feedback

adds tests
excel sanitization
2026-05-20 19:48:52 -05:00 · 2026-05-20 12:40:30 +05:30 · 2026-05-19 13:48:30 +05:30 · 2026-05-19 12:41:06 +05:30
29 changed files with 204 additions and 259 deletions
@@ -194,7 +194,7 @@ export const MainNavigation = ({
  const settingsNavigationItem = useMemo(
    () => ({
      name: t("common.settings"),
-      href: `/workspaces/${workspace.id}/settings/workspace/general`,
+      href: `/workspaces/${workspace.id}/settings`,
      icon: SettingsIcon,
      isActive: isSettingsMode,
      disabled: isMembershipPending || isBilling,
@@ -467,7 +467,7 @@ export const MainNavigation = ({
          {isSettingsMode ? (
            <div className="flex flex-col overflow-hidden">
              <div className="mb-2 px-3">
-                <GoBackButton url={`/workspaces/${workspace.id}/surveys`} />
+                <GoBackButton />
              </div>

              {/* Settings sidebar content */}
@@ -335,7 +335,6 @@ export const SettingsSidebarContent = ({
      href: `${basePath}/organization/feedback-directories`,
      icon: <FoldersIcon className={iconClassName} />,
      hidden: isMember,
-      disabled: !isOwnerOrManager,
    },
    {
      id: "org-api-keys",
@@ -374,14 +373,12 @@ export const SettingsSidebarContent = ({
      label: t("common.your_profile"),
      href: `${basePath}/account/profile`,
      icon: <UserCircleIcon className={iconClassName} />,
-      disabled: isBilling,
    },
    {
      id: "notifications",
      label: t("common.notifications"),
      href: `${basePath}/account/notifications`,
      icon: <BellIcon className={iconClassName} />,
-      disabled: isBilling,
    },
  ];

@@ -1,11 +1,4 @@
-import { redirectBillingRoleFromRestrictedSettings } from "@/app/(app)/workspaces/[workspaceId]/settings/lib/redirect-billing-role";
-
-const AccountSettingsLayout = async (props: Readonly<{
-  params: Promise<{ workspaceId: string }>;
-  children: React.ReactNode;
-}>) => {
-  const params = await props.params;
-  await redirectBillingRoleFromRestrictedSettings(params.workspaceId);
+const AccountSettingsLayout = (props: { children: React.ReactNode }) => {
  return <>{props.children}</>;
 };

@@ -1,54 +0,0 @@
-import { redirect } from "next/navigation";
-import { describe, expect, test, vi } from "vitest";
-import { getBillingFallbackPath } from "@/lib/membership/navigation";
-import { getWorkspaceAuth } from "@/modules/workspaces/lib/utils";
-import { redirectBillingRoleFromRestrictedSettings } from "./redirect-billing-role";
-
-const mocks = vi.hoisted(() => ({
-  getBillingFallbackPath: vi.fn(),
-  getWorkspaceAuth: vi.fn(),
-  isFormbricksCloud: false,
-}));
-
-vi.mock("@/lib/constants", () => ({
-  IS_FORMBRICKS_CLOUD: mocks.isFormbricksCloud,
-}));
-
-vi.mock("@/lib/membership/navigation", () => ({
-  getBillingFallbackPath: mocks.getBillingFallbackPath,
-}));
-
-vi.mock("@/modules/workspaces/lib/utils", () => ({
-  getWorkspaceAuth: mocks.getWorkspaceAuth,
-}));
-
-const workspaceId = "workspace-1";
-const billingFallbackPath = `/workspaces/${workspaceId}/settings/organization/billing`;
-
-const getWorkspaceAuthResponse = (isBilling: boolean) =>
-  ({
-    isBilling,
-  }) as Awaited<ReturnType<typeof getWorkspaceAuth>>;
-
-describe("redirectBillingRoleFromRestrictedSettings", () => {
-  test("does not redirect non-billing workspace members", async () => {
-    vi.mocked(getWorkspaceAuth).mockResolvedValue(getWorkspaceAuthResponse(false));
-
-    await expect(redirectBillingRoleFromRestrictedSettings(workspaceId)).resolves.toBeUndefined();
-
-    expect(getWorkspaceAuth).toHaveBeenCalledWith(workspaceId);
-    expect(getBillingFallbackPath).not.toHaveBeenCalled();
-    expect(redirect).not.toHaveBeenCalled();
-  });
-
-  test("redirects billing users to the billing fallback path", async () => {
-    vi.mocked(getWorkspaceAuth).mockResolvedValue(getWorkspaceAuthResponse(true));
-    vi.mocked(getBillingFallbackPath).mockReturnValue(billingFallbackPath);
-
-    await redirectBillingRoleFromRestrictedSettings(workspaceId);
-
-    expect(getWorkspaceAuth).toHaveBeenCalledWith(workspaceId);
-    expect(getBillingFallbackPath).toHaveBeenCalledWith(workspaceId, mocks.isFormbricksCloud);
-    expect(redirect).toHaveBeenCalledWith(billingFallbackPath);
-  });
-});
@@ -1,12 +0,0 @@
-import { redirect } from "next/navigation";
-import { IS_FORMBRICKS_CLOUD } from "@/lib/constants";
-import { getBillingFallbackPath } from "@/lib/membership/navigation";
-import { getWorkspaceAuth } from "@/modules/workspaces/lib/utils";
-
-export const redirectBillingRoleFromRestrictedSettings = async (workspaceId: string): Promise<void> => {
-  const { isBilling } = await getWorkspaceAuth(workspaceId);
-
-  if (isBilling) {
-    redirect(getBillingFallbackPath(workspaceId, IS_FORMBRICKS_CLOUD));
-  }
-};
@@ -1,11 +1,3 @@
-import { redirectBillingRoleFromRestrictedSettings } from "@/app/(app)/workspaces/[workspaceId]/settings/lib/redirect-billing-role";
 import { APIKeysPage } from "@/modules/organization/settings/api-keys/page";

-const Page = async (props: Readonly<{ params: Promise<{ workspaceId: string }> }>) => {
-  const params = await props.params;
-  await redirectBillingRoleFromRestrictedSettings(params.workspaceId);
-
-  return APIKeysPage(props);
-};
-
-export default Page;
+export default APIKeysPage;
@@ -1,18 +1,3 @@
-import { redirect } from "next/navigation";
-import { IS_FORMBRICKS_CLOUD } from "@/lib/constants";
-import { getBillingFallbackPath } from "@/lib/membership/navigation";
 import { PricingPage } from "@/modules/ee/billing/page";
-import { getWorkspaceAuth } from "@/modules/workspaces/lib/utils";

-const Page = async (props: Readonly<{ params: Promise<{ workspaceId: string }> }>) => {
-  const params = await props.params;
-  const { isBilling } = await getWorkspaceAuth(params.workspaceId);
-
-  if (isBilling && !IS_FORMBRICKS_CLOUD) {
-    redirect(getBillingFallbackPath(params.workspaceId, IS_FORMBRICKS_CLOUD));
-  }
-
-  return PricingPage(props);
-};
-
-export default Page;
+export default PricingPage;
@@ -1,7 +1,6 @@
 import { notFound } from "next/navigation";
 import { AuthenticationError } from "@formbricks/types/errors";
 import { SettingsCard } from "@/app/(app)/workspaces/[workspaceId]/settings/components/SettingsCard";
-import { redirectBillingRoleFromRestrictedSettings } from "@/app/(app)/workspaces/[workspaceId]/settings/lib/redirect-billing-role";
 import { PrettyUrlsTable } from "@/app/(app)/workspaces/[workspaceId]/settings/organization/domain/components/pretty-urls-table";
 import { IS_FORMBRICKS_CLOUD, IS_STORAGE_CONFIGURED } from "@/lib/constants";
 import { getTranslate } from "@/lingodotdev/server";
@@ -13,9 +12,8 @@ import { PageContentWrapper } from "@/modules/ui/components/page-content-wrapper
 import { PageHeader } from "@/modules/ui/components/page-header";
 import { getWorkspaceAuth } from "@/modules/workspaces/lib/utils";

-const Page = async (props: Readonly<{ params: Promise<{ workspaceId: string }> }>) => {
+const Page = async (props: { params: Promise<{ workspaceId: string }> }) => {
  const params = await props.params;
-  await redirectBillingRoleFromRestrictedSettings(params.workspaceId);
  const t = await getTranslate();

  if (IS_FORMBRICKS_CLOUD) {
@@ -1,10 +1,9 @@
 import { CheckIcon } from "lucide-react";
 import Link from "next/link";
-import { notFound, redirect } from "next/navigation";
+import { notFound } from "next/navigation";
 import { EnterpriseLicenseFeaturesTable } from "@/app/(app)/workspaces/[workspaceId]/settings/organization/enterprise/components/EnterpriseLicenseFeaturesTable";
 import { EnterpriseLicenseStatus } from "@/app/(app)/workspaces/[workspaceId]/settings/organization/enterprise/components/EnterpriseLicenseStatus";
 import { ENTERPRISE_LICENSE_REQUEST_FORM_URL, IS_FORMBRICKS_CLOUD } from "@/lib/constants";
-import { getBillingFallbackPath } from "@/lib/membership/navigation";
 import { getTranslate } from "@/lingodotdev/server";
 import { GRACE_PERIOD_MS, getEnterpriseLicense } from "@/modules/ee/license-check/lib/license";
 import { Button } from "@/modules/ui/components/button";
@@ -12,19 +11,15 @@ import { PageContentWrapper } from "@/modules/ui/components/page-content-wrapper
 import { PageHeader } from "@/modules/ui/components/page-header";
 import { getWorkspaceAuth } from "@/modules/workspaces/lib/utils";

-const Page = async (props: Readonly<{ params: Promise<{ workspaceId: string }> }>) => {
+const Page = async (props: { params: Promise<{ workspaceId: string }> }) => {
  const params = await props.params;
  const t = await getTranslate();
-  const { isBilling, isMember } = await getWorkspaceAuth(params.workspaceId);
-
-  if (isBilling && IS_FORMBRICKS_CLOUD) {
-    redirect(getBillingFallbackPath(params.workspaceId, IS_FORMBRICKS_CLOUD));
-  }
-
  if (IS_FORMBRICKS_CLOUD) {
    return notFound();
  }

+  const { isMember } = await getWorkspaceAuth(params.workspaceId);
+
  const isPricingDisabled = isMember;

  if (isPricingDisabled) {
@@ -1,11 +1 @@
-import { redirectBillingRoleFromRestrictedSettings } from "@/app/(app)/workspaces/[workspaceId]/settings/lib/redirect-billing-role";
-import { FeedbackDirectoriesPage } from "@/modules/ee/feedback-directory/page";
-
-const Page = async (props: Readonly<{ params: Promise<{ workspaceId: string }> }>) => {
-  const params = await props.params;
-  await redirectBillingRoleFromRestrictedSettings(params.workspaceId);
-
-  return FeedbackDirectoriesPage(props);
-};
-
-export default Page;
+export { FeedbackDirectoriesPage as default } from "@/modules/ee/feedback-directory/page";
@@ -1,4 +1,3 @@
-import { redirectBillingRoleFromRestrictedSettings } from "@/app/(app)/workspaces/[workspaceId]/settings/lib/redirect-billing-role";
 import { isInstanceAIConfigured } from "@/lib/ai/service";
 import {
  ENTERPRISE_LICENSE_REQUEST_FORM_URL,
@@ -27,9 +26,8 @@ import { DeleteOrganization } from "./components/DeleteOrganization";
 import { EditOrganizationNameForm } from "./components/EditOrganizationNameForm";
 import { SecurityListTip } from "./components/SecurityListTip";

-const Page = async (props: Readonly<{ params: Promise<{ workspaceId: string }> }>) => {
+const Page = async (props: { params: Promise<{ workspaceId: string }> }) => {
  const params = await props.params;
-  await redirectBillingRoleFromRestrictedSettings(params.workspaceId);
  const t = await getTranslate();

  const { session, currentUserMembership, organization, isOwner, isManager } = await getWorkspaceAuth(
@@ -1,11 +1,3 @@
-import { redirectBillingRoleFromRestrictedSettings } from "@/app/(app)/workspaces/[workspaceId]/settings/lib/redirect-billing-role";
 import { TeamsPage } from "@/modules/organization/settings/teams/page";

-const Page = async (props: Readonly<{ params: Promise<{ workspaceId: string }> }>) => {
-  const params = await props.params;
-  await redirectBillingRoleFromRestrictedSettings(params.workspaceId);
-
-  return TeamsPage(props);
-};
-
-export default Page;
+export default TeamsPage;
@@ -1,9 +1,7 @@
 import { redirect } from "next/navigation";
-import { redirectBillingRoleFromRestrictedSettings } from "@/app/(app)/workspaces/[workspaceId]/settings/lib/redirect-billing-role";

-const Page = async (props: Readonly<{ params: Promise<{ workspaceId: string }> }>) => {
+const Page = async (props: { params: Promise<{ workspaceId: string }> }) => {
  const params = await props.params;
-  await redirectBillingRoleFromRestrictedSettings(params.workspaceId);
  return redirect(`/workspaces/${params.workspaceId}/settings/workspace/general`);
 };

@@ -11,7 +11,6 @@ import {
  ContactIcon,
  EyeOff,
  FlagIcon,
-  GaugeIcon,
  GlobeIcon,
  GridIcon,
  HashIcon,
@@ -26,7 +25,6 @@ import {
  NetworkIcon,
  PieChartIcon,
  Rows3Icon,
-  SmilePlusIcon,
  SmartphoneIcon,
  StarIcon,
  User,
@@ -105,8 +103,6 @@ const elementIcons = {
  [TSurveyElementTypeEnum.PictureSelection]: ImageIcon,
  [TSurveyElementTypeEnum.Matrix]: GridIcon,
  [TSurveyElementTypeEnum.Ranking]: ListOrderedIcon,
-  [TSurveyElementTypeEnum.CSAT]: SmilePlusIcon,
-  [TSurveyElementTypeEnum.CES]: GaugeIcon,
  [TSurveyElementTypeEnum.Address]: HomeIcon,
  [TSurveyElementTypeEnum.ContactInfo]: ContactIcon,

@@ -103,7 +103,6 @@ describe("getWorkspaceStateData", () => {
        id: workspaceId,
        appSetupCompleted: true,
        workspaceSettings: {
-          id: workspaceId,
          recontactDays: 30,
          clickOutsideClose: true,
          overlay: "none",
@@ -112,14 +111,7 @@ describe("getWorkspaceStateData", () => {
          styling: { allowStyleOverwrite: false },
        },
      },
-      // `survey.name` is replaced with a back-compat placeholder; segment was
-      // null in the mock so the sanitized segment stays null.
-      surveys: [
-        {
-          ...mockWorkspaceData.surveys[0],
-          name: "[deprecated] survey name omitted from public API - will be removed soon",
-        },
-      ],
+      surveys: mockWorkspaceData.surveys,
      actionClasses: mockWorkspaceData.actionClasses,
    });

@@ -219,7 +211,6 @@ describe("getWorkspaceStateData", () => {
    const result = await getWorkspaceStateData(workspaceId);

    expect(result.workspace.workspaceSettings).toEqual({
-      id: workspaceId,
      recontactDays: 14,
      clickOutsideClose: false,
      overlay: "dark",
@@ -42,7 +42,6 @@ export const getWorkspaceStateData = async (workspaceId: string): Promise<Worksp
      where: { id: workspaceId },
      select: {
        id: true,
-        legacyEnvironmentId: true,
        appSetupCompleted: true,
        recontactDays: true,
        clickOutsideClose: true,
@@ -73,9 +72,7 @@ export const getWorkspaceStateData = async (workspaceId: string): Promise<Worksp
          select: {
            id: true,
            welcomeCard: true,
-            // `name` deliberately not selected — internal label not needed by the
-            // SDK and replaced with a fixed placeholder below so older SDKs that
-            // decoded `Survey.name` as a required field keep working.
+            // name intentionally omitted — internal label not needed by the SDK
            questions: true,
            blocks: true,
            variables: true,
@@ -102,9 +99,9 @@ export const getWorkspaceStateData = async (workspaceId: string): Promise<Worksp
            styling: true,
            status: true,
            recaptcha: true,
-            // Only need to know if any filters exist so we can compute
-            // `hasFilters`. Real filter values, segment title/description, and
-            // surveys-list relation are never exposed to clients.
+            // Fetch only what's needed to compute the minimal segment shape.
+            // Titles, descriptions, and filter conditions are evaluated server-side
+            // and must not be sent to the browser.
            segment: {
              select: {
                id: true,
@@ -138,46 +135,17 @@ export const getWorkspaceStateData = async (workspaceId: string): Promise<Worksp
      throw new ResourceNotFoundError("workspace", workspaceId);
    }

-    // Backwards-compat response shape for SDKs from before PR #7931. Those
-    // clients decoded `survey.name` and the full `segment` object as required
-    // fields, so the response must still carry that shape — but every field
-    // that could leak sensitive targeting data is replaced with a placeholder.
-    // The actual segment-membership check happens server-side (segment IDs in
-    // POST /user); SDKs only inspect `filters.length` / `hasFilters` locally.
-    //
-    // `environmentId` mirrors `legacyEnvironmentId ?? workspace.id`, matching
-    // the `/me` endpoints' pattern so migrated workspaces keep returning the
-    // original env ID older clients persisted.
-    const legacyOrCurrentId = workspaceData.legacyEnvironmentId ?? workspaceData.id;
-    const placeholderDate = new Date(0);
-    const placeholderFilter = {
-      id: "placeholder",
-      connector: null,
-      resource: {
-        id: "placeholder",
-        root: { type: "device", deviceType: "phone" },
-        value: "deprecated",
-        qualifier: { operator: "equals" },
-      },
-    };
-
+    // Transform surveys using the shared utility, then replace the segment with
+    // the minimal public shape (id + hasFilters). We null out segment before
+    // calling transformPrismaSurvey because that function expects a surveys[]
+    // relation on the segment object (used by the management API), which we
+    // intentionally don't fetch here.
    const transformedSurveys = workspaceData.surveys.map((survey) => {
-      const realHasFilters =
-        Array.isArray(survey.segment?.filters) && (survey.segment.filters as unknown[]).length > 0;
-
-      const sanitizedSegment = survey.segment
+      const minimalSegment = survey.segment
        ? {
            id: survey.segment.id,
-            title: "[deprecated] segment title omitted from public API - will be removed soon",
-            description: null,
-            isPrivate: true,
-            filters: realHasFilters ? [placeholderFilter] : [],
-            environmentId: legacyOrCurrentId,
-            workspaceId: legacyOrCurrentId,
-            createdAt: placeholderDate,
-            updatedAt: placeholderDate,
-            surveys: [],
-            hasFilters: realHasFilters,
+            hasFilters:
+              Array.isArray(survey.segment.filters) && (survey.segment.filters as unknown[]).length > 0,
          }
        : null;

@@ -187,11 +155,7 @@ export const getWorkspaceStateData = async (workspaceId: string): Promise<Worksp
        segment: null,
      });

-      return {
-        ...transformed,
-        name: "[deprecated] survey name omitted from public API - will be removed soon",
-        segment: sanitizedSegment,
-      };
+      return { ...transformed, segment: minimalSegment };
    });

    return {
@@ -199,7 +163,6 @@ export const getWorkspaceStateData = async (workspaceId: string): Promise<Worksp
        id: workspaceData.id,
        appSetupCompleted: workspaceData.appSetupCompleted,
        workspaceSettings: {
-          id: workspaceData.id,
          recontactDays: workspaceData.recontactDays,
          clickOutsideClose: workspaceData.clickOutsideClose,
          overlay: workspaceData.overlay,
@@ -208,11 +171,7 @@ export const getWorkspaceStateData = async (workspaceId: string): Promise<Worksp
          styling: resolveStorageUrlsInObject(workspaceData.styling),
        },
      },
-      // The runtime shape carries extra back-compat fields (placeholder
-      // segment, `hasFilters`, mirrored `environmentId`) that aren't part of
-      // the modern `TJsWorkspaceStateSurvey`. Cast through unknown — this is
-      // intentional and only this endpoint's response widens the type.
-      surveys: resolveStorageUrlsInObject(transformedSurveys) as unknown as TJsWorkspaceStateSurvey[],
+      surveys: resolveStorageUrlsInObject(transformedSurveys),
      actionClasses: workspaceData.actionClasses,
    };
  } catch (error) {
@@ -104,11 +104,7 @@ export const createResponse = async (

    const ttc = initialTtc ? (finished ? calculateTtcTotal(initialTtc) : initialTtc) : {};

-    const prismaData = buildPrismaResponseData(
-      { ...responseInput, createdAt: undefined, updatedAt: undefined },
-      contact,
-      ttc
-    );
+    const prismaData = buildPrismaResponseData(responseInput, contact, ttc);

    const prismaClient = tx ?? prisma;

@@ -49,7 +49,18 @@ const buildPrismaResponseData = (
  contact: { id: string; attributes: TContactAttributes } | null,
  ttc: Record<string, number>
 ): Prisma.ResponseCreateInput => {
-  const { surveyId, displayId, finished, data, language, meta, singleUseId, variables } = responseInput;
+  const {
+    surveyId,
+    displayId,
+    finished,
+    data,
+    language,
+    meta,
+    singleUseId,
+    variables,
+    createdAt,
+    updatedAt,
+  } = responseInput;

  return {
    survey: {
@@ -73,6 +84,8 @@ const buildPrismaResponseData = (
    singleUseId,
    ...(variables && { variables }),
    ttc: ttc,
+    createdAt,
+    updatedAt,
  };
 };

@@ -38,6 +38,50 @@ describe("convertToCsv", () => {

    parseSpy.mockRestore();
  });
+
+  test("should defang formula injection payloads in cell values", async () => {
+    const payloads = [
+      '=HYPERLINK("https://evil.tld","Click")',
+      "+1+1",
+      "-2+3",
+      "@SUM(A1:A2)",
+      "\tleading-tab",
+      "\rleading-cr",
+    ];
+    const rows = payloads.map((p) => ({ name: p, age: 0 }));
+    const csv = await convertToCsv(["name", "age"], rows);
+    const lines = csv.trim().split("\n").slice(1); // drop header
+    payloads.forEach((p, i) => {
+      // each value should be prefixed with a single quote so the spreadsheet
+      // app treats it as text rather than a formula
+      expect(lines[i].startsWith(`"'${p.charAt(0)}`)).toBe(true);
+    });
+  });
+
+  test("should defang formula injection in field/header names", async () => {
+    const csv = await convertToCsv(["=evil", "age"], [{ "=evil": "x", age: 1 }]);
+    const lines = csv.trim().split("\n");
+    expect(lines[0]).toBe('"\'=evil","age"');
+    expect(lines[1]).toBe('"x",1');
+  });
+
+  test("should not alter benign strings", async () => {
+    const csv = await convertToCsv(["name"], [{ name: "Alice = Bob" }]);
+    const lines = csv.trim().split("\n");
+    expect(lines[1]).toBe('"Alice = Bob"');
+  });
+
+  test("should preserve distinct columns whose labels collide after sanitization", async () => {
+    // "=field" and "'=field" both render as "'=field" once defanged, but the
+    // underlying row keys must stay distinct so neither cell is dropped.
+    const csv = await convertToCsv(
+      ["=field", "'=field"],
+      [{ "=field": "a", "'=field": "b" }]
+    );
+    const lines = csv.trim().split("\n");
+    expect(lines[0]).toBe('"\'=field","\'=field"');
+    expect(lines[1]).toBe('"a","b"');
+  });
 });

 describe("convertToXlsxBuffer", () => {
@@ -60,4 +104,54 @@ describe("convertToXlsxBuffer", () => {
    const cleaned = raw.map(({ __rowNum__, ...rest }) => rest);
    expect(cleaned).toEqual(data);
  });
+
+  test("should defang formula injection payloads in xlsx cells", () => {
+    const payloads = [
+      '=HYPERLINK("https://evil.tld","Click")',
+      "+1+1",
+      "-2+3",
+      "@SUM(A1:A2)",
+      "\tleading-tab",
+      "\rleading-cr",
+    ];
+    const rows = payloads.map((p) => ({ name: p }));
+    const buffer = convertToXlsxBuffer(["name"], rows);
+    const wb = xlsx.read(buffer, { type: "buffer" });
+    const sheet = wb.Sheets["Sheet1"];
+    payloads.forEach((p, i) => {
+      const cell = sheet[`A${i + 2}`]; // row 1 is header
+      // value stored as plain text, not as a formula (no `f` property)
+      expect(cell.f).toBeUndefined();
+      expect(cell.v).toBe(`'${p}`);
+    });
+  });
+
+  test("should defang formula injection in xlsx header names", () => {
+    const buffer = convertToXlsxBuffer(["=evil", "name"], [{ "=evil": "x", name: "Alice" }]);
+    const wb = xlsx.read(buffer, { type: "buffer" });
+    const sheet = wb.Sheets["Sheet1"];
+    const headerCell = sheet["A1"];
+    expect(headerCell.f).toBeUndefined();
+    expect(headerCell.v).toBe("'=evil");
+    // benign header untouched
+    expect(sheet["B1"].v).toBe("name");
+    // data row mapped via original key
+    expect(sheet["A2"].v).toBe("x");
+    expect(sheet["B2"].v).toBe("Alice");
+  });
+
+  test("should preserve distinct xlsx columns whose labels collide after sanitization", () => {
+    // Original keys "=field" and "'=field" both render as "'=field"; ensure
+    // both cells survive instead of one overwriting the other.
+    const buffer = convertToXlsxBuffer(
+      ["=field", "'=field"],
+      [{ "=field": "a", "'=field": "b" }]
+    );
+    const wb = xlsx.read(buffer, { type: "buffer" });
+    const sheet = wb.Sheets["Sheet1"];
+    expect(sheet["A1"].v).toBe("'=field");
+    expect(sheet["B1"].v).toBe("'=field");
+    expect(sheet["A2"].v).toBe("a");
+    expect(sheet["B2"].v).toBe("b");
+  });
 });
@@ -2,11 +2,30 @@ import { AsyncParser } from "@json2csv/node";
 import * as xlsx from "xlsx";
 import { logger } from "@formbricks/logger";

+// Defang spreadsheet formula injection. Cell values starting with
+// =, +, -, @, tab, or CR are evaluated as formulas by Excel/Sheets/Numbers.
+// Sanitize at the render boundary only — never rewrite row keys, since
+// distinct user-controlled labels could collide after prefixing (e.g.
+// "=field" and "'=field" both map to "'=field"), dropping cell data.
+const FORMULA_TRIGGER = /^[=+\-@\t\r]/;
+
+const sanitizeFormulaInjection = <T>(value: T): T => {
+  if (typeof value === "string" && FORMULA_TRIGGER.test(value)) {
+    return `'${value}` as T;
+  }
+  return value;
+};
+
 export const convertToCsv = async (fields: string[], jsonData: Record<string, string | number>[]) => {
  let csv: string = "";

+  // Field descriptors preserve the original lookup key while overriding the
+  // rendered label and cell value with sanitized versions.
  const parser = new AsyncParser({
-    fields,
+    fields: fields.map((name) => ({
+      label: sanitizeFormulaInjection(name),
+      value: (row: Record<string, string | number>) => sanitizeFormulaInjection(row[name]),
+    })),
  });

  try {
@@ -23,8 +42,13 @@ export const convertToXlsxBuffer = (
  fields: string[],
  jsonData: Record<string, string | number>[]
 ): Buffer => {
+  // Build as array-of-arrays so original row keys are looked up before
+  // sanitization is applied to the rendered header/cell only.
+  const headerRow = fields.map(sanitizeFormulaInjection);
+  const dataRows = jsonData.map((row) => fields.map((name) => sanitizeFormulaInjection(row[name])));
+
  const wb = xlsx.utils.book_new();
-  const ws = xlsx.utils.json_to_sheet(jsonData, { header: fields });
+  const ws = xlsx.utils.aoa_to_sheet([headerRow, ...dataRows]);
  xlsx.utils.book_append_sheet(wb, ws, "Sheet1");
  return xlsx.write(wb, { type: "buffer", bookType: "xlsx" });
 };
@@ -5,14 +5,9 @@ import { useRouter } from "next/navigation";
 import { useTranslation } from "react-i18next";
 import { Button } from "@/modules/ui/components/button";

-interface GoBackButtonProps {
-  url?: string;
-}
-
-export const GoBackButton = ({ url }: Readonly<GoBackButtonProps>) => {
+export const GoBackButton = ({ url }: { url?: string }) => {
  const router = useRouter();
  const { t } = useTranslation();
-
  return (
    <Button
      size="sm"
@@ -22,7 +17,6 @@ export const GoBackButton = ({ url }: Readonly<GoBackButtonProps>) => {
          router.push(url);
          return;
        }
-
        router.back();
      }}>
      <ArrowLeftIcon />
@@ -92,26 +92,6 @@ This function allows rendering values dynamically.
    {{- end }}
 {{- end }}

-{{/*
-Render a Kubernetes EnvVar from chart env maps.
-Scalar values become quoted string values. Map values are rendered as EnvVar fields,
-which keeps advanced forms such as valueFrom supported.
-*/}}
-{{- define "formbricks.envVarValue" -}}
-{{- $value := .value -}}
-{{- if kindIs "map" $value -}}
-{{- include "formbricks.tplvalues.render" (dict "value" $value "context" .context) -}}
-{{- else if kindIs "invalid" $value -}}
-value: ""
-{{- else -}}
-value: {{ include "formbricks.tplvalues.render" (dict "value" (toString $value) "context" .context) | trim | quote }}
-{{- end -}}
-{{- end }}
-
-{{- define "formbricks.envVar" -}}
- name: {{ include "formbricks.tplvalues.render" (dict "value" .name "context" .context) }}
-  {{- include "formbricks.envVarValue" (dict "value" .value "context" .context) | nindent 2 }}
-{{- end }}

 {{/*
 Allow the release namespace to be overridden.
@@ -97,7 +97,12 @@ spec:
          {{- end }}
          env:
            {{- range $key, $value := .Values.cube.env }}
-            {{- include "formbricks.envVar" (dict "name" $key "value" $value "context" $) | nindent 12 }}
+            - name: {{ include "formbricks.tplvalues.render" ( dict "value" $key "context" $ ) }}
+              {{- if kindIs "string" $value }}
+              value: {{ include "formbricks.tplvalues.render" ( dict "value" $value "context" $ ) | quote }}
+              {{- else }}
+              {{- toYaml $value | nindent 14 }}
+              {{- end }}
            {{- end }}
          volumeMounts:
            - name: cube-config
@@ -136,7 +136,12 @@ spec:
              value: "http://{{ include "formbricks.hubname" . }}:8080"
            {{- end }}
            {{- range $key, $value := .Values.deployment.env }}
-            {{- include "formbricks.envVar" (dict "name" $key "value" $value "context" $) | nindent 12 }}
+            - name: {{ include "formbricks.tplvalues.render" ( dict "value" $key "context" $ ) }}
+              {{- if kindIs "string" $value }}
+              value: {{ include "formbricks.tplvalues.render" ( dict "value" $value "context" $ ) | quote }}
+              {{- else }}
+              {{- toYaml $value | nindent 14 }}
+              {{- end }}
            {{- end }}
          {{- if .Values.deployment.resources }}
          resources:
@@ -73,7 +73,8 @@ spec:
            {{- include "formbricks.hubEmbeddingEnv" (dict "root" $ "env" .Values.hub.env) | nindent 12 }}
            {{- range $key, $value := .Values.hub.env }}
            {{- if not (and $.Values.hub.embeddings.enabled (include "formbricks.hubEmbeddingEnvManaged" (dict "key" $key))) }}
-            {{- include "formbricks.envVar" (dict "name" $key "value" $value "context" $) | nindent 12 }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
            {{- end }}
            {{- end }}
          {{- if .Values.hub.resources }}
@@ -129,7 +129,8 @@ spec:
            {{- end }}
            {{- range $key, $value := .Values.hub.embeddings.env }}
            {{- if not (or (and $.Values.hub.embeddings.auth.enabled (eq $key "API_KEY")) (and (or $.Values.hub.embeddings.huggingFace.existingSecret $.Values.hub.embeddings.huggingFace.token) (eq $key "HF_TOKEN"))) }}
-            {{- include "formbricks.envVar" (dict "name" $key "value" $value "context" $) | nindent 12 }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
            {{- end }}
            {{- end }}
          {{- end }}
@@ -90,12 +90,14 @@ spec:
            {{- include "formbricks.hubEmbeddingEnv" (dict "root" $ "env" $workerEnv) | nindent 12 }}
            {{- range $key, $value := .Values.hub.env }}
            {{- if and (not (hasKey $.Values.hub.worker.env $key)) (not (and $.Values.hub.embeddings.enabled (include "formbricks.hubEmbeddingEnvManaged" (dict "key" $key)))) }}
-            {{- include "formbricks.envVar" (dict "name" $key "value" $value "context" $) | nindent 12 }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
            {{- end }}
            {{- end }}
            {{- range $key, $value := .Values.hub.worker.env }}
            {{- if not (and $.Values.hub.embeddings.enabled (include "formbricks.hubEmbeddingEnvManaged" (dict "key" $key))) }}
-            {{- include "formbricks.envVar" (dict "name" $key "value" $value "context" $) | nindent 12 }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
            {{- end }}
            {{- end }}
          {{- end }}
@@ -82,7 +82,12 @@ spec:
          {{- end }}
          env:
            {{- range $key, $value := .Values.deployment.env }}
-            {{- include "formbricks.envVar" (dict "name" $key "value" $value "context" $) | nindent 12 }}
+            - name: {{ include "formbricks.tplvalues.render" ( dict "value" $key "context" $ ) }}
+              {{- if kindIs "string" $value }}
+              value: {{ include "formbricks.tplvalues.render" ( dict "value" $value "context" $ ) | quote }}
+              {{- else }}
+              {{- toYaml $value | nindent 14 }}
+              {{- end }}
            {{- end }}
          {{- if .Values.migration.resources }}
          resources:
@@ -1,13 +1,14 @@
 import { z } from "zod";
 import { ZActionClass } from "./action-classes";
 import { ZId } from "./common";
+import { ZJsWorkspaceStateSegment } from "./segment";
 import { ZUploadFileConfig } from "./storage";
 import { ZSurveyBase, surveyRefinement } from "./surveys/types";
 import { ZWorkspace } from "./workspace";

 export const ZJsWorkspaceStateSurvey = ZSurveyBase.pick({
  id: true,
-  name: true,
+  // name intentionally omitted — internal label, not needed by SDK
  welcomeCard: true,
  questions: true,
  blocks: true,
@@ -19,7 +20,7 @@ export const ZJsWorkspaceStateSurvey = ZSurveyBase.pick({
  autoClose: true,
  styling: true,
  status: true,
-  segment: true,
+  // segment intentionally omitted from pick — replaced with minimal shape below
  recontactDays: true,
  displayLimit: true,
  displayOption: true,
@@ -31,9 +32,16 @@ export const ZJsWorkspaceStateSurvey = ZSurveyBase.pick({
  isBackButtonHidden: true,
  isAutoProgressingEnabled: true,
  recaptcha: true,
-}).superRefine((survey, ctx) => {
-  surveyRefinement(survey as z.infer<typeof ZSurveyBase>, ctx);
-});
+})
+  .extend({
+    // Only expose what the SDK needs: segment ID for membership check + whether any filters exist.
+    // Full filter logic (titles, descriptions, conditions) is evaluated server-side and must not
+    // be sent to the browser to avoid leaking sensitive targeting data.
+    segment: ZJsWorkspaceStateSegment.nullable(),
+  })
+  .superRefine((survey, ctx) => {
+    surveyRefinement(survey as z.infer<typeof ZSurveyBase>, ctx);
+  });

 export type TJsWorkspaceStateSurvey = z.infer<typeof ZJsWorkspaceStateSurvey>;

@@ -48,7 +56,6 @@ export const ZJsWorkspaceStateActionClass = ZActionClass.pick({
 export type TJsWorkspaceStateActionClass = z.infer<typeof ZJsWorkspaceStateActionClass>;

 export const ZJsWorkspaceStateWorkspaceSetting = ZWorkspace.pick({
-  id: true,
  recontactDays: true,
  clickOutsideClose: true,
  overlay: true,
Author	SHA1	Message	Date
pandeymangg	aa398f1a1d	feedback	2026-05-20 12:40:30 +05:30
pandeymangg	d90482212a	adds tests	2026-05-19 13:48:30 +05:30
pandeymangg	1e0d003dd6	excel sanitization	2026-05-19 12:41:06 +05:30