typebot.io/apps/builder/package.json
Baptiste Arnaud 2c3fc7267a
🐛 Fix stored XSS via javascript: URI in bubble links (GHSA-hqmv-v56g-4m47) (#2435)
## Summary
- Fix stored XSS vulnerability where `javascript:` URIs in text bubble
links, image click links, and toast popup links could execute arbitrary
JS in visitors' browsers
- Add `sanitizeUrl` utility that allowlists only `http:`, `https:`,
`mailto:`, and `tel:` protocols
- Add explicit `typecheck` Nx targets for `builder` and `viewer`
(Next.js projects don't get one inferred by `@nx/js/typescript`)
- Bump `@typebot.io/js` and `@typebot.io/react` to `0.10.1`

## Test plan
- [ ] Create a bot with a text bubble link set to `javascript:alert(1)`
and verify it renders as `#`
- [ ] Same test with an image click link
- [ ] Verify normal `https://` links still work
- [ ] Run `bunx nx typecheck builder` and `bunx nx typecheck viewer`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 17:46:09 +02:00


{
"name": "builder",
"private": true,
"engines": {
"node": "24.x"
},
"nx": {
"targets": {
"dev": {
"dependsOn": [
{
"projects": [
"@typebot.io/react"
],
"target": "build"
}
]
},
"typecheck": {
"executor": "nx:run-commands",
"inputs": [
"default",
"^default"
],
"dependsOn": [
"^typecheck"
],
"options": {
"cwd": "apps/builder",
"command": "tsc --noEmit"
}
},
"test": {
"executor": "nx:run-commands",
"inputs": [
"default",
"^default"
],
"options": {
"cwd": "apps/builder",
"command": "bun test"
}
}
}
},
"dependencies": {
"@auth/core": "^0.39.1",
"@braintree/sanitize-url": "^7.0.1",
"@dnd-kit/helpers": "^0.1.21",
"@dnd-kit/react": "^0.1.21",
"@effect/opentelemetry": "4.0.0-beta.38",
"@giphy/js-fetch-api": "^5.7.0",
"@giphy/react-components": "^10.1.0",
"@opentelemetry/exporter-trace-otlp-http": "^0.211.0",
"@opentelemetry/sdk-node": "^0.212.0",
"@opentelemetry/sdk-trace-base": "^2.5.0",
"@orpc/client": "^1.13.9",
"@orpc/openapi": "^1.13.9",
"@orpc/otel": "^1.13.9",
"@orpc/server": "^1.13.9",
"@orpc/tanstack-query": "^1.13.9",
"@orpc/zod": "^1.13.9",
"@paralleldrive/cuid2": "^2.2.1",
"@sentry/nextjs": "^10.43.0",
"@tanstack/react-query": "^5.80.6",
"@tanstack/react-table": "^8.9.3",
"@tolgee/format-icu": "^6.2.7",
"@tolgee/react": "^6.2.7",
"@typebot.io/auth": "workspace:*",
"@typebot.io/blocks-bubbles": "workspace:*",
"@typebot.io/blocks-core": "workspace:*",
"@typebot.io/blocks-inputs": "workspace:*",
"@typebot.io/blocks-integrations": "workspace:*",
"@typebot.io/blocks-logic": "workspace:*",
"@typebot.io/bot-engine": "workspace:*",
"@typebot.io/chat-api": "workspace:*",
"@typebot.io/chat-session": "workspace:*",
"@typebot.io/conditions": "workspace:*",
"@typebot.io/config": "workspace:*",
"@typebot.io/credentials": "workspace:*",
"@typebot.io/emails": "workspace:*",
"@typebot.io/env": "workspace:*",
"@typebot.io/events": "workspace:*",
"@typebot.io/feature-flags": "workspace:*",
"@typebot.io/groups": "workspace:*",
"@typebot.io/logs": "workspace:*",
"@typebot.io/react": "workspace:*",
"@typebot.io/runtime-session-store": "workspace:*",
"@typebot.io/settings": "workspace:*",
"@typebot.io/spaces": "workspace:*",
"@typebot.io/shared-core": "workspace:*",
"@typebot.io/telemetry": "workspace:*",
"@typebot.io/templates": "workspace:*",
"@typebot.io/theme": "workspace:*",
"@typebot.io/typebot": "workspace:*",
"@typebot.io/ui": "workspace:*",
"@typebot.io/user": "workspace:*",
"@typebot.io/whatsapp": "workspace:*",
"@typebot.io/workspaces": "workspace:*",
"@uiw/codemirror-extensions-langs": "^4.25.8",
"@uiw/codemirror-theme-github": "^4.25.8",
"@uiw/codemirror-theme-tokyo-night": "^4.25.8",
"@uiw/react-codemirror": "^4.25.8",
"@upstash/ratelimit": "^0.4.3",
"@use-gesture/react": "^10.3.1",
"@vercel/otel": "^2.1.1",
"ai": "^4.3.19",
"canvas-confetti": "^1.6.0",
"codemirror": "^6.0.2",
"date-fns": "^2.30.0",
"date-fns-tz": "^2.0.0",
"deep-object-diff": "^1.1.9",
"dequal": "^2.0.3",
"effect": "4.0.0-beta.38",
"google-auth-library": "^10.1.0",
"immer": "^10.0.2",
"ioredis": "^5.4.1",
"jsonwebtoken": "^9.0.1",
"ky": "^1.2.4",
"mailchecker": "^6.0.16",
"micro-cors": "^0.1.1",
"motion": "^12.23.25",
"nanoid": "^5.1.5",
"next": "^16.1.6",
"next-auth": "^5.0.0-beta.30",
"next-themes": "^0.4.6",
"nextjs-cors": "^2.1.2",
"nodemailer": "^7.0.6",
"nuqs": "^2.3.2",
"openai": "^6.9.1",
"papaparse": "^5.4.1",
"partysocket": "^1.0.2",
"pexels": "^1.4.0",
"posthog-node": "^5.8.2",
"prettier": "^2.8.8",
"qs": "^6.11.2",
"react": "^19.2.4",
"react-dom": "^19.2.4",
"react-markdown": "^9.0.1",
"shared-zustand": "^2.1.0",
"stripe": "17.1.0",
"svg-round-corners": "^0.4.1",
"svix": "^1.74.1",
"tinycolor2": "^1.6.0",
"unsplash-js": "^7.0.18",
"use-debounce": "^9.0.4",
"zod": "^4.3.5",
"zod-validation-error": "^5.0.0",
"zustand": "^5.0.8"
},
"devDependencies": {
"@tailwindcss/postcss": "^4.1.16",
"@typebot.io/billing": "workspace:*",
"@typebot.io/forge": "workspace:*",
"@typebot.io/forge-repository": "workspace:*",
"@typebot.io/lib": "workspace:*",
"@typebot.io/prisma": "workspace:*",
"@typebot.io/radar": "workspace:*",
"@typebot.io/results": "workspace:*",
"@typebot.io/schemas": "workspace:*",
"@typebot.io/variables": "workspace:*",
"@types/bun": "^1.3.9",
"@types/canvas-confetti": "^1.6.0",
"@types/jsonwebtoken": "^9.0.2",
"@types/micro-cors": "^0.1.3",
"@types/node": "^24.10.13",
"@types/papaparse": "^5.3.7",
"@types/prettier": "^2.7.3",
"@types/qs": "^6.9.7",
"@types/react": "^19.2.14",
"@types/react-dom": "^19.2.3",
"@types/tinycolor2": "^1.4.3",
"dotenv": "^16.4.5",
"dotenv-cli": "^8.0.0",
"next-runtime-env": "^1.6.2",
"superjson": "^1.12.4",
"tailwindcss": "^4.1.16",
"vite-tsconfig-paths": "^6.1.1"
}
}
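Review bot: This package already depends on `@braintree/sanitize-url` (`"@braintree/sanitize-url": "^7.0.1"` under `dependencies`), while the commit description introduces a separate hand-written `sanitizeUrl` allowlist limited to `http:`, `https:`, `mailto:` and `tel:`; two URL sanitizers with different rules in one monorepo tend to drift, so the builder-side link editor and the viewer-side renderer may end up accepting different inputs. Presumably the new utility lives in the `@typebot.io/js` / `@typebot.io/react` packages that are bumped to `0.10.1`, which this file does not show. It would help to state in the utility's doc comment that it is the authoritative check for bubble, image-click and toast links, and either route the builder's use of `@braintree/sanitize-url` through it or note why the two are intentionally different. The `typecheck` target added here is the only gate that exercises `tsc --noEmit`, so the README or the Nx project docs should mention that `bunx nx typecheck builder` is expected to run before merge.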