From f85d50f1a7b46adf301f0ad8ff0ba2c872181a9b Mon Sep 17 00:00:00 2001
From: Eric Wu <95886809+Eric-B-Wu@users.noreply.github.com>
Date: Tue, 19 Nov 2024 18:48:09 -0500
Subject: [PATCH] fix(Designer): Prevent HTML editor from allowing DOM-based
XSS (#6147)
small fix
---
.../src/lib/html/plugins/toolbar/helper/util.ts | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libs/designer-ui/src/lib/html/plugins/toolbar/helper/util.ts b/libs/designer-ui/src/lib/html/plugins/toolbar/helper/util.ts
index 7fc05fed5c0..13cfaa66dbe 100644
--- a/libs/designer-ui/src/lib/html/plugins/toolbar/helper/util.ts
+++ b/libs/designer-ui/src/lib/html/plugins/toolbar/helper/util.ts
@@ -126,14 +126,14 @@ export const getDomFromHtmlEditorString = (htmlEditorString: string, nodeMap: Ma
// Comments at the start of a DOM are lost when parsing HTML strings, so we wrap the HTML string in a
.
const wrappedHtmlEditorString = `
${htmlEditorString}
`;
- const purifiedHtmlEditorString = DomPurify.sanitize(encodeURIComponent(wrappedHtmlEditorString), { ADD_TAGS: ['#comment'] });
- const encodedHtmlEditorString = encodeStringSegmentTokensInDomContext(decodeURIComponent(purifiedHtmlEditorString), nodeMap);
+ const purifiedHtmlEditorString = DomPurify.sanitize(wrappedHtmlEditorString, { ADD_TAGS: ['#comment'] });
+ const encodedHtmlEditorString = encodeStringSegmentTokensInDomContext(purifiedHtmlEditorString, nodeMap);
- const tempElement = document.createElement('div', {});
- tempElement.innerHTML = encodedHtmlEditorString;
+ const tempElement = document.createElement('div');
+ tempElement.innerHTML = DomPurify.sanitize(encodedHtmlEditorString);
// Unwrap the wrapper
.
- return tempElement.children[0] as HTMLElement;
+ return tempElement.firstElementChild as HTMLElement;
};
export const isAttributeSupportedByHtmlEditor = (tagName: string, attribute: string): boolean => {
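Review bot: The second sanitize call, `tempElement.innerHTML = DomPurify.sanitize(encodedHtmlEditorString);`, omits the `{ ADD_TAGS: ['#comment'] }` option that the first call passes, so DOMPurify's default configuration will drop the comment nodes that the first pass and the wrapper element described in the comment at the top of the hunk exist to preserve — unless encodeStringSegmentTokensInDomContext has already turned those comments into something else, which is not visible here. Passing the same options, `tempElement.innerHTML = DomPurify.sanitize(encodedHtmlEditorString, { ADD_TAGS: ['#comment'] });`, keeps the two passes consistent while still re-sanitizing the output of the encoding step before it reaches innerHTML, which is the right place for the last check since that step runs after the first sanitize. Separately, `return tempElement.firstElementChild as HTMLElement;` hides the case where sanitization leaves no element at all; a guard such as `if (!tempElement.firstElementChild) throw new Error('HTML editor content was empty after sanitization');` before the return, or a `HTMLElement | null` return type, would make that outcome explicit to callers. getDomFromHtmlEditorString begins before this hunk.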