XSS is typically solved via CSP and x-frame-options, plus CORS headers. Wrapping every single
@automaton82 Thanks! Yes, CSP and CORS can be handled in multiple ways. This PR and the Removal of localstorage PR are the first steps towards improving overall security. Additional PRs will be needed to get to the desired state. As we traverse the path towards the desired state, we need to take baby steps to ensure that these modifications do not break backward compatibility. As you rightly pointed out, CSP/CORS would be handled differently if this were a greenfield exercise. Currently, Flowise is used by a number of users in ways that are not fully documented. While the current implementation is slightly messy, it prevents most cases of Reflected XSS. The next PRs will address DOM XSS and Storage XSS along with introducing a basic CSP (violation reporting). Following those changes, we will then implement the final set of changes to enforce policies and lock down the complete application. Hope this note provides some clarity on the overall thinking towards improving security in Flowise.
# Conflicts:
#	packages/server/src/index.ts
I love this newer approach, much cleaner, but the library
This looks like a better library and it's up to date: https://github.com/apostrophecms/sanitize-html.
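The thread contrasts two layers of XSS defence: escaping or sanitizing reflected input at the point it is rendered, and a Content-Security-Policy introduced first in report-only mode so that violations are reported without breaking existing users. The following is an added example written for this discussion; it is not Flowise code and does not use the sanitize-html library mentioned above. The `escapeHtml`, `buildCsp`, `securityHeaders`, `renderSearchPage` and `summarizeCspReport` function names, the `/csp-report` endpoint and the sample violation report are all assumptions constructed for the illustration.

```javascript
'use strict';
// Added example (not Flowise's own code): contextual escaping of reflected input
// plus a report-only CSP header and a reader for the violation reports it produces.

// Escape untrusted text for an HTML text or quoted-attribute context.
// Ampersand is replaced first so the entities produced afterwards are not double-escaped.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Build the CSP value. frame-ancestors covers what X-Frame-Options did in older browsers;
// object-src 'none' and base-uri 'self' close two common bypass paths.
function buildCsp({ reportUri, allowedScriptSources = [] } = {}) {
  const directives = [
    "default-src 'self'",
    `script-src ${["'self'", ...allowedScriptSources].join(' ')}`,
    "object-src 'none'",
    "frame-ancestors 'none'",
    "base-uri 'self'",
  ];
  if (reportUri) directives.push(`report-uri ${reportUri}`);
  return directives.join('; ');
}

// Response headers for a hardening rollout. With reportOnly=true the browser enforces
// nothing and only POSTs violations to reportUri, which is how a policy can be introduced
// without breaking users whose integrations are not documented.
function securityHeaders({ reportOnly = true, reportUri = '/csp-report' } = {}) {
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return {
    [name]: buildCsp({ reportUri }),
    'X-Frame-Options': 'DENY',
  };
}

// A handler that reflects a query parameter into the page; the escape is applied at
// the output sink, regardless of what any input-side sanitizer did earlier.
function renderSearchPage(query) {
  return `<html><body><p>Results for: ${escapeHtml(query)}</p></body></html>`;
}

// Summarize the JSON body a browser POSTs to report-uri, so violations can be logged
// and reviewed before the policy is switched from report-only to enforcing.
function summarizeCspReport(jsonBody) {
  const r = JSON.parse(jsonBody)['csp-report'] || {};
  return {
    directive: r['violated-directive'] || r['effective-directive'] || 'unknown',
    blocked: r['blocked-uri'] || 'unknown',
    page: r['document-uri'] || 'unknown',
  };
}

// Constructed sample report (not captured from a real browser) to show the shape handled above.
const SAMPLE_CSP_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.invalid/chat',
    'violated-directive': "script-src 'self'",
    'blocked-uri': 'inline',
  },
});

module.exports = { escapeHtml, buildCsp, securityHeaders, renderSearchPage, summarizeCspReport, SAMPLE_CSP_REPORT };
```

Deploying `securityHeaders()` with the default `reportOnly: true` produces the `Content-Security-Policy-Report-Only` header, and the `summarizeCspReport` output is what an operator would review before flipping to `reportOnly: false` to enforce the same policy.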