fix(Notes): additional sanitization (#5092)

safe-global · Feb 24, 2025 · 572f7fd · 572f7fd
1 parent 77e764c
commit 572f7fd
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/apps/web/src/features/tx-notes/encodeTxNote.test.ts b/apps/web/src/features/tx-notes/encodeTxNote.test.ts
@@ -28,4 +28,10 @@ describe('encodeTxNote', () => {
     const result = encodeTxNote(note, JSON.stringify({ url }))
     expect(result).toEqual(JSON.stringify({ url, note: 'a'.repeat(172) }, null, 0))
   })
+
+  it('should sanitize the note', () => {
+    const note = '<b>hello<b>'
+    const result = encodeTxNote(note)
+    expect(result).toEqual(JSON.stringify({ note: 'hello' }, null, 0))
+  })
 })
diff --git a/apps/web/src/features/tx-notes/encodeTxNote.ts b/apps/web/src/features/tx-notes/encodeTxNote.ts
@@ -1,6 +1,12 @@
 const MAX_ORIGIN_LENGTH = 200
 
+// Simply strip out any HTML tags from the input in addition to backend sanitization
+function sanitizeInput(input: string): string {
+  return input.replace(/<\/?[^>]+(>|$)/g, '')
+}
+
 export function encodeTxNote(note: string, origin = ''): string {
+  note = sanitizeInput(note)
   let originalOrigin = {}
 
   if (origin) {