fix(surveys): add a target sanitize to backend (#18536)

* fix(surveys): add a target sanitize to backend * just target
PostHog · Nov 10, 2023 · f9bea9b · f9bea9b
1 parent 0521e2e
commit f9bea9b
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/frontend/src/scenes/surveys/surveyLogic.tsx b/frontend/src/scenes/surveys/surveyLogic.tsx
@@ -23,7 +23,7 @@ import { eventUsageLogic } from 'lib/utils/eventUsageLogic'
 import { featureFlagLogic } from 'scenes/feature-flags/featureFlagLogic'
 import { featureFlagLogic as enabledFlagLogic } from 'lib/logic/featureFlagLogic'
 import { defaultSurveyFieldValues, NEW_SURVEY, NewSurvey } from './constants'
-import { sanitize } from 'dompurify'
+import { sanitizeHTML } from './utils'
 
 export enum SurveyEditSection {
     Steps = 'steps',
@@ -733,16 +733,16 @@ function sanitizeQuestions(surveyPayload: Partial<Survey>): Partial<Survey> {
         return surveyPayload
     }
 
-    const sanitizedThankYouHeader = sanitize(surveyPayload.appearance?.thankYouMessageHeader || '')
-    const sanitizedThankYouDescription = sanitize(surveyPayload.appearance?.thankYouMessageDescription || '')
+    const sanitizedThankYouHeader = sanitizeHTML(surveyPayload.appearance?.thankYouMessageHeader || '')
+    const sanitizedThankYouDescription = sanitizeHTML(surveyPayload.appearance?.thankYouMessageDescription || '')
 
     return {
         ...surveyPayload,
         questions: surveyPayload.questions?.map((rawQuestion) => {
             return {
                 ...rawQuestion,
-                description: sanitize(rawQuestion.description || ''),
-                question: sanitize(rawQuestion.question || ''),
+                description: sanitizeHTML(rawQuestion.description || ''),
+                question: sanitizeHTML(rawQuestion.question || ''),
             }
         }),
         appearance: {

diff --git a/posthog/api/survey.py b/posthog/api/survey.py
@@ -432,7 +432,7 @@ def nh3_clean_with_allow_list(to_clean: str):
             "*": {"style", "lang", "title", "width", "height"},
             # below are mostly defaults to ammonia, but we need to add them explicitly
             # because this python binding doesn't allow additive allowing
-            "a": {"href", "hreflang"},
+            "a": {"href", "hreflang", "target"},
             "bdo": {"dir"},
             "blockquote": {"cite"},
             "col": {"align", "char", "charoff", "span"},