From f9bea9b0cf606eebb1ec86d9322ac916e26bf888 Mon Sep 17 00:00:00 2001
From: Li Yi Yu
Date: Thu, 9 Nov 2023 23:29:19 -0500
Subject: [PATCH] fix(surveys): add a target sanitize to backend (#18536)

* fix(surveys): add a target sanitize to backend

* just target
---
 frontend/src/scenes/surveys/surveyLogic.tsx | 10 +++++-----
 posthog/api/survey.py | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/frontend/src/scenes/surveys/surveyLogic.tsx b/frontend/src/scenes/surveys/surveyLogic.tsx
index df328e14a22bc..4bcc438f669e9 100644
--- a/frontend/src/scenes/surveys/surveyLogic.tsx
+++ b/frontend/src/scenes/surveys/surveyLogic.tsx
@@ -23,7 +23,7 @@ import { eventUsageLogic } from 'lib/utils/eventUsageLogic'
 import { featureFlagLogic } from 'scenes/feature-flags/featureFlagLogic'
 import { featureFlagLogic as enabledFlagLogic } from 'lib/logic/featureFlagLogic'
 import { defaultSurveyFieldValues, NEW_SURVEY, NewSurvey } from './constants'
-import { sanitize } from 'dompurify'
+import { sanitizeHTML } from './utils'
 
 export enum SurveyEditSection {
 Steps = 'steps',
@@ -733,16 +733,16 @@ function sanitizeQuestions(surveyPayload: Partial): Partial {
 return surveyPayload
 }
 
-const sanitizedThankYouHeader = sanitize(surveyPayload.appearance?.thankYouMessageHeader || '')
-const sanitizedThankYouDescription = sanitize(surveyPayload.appearance?.thankYouMessageDescription || '')
+const sanitizedThankYouHeader = sanitizeHTML(surveyPayload.appearance?.thankYouMessageHeader || '')
+const sanitizedThankYouDescription = sanitizeHTML(surveyPayload.appearance?.thankYouMessageDescription || '')
 
 return {
 ...surveyPayload,
 questions: surveyPayload.questions?.map((rawQuestion) => {
 return {
 ...rawQuestion,
-description: sanitize(rawQuestion.description || ''),
-question: sanitize(rawQuestion.question || ''),
+description: sanitizeHTML(rawQuestion.description || ''),
+question: sanitizeHTML(rawQuestion.question || ''),
 }
 }),
 appearance: {
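Review bot: The four changed lines in sanitizeQuestions swap dompurify's `sanitize` for `sanitizeHTML` from './utils', but the hunk gives no hint of what that helper allows, and the server-side allowlist in posthog/api/survey.py (the other file in this patch) is the real trust boundary — a client-side pass can be bypassed by anyone posting directly to the API, so it only shapes what the author sees before saving. That coupling deserves a comment on the function so the two allowlists do not drift apart silently, e.g. `// UX-only pass: the server re-sanitizes with nh3_clean_with_allow_list; keep sanitizeHTML's allowed tags/attributes in sync with it (this change lets target through on <a>)`. Since `sanitizeHTML` is new here, it is worth confirming (I cannot see ./utils) that it strips the same things dompurify did rather than just the tags the survey UI happens to render. The body of sanitizeQuestions continues past the hunk — `appearance: {` is still open on the last line — and the hunk header's signature has lost its generic parameter to rendering.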
diff --git a/posthog/api/survey.py b/posthog/api/survey.py
index 826d7ff043eff..a2b3e8c3fcdd3 100644
--- a/posthog/api/survey.py
+++ b/posthog/api/survey.py
@@ -432,7 +432,7 @@ def nh3_clean_with_allow_list(to_clean: str):
 "*": {"style", "lang", "title", "width", "height"},
 # below are mostly defaults to ammonia, but we need to add them explicitly
 # because this python binding doesn't allow additive allowing
-"a": {"href", "hreflang"},
+"a": {"href", "hreflang", "target"},
 "bdo": {"dir"},
 "blockquote": {"cite"},
 "col": {"align", "char", "charoff", "span"},
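Review bot: Allowing `target` on `<a>` means survey authors can emit `target="_blank"`, and the new line leaves the companion `rel` handling undocumented: `rel` is (correctly) absent from this set, so the link is only protected against reverse tabnabbing if the `nh3.clean(...)` call further down — outside this hunk — keeps `link_rel` at its default of `"noopener noreferrer"`, which nh3/ammonia injects itself and which, as far as I recall, conflicts with also listing `rel` as an allowed attribute; please confirm against the nh3 version pinned in the repo. I would add `# "target" lets authors open links in a new tab; rel is injected by nh3's link_rel (default "noopener noreferrer") and must not be allowed here` above the changed line. A regression test asserting that `<a href="..." target="_blank">` survives cleaning with the `rel` value present would pin that behaviour. The attribute dict and the enclosing `nh3_clean_with_allow_list` both start and end outside the hunk.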