fix(richtext-lexical): ensure html converter text is escaped (#7919)

2024-08-28 10:31:06 -04:00
parent 375671c162
commit c7e7dc71d3
5 changed files with 54 additions and 13 deletions
--- a/packages/richtext-lexical/package.json
+++ b/packages/richtext-lexical/package.json
@@ -62,6 +62,7 @@
    "@types/uuid": "10.0.0",
    "bson-objectid": "2.0.4",
    "dequal": "2.0.3",
+    "escape-html": "1.0.3",
    "lexical": "0.17.0",
    "react-error-boundary": "4.0.13",
    "uuid": "10.0.0"
@@ -77,6 +78,7 @@
    "@payloadcms/next": "workspace:*",
    "@payloadcms/translations": "workspace:*",
    "@payloadcms/ui": "workspace:*",
+    "@types/escape-html": "1.0.4",
    "@types/json-schema": "7.0.15",
    "@types/node": "20.12.5",
    "@types/react": "npm:types-react@19.0.0-rc.0",
--- a/packages/richtext-lexical/src/features/converters/html/converter/converters/text.ts
+++ b/packages/richtext-lexical/src/features/converters/html/converter/converters/text.ts
@@ -1,12 +1,14 @@
 import type { SerializedTextNode } from 'lexical'

+import escapeHTML from 'escape-html'
+
 import type { HTMLConverter } from '../types.js'

 import { NodeFormat } from '../../../../../lexical/utils/nodeFormat.js'

 export const TextHTMLConverter: HTMLConverter<SerializedTextNode> = {
  converter({ node }) {
-    let text = node.text
+    let text = escapeHTML(node.text)

    if (node.format & NodeFormat.IS_BOLD) {
      text = `<strong>${text}</strong>`
--- a/packages/richtext-lexical/src/features/link/server/index.ts
+++ b/packages/richtext-lexical/src/features/link/server/index.ts
@@ -1,5 +1,6 @@
 import type { CollectionSlug, Config, Field, FieldAffectingData, SanitizedConfig } from 'payload'

+import escapeHTML from 'escape-html'
 import { sanitizeFields } from 'payload'
 import { deepCopyObject } from 'payload/shared'

@@ -194,7 +195,7 @@ export const LinkFeature = createServerFeature<

                const href: string =
                  node.fields.linkType === 'custom'
-                    ? node.fields.url
+                    ? escapeHTML(node.fields.url)
                    : (node.fields.doc?.value as string)

                return `<a href="${href}"${target}${rel}>${childrenText}</a>`
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -143,7 +143,7 @@ importers:
        version: 9.4.1(@aws-sdk/credential-providers@3.630.0(@aws-sdk/client-sso-oidc@3.629.0(@aws-sdk/client-sts@3.629.0)))
      next:
        specifier: 15.0.0-canary.104
-        version: 15.0.0-canary.104(@babel/core@7.25.2)(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@0.0.0-experimental-48eb8f4-20240822)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4)
+        version: 15.0.0-canary.104(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@0.0.0-experimental-48eb8f4-20240822)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4)
      open:
        specifier: ^10.1.0
        version: 10.1.0
@@ -963,7 +963,7 @@ importers:
        version: link:../payload
      ts-jest:
        specifier: ^29.1.0
-        version: 29.2.4(@babel/core@7.25.2)(@jest/transform@29.7.0)(@jest/types@29.6.3)(babel-jest@29.7.0(@babel/core@7.25.2))(esbuild@0.19.12)(jest@29.7.0(@types/node@20.12.5)(babel-plugin-macros@3.1.0))(typescript@5.5.4)
+        version: 29.2.4(@babel/core@7.25.2)(@jest/transform@29.7.0)(@jest/types@29.6.3)(babel-jest@29.7.0(@babel/core@7.25.2))(jest@29.7.0(@types/node@20.12.5)(babel-plugin-macros@3.1.0))(typescript@5.5.4)

  packages/plugin-cloud-storage:
    dependencies:
@@ -1160,7 +1160,7 @@ importers:
        version: link:../payload
      ts-jest:
        specifier: ^29.1.0
-        version: 29.2.4(@babel/core@7.25.2)(@jest/transform@29.7.0)(@jest/types@29.6.3)(babel-jest@29.7.0(@babel/core@7.25.2))(esbuild@0.19.12)(jest@29.7.0(@types/node@20.12.5)(babel-plugin-macros@3.1.0))(typescript@5.5.4)
+        version: 29.2.4(@babel/core@7.25.2)(@jest/transform@29.7.0)(@jest/types@29.6.3)(babel-jest@29.7.0(@babel/core@7.25.2))(jest@29.7.0(@types/node@20.12.5)(babel-plugin-macros@3.1.0))(typescript@5.5.4)

  packages/plugin-seo:
    dependencies:
@@ -1283,6 +1283,9 @@ importers:
      dequal:
        specifier: 2.0.3
        version: 2.0.3
+      escape-html:
+        specifier: 1.0.3
+        version: 1.0.3
      lexical:
        specifier: 0.17.0
        version: 0.17.0
@@ -1329,6 +1332,9 @@ importers:
      '@payloadcms/ui':
        specifier: workspace:*
        version: link:../ui
+      '@types/escape-html':
+        specifier: 1.0.4
+        version: 1.0.4
      '@types/json-schema':
        specifier: 7.0.15
        version: 7.0.15
@@ -1467,7 +1473,7 @@ importers:
        version: link:../plugin-cloud-storage
      uploadthing:
        specifier: ^6.10.1
-        version: 6.13.2(express@4.19.2)(next@15.0.0-canary.104(@babel/core@7.25.2)(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@0.0.0-experimental-48eb8f4-20240822)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4))
+        version: 6.13.2(express@4.19.2)(next@15.0.0-canary.104(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4))
    devDependencies:
      payload:
        specifier: workspace:*
@@ -1798,7 +1804,7 @@ importers:
        version: 0.17.0
      next:
        specifier: 15.0.0-canary.104
-        version: 15.0.0-canary.104(@babel/core@7.25.2)(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@0.0.0-experimental-48eb8f4-20240822)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4)
+        version: 15.0.0-canary.104(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@0.0.0-experimental-48eb8f4-20240822)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4)
      payload:
        specifier: workspace:*
        version: link:../packages/payload
@@ -1828,7 +1834,7 @@ importers:
        version: 5.5.4
      uploadthing:
        specifier: ^6.10.1
-        version: 6.13.2(express@4.19.2)(next@15.0.0-canary.104(@babel/core@7.25.2)(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@0.0.0-experimental-48eb8f4-20240822)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4))
+        version: 6.13.2(express@4.19.2)(next@15.0.0-canary.104(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4))
      uuid:
        specifier: 10.0.0
        version: 10.0.0
@@ -7244,7 +7250,6 @@ packages:

  libsql@0.3.19:
    resolution: {integrity: sha512-Aj5cQ5uk/6fHdmeW0TiXK42FqUlwx7ytmMLPSaUQPin5HKKKuUPD62MAbN4OEweGBBI7q1BekoEN4gPUEL6MZA==}
-    cpu: [x64, arm64, wasm32]
    os: [darwin, linux, win32]

  lie@3.1.1:
@@ -16937,6 +16942,36 @@ snapshots:
      - '@babel/core'
      - babel-plugin-macros

+  next@15.0.0-canary.104(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@0.0.0-experimental-48eb8f4-20240822)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4):
+    dependencies:
+      '@next/env': 15.0.0-canary.104
+      '@swc/counter': 0.1.3
+      '@swc/helpers': 0.5.12
+      busboy: 1.6.0
+      caniuse-lite: 1.0.30001651
+      graceful-fs: 4.2.11
+      postcss: 8.4.31
+      react: 19.0.0-rc-06d0b89e-20240801
+      react-dom: 19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801)
+      styled-jsx: 5.1.6(@babel/core@7.25.2)(babel-plugin-macros@3.1.0)(react@19.0.0-rc-06d0b89e-20240801)
+    optionalDependencies:
+      '@next/swc-darwin-arm64': 15.0.0-canary.104
+      '@next/swc-darwin-x64': 15.0.0-canary.104
+      '@next/swc-linux-arm64-gnu': 15.0.0-canary.104
+      '@next/swc-linux-arm64-musl': 15.0.0-canary.104
+      '@next/swc-linux-x64-gnu': 15.0.0-canary.104
+      '@next/swc-linux-x64-musl': 15.0.0-canary.104
+      '@next/swc-win32-arm64-msvc': 15.0.0-canary.104
+      '@next/swc-win32-ia32-msvc': 15.0.0-canary.104
+      '@next/swc-win32-x64-msvc': 15.0.0-canary.104
+      '@playwright/test': 1.46.0
+      babel-plugin-react-compiler: 0.0.0-experimental-48eb8f4-20240822
+      sass: 1.77.4
+      sharp: 0.33.4
+    transitivePeerDependencies:
+      - '@babel/core'
+      - babel-plugin-macros
+
  nice-napi@1.0.2:
    dependencies:
      node-addon-api: 3.2.1
@@ -18529,7 +18564,7 @@ snapshots:
    dependencies:
      typescript: 5.5.4

-  ts-jest@29.2.4(@babel/core@7.25.2)(@jest/transform@29.7.0)(@jest/types@29.6.3)(babel-jest@29.7.0(@babel/core@7.25.2))(esbuild@0.19.12)(jest@29.7.0(@types/node@20.12.5)(babel-plugin-macros@3.1.0))(typescript@5.5.4):
+  ts-jest@29.2.4(@babel/core@7.25.2)(@jest/transform@29.7.0)(@jest/types@29.6.3)(babel-jest@29.7.0(@babel/core@7.25.2))(jest@29.7.0(@types/node@20.12.5)(babel-plugin-macros@3.1.0))(typescript@5.5.4):
    dependencies:
      bs-logger: 0.2.6
      ejs: 3.1.10
@@ -18547,7 +18582,6 @@ snapshots:
      '@jest/transform': 29.7.0
      '@jest/types': 29.6.3
      babel-jest: 29.7.0(@babel/core@7.25.2)
-      esbuild: 0.19.12

  tslib@1.14.1: {}

@@ -18715,7 +18749,7 @@ snapshots:
      escalade: 3.1.2
      picocolors: 1.0.1

-  uploadthing@6.13.2(express@4.19.2)(next@15.0.0-canary.104(@babel/core@7.25.2)(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@0.0.0-experimental-48eb8f4-20240822)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4)):
+  uploadthing@6.13.2(express@4.19.2)(next@15.0.0-canary.104(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4)):
    dependencies:
      '@effect/schema': 0.68.12(effect@3.4.5)
      '@uploadthing/mime-types': 0.2.10
@@ -18725,7 +18759,7 @@ snapshots:
      std-env: 3.7.0
    optionalDependencies:
      express: 4.19.2
-      next: 15.0.0-canary.104(@babel/core@7.25.2)(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@0.0.0-experimental-48eb8f4-20240822)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4)
+      next: 15.0.0-canary.104(@playwright/test@1.46.0)(babel-plugin-macros@3.1.0)(babel-plugin-react-compiler@0.0.0-experimental-48eb8f4-20240822)(react-dom@19.0.0-rc-06d0b89e-20240801(react@19.0.0-rc-06d0b89e-20240801))(react@19.0.0-rc-06d0b89e-20240801)(sass@1.77.4)

  uri-js@4.4.1:
    dependencies:
--- a/test/fields/payload-types.ts
+++ b/test/fields/payload-types.ts
@@ -77,6 +77,7 @@ export interface Config {
 export interface UserAuthOperations {
  forgotPassword: {
    email: string;
+    password: string;
  };
  login: {
    email: string;
@@ -88,6 +89,7 @@ export interface UserAuthOperations {
  };
  unlock: {
    email: string;
+    password: string;
  };
 }
 /**