabel: 'Submit',
+			});
+
+			const mockRender = jest.fn();
+			const res = mock<Response>({ render: mockRender } as any);
+
+			await renderFormNode(webhookFunctions, res, triggerMock, formFields, 'test');
+
+			expect(mockRender).toHaveBeenCalledWith(
+				'form-trigger',
+				expect.objectContaining({ formDescription: expected }),
+			);
+		}
+	});
+
 	describe('getFormTriggerNode', () => {
 		const mockCurrentNode = { name: 'currentNode' };
 

packages/nodes-base/nodes/Form/test/utils.test.ts

@@ -703,7 +703,7 @@ describe('FormTrigger, formWebhook', () => {
 
 		expect(mockSetHeader).toHaveBeenCalledWith(
 			'Content-Security-Policy',
-			'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols',
+			'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols',
 		);
 	});
 

packages/nodes-base/nodes/Form/utils/formCompletionUtils.ts

@@ -11,7 +11,7 @@ import {
 import { handleNewlines, sanitizeCustomCss, sanitizeHtml, validateSafeRedirectUrl } from './utils';
 
 const SANDBOX_CSP =
-	'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols';
+	'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols';
 
 const getBinaryDataFromNode = (context: IWebhookFunctions, nodeName: string): IDataObject => {
 	return context.evaluateExpression(`{{ $('${nodeName}').first().binary }}`) as IDataObject;

packages/nodes-base/nodes/Form/utils/formNodeUtils.ts

@@ -8,7 +8,7 @@ import {
 	FORM_TRIGGER_NODE_TYPE,
 } from 'n8n-workflow';
 
-import { renderForm } from './utils';
+import { handleNewlines, renderForm, sanitizeHtml } from './utils';
 
 export const renderFormNode = async (
 	context: IWebhookFunctions,
@@ -29,7 +29,7 @@ export const renderFormNode = async (
 		title = context.evaluateExpression(`{{ $('${trigger?.name}').params.formTitle }}`) as string;
 	}
 
-	const description = options.formDescription ?? '';
+	const description = handleNewlines(sanitizeHtml(options.formDescription ?? ''));
 
 	let buttonLabel = options.buttonLabel;
 	if (!buttonLabel) {

packages/nodes-base/utils/sendAndWait/test/util.test.ts

@@ -278,7 +278,7 @@ describe('Send and Wait utils tests', () => {
 
 			expect(mockSetHeader).toHaveBeenCalledWith(
 				'Content-Security-Policy',
-				'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols',
+				'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols',
 			);
 
 			expect(mockRender).toHaveBeenCalledWith('form-trigger', {
@@ -364,7 +364,7 @@ describe('Send and Wait utils tests', () => {
 
 			expect(mockSetHeader).toHaveBeenCalledWith(
 				'Content-Security-Policy',
-				'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols',
+				'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols',
 			);
 
 			expect(mockRender).toHaveBeenCalledWith('form-trigger', {

packages/testing/playwright/tests/e2e/api/webhook-isolation.spec.ts

@@ -1,45 +1,47 @@
 import { test, expect } from '../../../fixtures/base';
 
-test.describe('Webhook Origin Isolation', {
-	annotation: [
-		{ type: 'owner', description: 'Catalysts' },
-	],
-}, () => {
-	test.beforeAll(async ({ api }) => {
-		await api.workflows.importWorkflowFromFile('webhook-origin-isolation.json', {
-			makeUnique: false,
+test.describe(
+	'Webhook Origin Isolation',
+	{
+		annotation: [{ type: 'owner', description: 'Catalysts' }],
+	},
+	() => {
+		test.beforeAll(async ({ api }) => {
+			await api.workflows.importWorkflowFromFile('webhook-origin-isolation.json', {
+				makeUnique: false,
+			});
 		});
-	});
 
-	const webhookPaths = [
-		'webhook-response-data-text-html',
-		'webhook-response-data-wo-content-type',
-		'webhook-last-node-no-content-type-header',
-		'webhook-last-node-text-html-header',
-		'webhook-last-node-text-html-content-type',
-		'webhook-response-data-csp-header',
-		'webhook-last-node-csp-header',
-		'webhook-last-node-binary-text-html',
-		'webhook-last-node-binary-no-content-type',
-		'webhook-last-node-binary-csp-header',
-		'respond-to-webhook-text-no-content-type',
-		'respond-to-webhook-text-content-type-text-html',
-		'respond-to-webhook-text-csp-header',
-		'respond-to-webhook-json-as-text-html',
-	];
+		const webhookPaths = [
+			'webhook-response-data-text-html',
+			'webhook-response-data-wo-content-type',
+			'webhook-last-node-no-content-type-header',
+			'webhook-last-node-text-html-header',
+			'webhook-last-node-text-html-content-type',
+			'webhook-response-data-csp-header',
+			'webhook-last-node-csp-header',
+			'webhook-last-node-binary-text-html',
+			'webhook-last-node-binary-no-content-type',
+			'webhook-last-node-binary-csp-header',
+			'respond-to-webhook-text-no-content-type',
+			'respond-to-webhook-text-content-type-text-html',
+			'respond-to-webhook-text-csp-header',
+			'respond-to-webhook-json-as-text-html',
+		];
 
-	const expectedCSP =
-		'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols';
+		const expectedCSP =
+			'sandbox allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-presentation allow-scripts allow-top-navigation-by-user-activation allow-top-navigation-to-custom-protocols';
 
-	for (const webhookPath of webhookPaths) {
-		test(`Webhook responses should include the correct response headers for ${webhookPath}`, async ({
-			api,
-		}) => {
-			const webhookResponse = await api.webhooks.trigger(`/webhook/${webhookPath}`);
-			expect(webhookResponse.ok()).toBe(true);
+		for (const webhookPath of webhookPaths) {
+			test(`Webhook responses should include the correct response headers for ${webhookPath}`, async ({
+				api,
+			}) => {
+				const webhookResponse = await api.webhooks.trigger(`/webhook/${webhookPath}`);
+				expect(webhookResponse.ok()).toBe(true);
 
-			const headers = webhookResponse.headers();
-			expect(headers['content-security-policy']).toBe(expectedCSP);
-		});
-	}
-});
+				const headers = webhookResponse.headers();
+				expect(headers['content-security-policy']).toBe(expectedCSP);
+			});
+		}
+	},
+);