🔒 Use sanitizeUrl on redirectPath auth param (#1389)

baptisteArno · Mar 25, 2024 · d0be29e · d0be29e
1 parent 2bd1cb7
commit d0be29e
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 1 deletion.
diff --git a/apps/builder/package.json b/apps/builder/package.json
@@ -13,6 +13,7 @@
     "format:check": "prettier --check ./src"
   },
   "dependencies": {
+    "@braintree/sanitize-url": "7.0.1",
     "@chakra-ui/anatomy": "2.1.1",
     "@chakra-ui/react": "2.7.1",
     "@chakra-ui/theme-tools": "2.0.18",

diff --git a/apps/builder/src/features/auth/components/SignInForm.tsx b/apps/builder/src/features/auth/components/SignInForm.tsx
@@ -28,10 +28,12 @@ import { useToast } from '@/hooks/useToast'
 import { TextLink } from '@/components/TextLink'
 import { SignInError } from './SignInError'
 import { useTranslate } from '@tolgee/react'
+import { sanitizeUrl } from '@braintree/sanitize-url'
 
 type Props = {
   defaultEmail?: string
 }
+
 export const SignInForm = ({
   defaultEmail,
 }: Props & HTMLChakraProps<'form'>) => {
@@ -55,7 +57,8 @@ export const SignInForm = ({
 
   useEffect(() => {
     if (status === 'authenticated') {
-      router.replace(router.query.redirectPath?.toString() ?? '/typebots')
+      const redirectPath = router.query.redirectPath?.toString()
+      router.replace(redirectPath ? sanitizeUrl(redirectPath) : '/typebots')
       return
     }
     ;(async () => {

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml