From a05077952334cf4903b4b7b32afad423ae63b28f Mon Sep 17 00:00:00 2001
From: Ahmad <103906421+ahmadk953@users.noreply.github.com>
Date: Sun, 13 Oct 2024 23:42:12 -0400
Subject: [PATCH] Fixed XSS Vulnerability in Image Selector

---
 components/form/form-picker.tsx |  4 +++-
 package.json                    |  2 ++
 yarn.lock                       | 25 +++++++++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/components/form/form-picker.tsx b/components/form/form-picker.tsx
index b14eb1c..1130977 100644
--- a/components/form/form-picker.tsx
+++ b/components/form/form-picker.tsx
@@ -1,5 +1,6 @@
 'use client';
 
+import DOMPurify from 'dompurify';
 import Image from 'next/image';
 import Link from 'next/link';
 
@@ -90,7 +91,8 @@ export const FormPicker = ({ id, errors }: FormPickerProps) => {
             )}
             <Link
               href={
-                image.user.links.html + '?utm_source=Tasko&utm_medium=referral'
+                DOMPurify.sanitize(image.user.links.html) +
+                '?utm_source=Tasko&utm_medium=referral'
               }
               target='_blank'
               className='absolute bottom-0 w-full truncate bg-black/50 p-1 text-[10px] text-white opacity-0 hover:underline group-hover:opacity-100'
diff --git a/package.json b/package.json
index bf38d8d..f57bc05 100644
--- a/package.json
+++ b/package.json
@@ -34,6 +34,7 @@
     "class-variance-authority": "^0.7.0",
     "clsx": "^2.1.1",
     "date-fns": "^4.1.0",
+    "dompurify": "^3.1.7",
     "eslint-plugin-react-compiler": "0.0.0-experimental-7670337-20240918",
     "lodash": "^4.17.21",
     "lucide-react": "^0.451.0",
@@ -54,6 +55,7 @@
   "devDependencies": {
     "@microsoft/eslint-formatter-sarif": "^3.1.0",
     "@next/eslint-plugin-next": "^14.2.15",
+    "@types/dompurify": "^3",
     "@types/lodash": "^4.17.10",
     "@types/node": "^22.7.5",
     "@types/react": "npm:types-react@rc",
diff --git a/yarn.lock b/yarn.lock
index 4d170f1..8f7d4ca 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1677,6 +1677,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/dompurify@npm:^3":
+  version: 3.0.5
+  resolution: "@types/dompurify@npm:3.0.5"
+  dependencies:
+    "@types/trusted-types": "npm:*"
+  checksum: 10c0/a34dcc4498ca250815ccf9aecbe82df96ba5db247d0440cf266a876757d47c52519c240db3475e794d7deb0d6b1af23328e02879be368ad0e26b20c0f0865dba
+  languageName: node
+  linkType: hard
+
 "@types/istanbul-lib-coverage@npm:*, @types/istanbul-lib-coverage@npm:^2.0.0":
   version: 2.0.6
   resolution: "@types/istanbul-lib-coverage@npm:2.0.6"
@@ -1770,6 +1779,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/trusted-types@npm:*":
+  version: 2.0.7
+  resolution: "@types/trusted-types@npm:2.0.7"
+  checksum: 10c0/4c4855f10de7c6c135e0d32ce462419d8abbbc33713b31d294596c0cc34ae1fa6112a2f9da729c8f7a20707782b0d69da3b1f8df6645b0366d08825ca1522e0c
+  languageName: node
+  linkType: hard
+
 "@types/use-sync-external-store@npm:^0.0.3":
   version: 0.0.3
   resolution: "@types/use-sync-external-store@npm:0.0.3"
@@ -2863,6 +2879,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"dompurify@npm:^3.1.7":
+  version: 3.1.7
+  resolution: "dompurify@npm:3.1.7"
+  checksum: 10c0/fcceef2e9f824d712a056fa699b0538f3337f5cf00ccb7227bdc7eba5463823e15d9aecc00a2fd81c726b28a71e7b09f0eb8a2fde1021c40e35f12dc67b66394
+  languageName: node
+  linkType: hard
+
 "dot-case@npm:^3.0.4":
   version: 3.0.4
   resolution: "dot-case@npm:3.0.4"
@@ -6298,6 +6321,7 @@ __metadata:
     "@radix-ui/react-slot": "npm:^1.1.0"
     "@radix-ui/react-tooltip": "npm:^1.1.3"
     "@tanstack/react-query": "npm:^5.59.9"
+    "@types/dompurify": "npm:^3"
     "@types/lodash": "npm:^4.17.10"
     "@types/node": "npm:^22.7.5"
     "@types/react": "npm:types-react@rc"
@@ -6311,6 +6335,7 @@ __metadata:
     class-variance-authority: "npm:^0.7.0"
     clsx: "npm:^2.1.1"
     date-fns: "npm:^4.1.0"
+    dompurify: "npm:^3.1.7"
     eslint: "npm:^8.57.0"
     eslint-config-next: "npm:^15.0.0-rc.0"
     eslint-config-prettier: "npm:^9.1.0"