fix: replace isomorphic-dompurify with sanitize-html in server component (#7002)

2026-02-21 10:08:34 -06:00 · 2025-12-18 23:34:56 -08:00
parent 13b983b3b2
commit befdc078f1
3 changed files with 51 additions and 8 deletions
--- a/apps/web/modules/survey/follow-ups/components/follow-up-email.tsx
+++ b/apps/web/modules/survey/follow-ups/components/follow-up-email.tsx
@@ -1,6 +1,6 @@
 import { Column, Hr, Row, Text } from "@react-email/components";
-import dompurify from "isomorphic-dompurify";
 import React from "react";
+import sanitizeHtml from "sanitize-html";
 import { TSurveyFollowUp } from "@formbricks/database/types/survey-follow-up";
 import { TResponse } from "@formbricks/types/responses";
 import { TSurvey } from "@formbricks/types/surveys/types";
@@ -35,11 +35,16 @@ export async function FollowUpEmail(props: FollowUpEmailProps): Promise<React.JS
      <>
        <div
          dangerouslySetInnerHTML={{
-            __html: dompurify.sanitize(body, {
-              ALLOWED_TAGS: ["p", "span", "b", "strong", "i", "em", "a", "br"],
-              ALLOWED_ATTR: ["href", "rel", "dir", "class"],
-              ALLOWED_URI_REGEXP: /^https?:\/\//, // Only allow safe URLs starting with http or https
-              ADD_ATTR: ["target"], // Optional: Allow 'target' attribute for links (e.g., _blank)
+            __html: sanitizeHtml(body, {
+              allowedTags: ["p", "span", "b", "strong", "i", "em", "a", "br"],
+              allowedAttributes: {
+                a: ["href", "rel", "target"],
+                "*": ["dir", "class"],
+              },
+              allowedSchemes: ["http", "https"],
+              allowedSchemesByTag: {
+                a: ["http", "https"],
+              },
            }),
          }}
        />
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -72,8 +72,8 @@
    "@radix-ui/react-tooltip": "1.2.6",
    "@react-email/components": "0.0.38",
    "@sentry/nextjs": "10.5.0",
-    "@tailwindcss/forms": "0.5.10",
    "@t3-oss/env-nextjs": "0.13.4",
+    "@tailwindcss/forms": "0.5.10",
    "@tailwindcss/typography": "0.5.16",
    "@tanstack/react-table": "8.21.3",
    "@ungap/structured-clone": "1.3.0",
@@ -111,16 +111,17 @@
    "prismjs": "1.30.0",
    "qr-code-styling": "1.9.2",
    "qrcode": "1.5.4",
+    "react-calendar": "5.1.0",
    "react-colorful": "5.6.1",
    "react-confetti": "6.4.0",
    "react-day-picker": "9.6.7",
    "react-hook-form": "7.56.2",
    "react-hot-toast": "2.5.2",
-    "react-calendar": "5.1.0",
    "react-i18next": "15.7.3",
    "react-turnstile": "1.1.4",
    "react-use": "17.6.0",
    "redis": "4.7.0",
+    "sanitize-html": "2.17.0",
    "server-only": "0.0.1",
    "sharp": "0.34.1",
    "stripe": "16.12.0",
@@ -148,6 +149,7 @@
    "@types/nodemailer": "7.0.2",
    "@types/papaparse": "5.3.15",
    "@types/qrcode": "1.5.5",
+    "@types/sanitize-html": "2.16.0",
    "@types/testing-library__react": "10.2.0",
    "@types/ungap__structured-clone": "1.2.0",
    "@vitest/coverage-v8": "3.1.3",