[backport core/1.38] fix: prevent XSS vulnerability in context menu labels (#8922)

Backport of #8887 to `core/1.38` Automatically created by backport workflow. ┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-8922-backport-core-1-38-fix-prevent-XSS-vulnerability-in-context-menu-labels-3096d73d3650811a9448fc9b2344a88b) by [Unito](https://www.unito.io) Co-authored-by: Alexander Brown <drjkl@comfy.org> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: github-actions <github-actions@github.com>
2026-02-19 14:30:07 +00:00 · 2026-02-17 19:24:10 +09:00
parent 43b66ec5e5
commit 841cf55fbd
2 changed files with 45 additions and 4 deletions
--- a/browser_tests/tests/nodeSearchBox.spec.ts-snapshots/added-node-no-connection-chromium-linux.png
+++ b/browser_tests/tests/nodeSearchBox.spec.ts-snapshots/added-node-no-connection-chromium-linux.png
--- a/src/lib/litegraph/src/ContextMenu.ts
+++ b/src/lib/litegraph/src/ContextMenu.ts
@@ -1,3 +1,5 @@
+import DOMPurify from 'dompurify'
+
 import type {
  ContextMenuDivElement,
  IContextMenuOptions,
@@ -5,6 +7,38 @@ import type {
 } from './interfaces'
 import { LiteGraph } from './litegraph'

+const ALLOWED_TAGS = ['span', 'b', 'i', 'em', 'strong']
+const ALLOWED_STYLE_PROPS = new Set([
+  'display',
+  'color',
+  'background-color',
+  'padding-left',
+  'border-left'
+])
+
+DOMPurify.addHook('uponSanitizeAttribute', (_node, data) => {
+  if (data.attrName === 'style') {
+    const sanitizedStyle = data.attrValue
+      .split(';')
+      .map((s) => s.trim())
+      .filter((s) => {
+        const colonIdx = s.indexOf(':')
+        if (colonIdx === -1) return false
+        const prop = s.slice(0, colonIdx).trim().toLowerCase()
+        return ALLOWED_STYLE_PROPS.has(prop)
+      })
+      .join('; ')
+    data.attrValue = sanitizedStyle
+  }
+})
+
+function sanitizeMenuHTML(html: string): string {
+  return DOMPurify.sanitize(html, {
+    ALLOWED_TAGS,
+    ALLOWED_ATTR: ['style']
+  })
+}
+
 // TODO: Replace this pattern with something more modern.
 export interface ContextMenu<TValue = unknown> {
  constructor: new (
@@ -123,7 +157,7 @@ export class ContextMenu<TValue = unknown> {
    if (options.title) {
      const element = document.createElement('div')
      element.className = 'litemenu-title'
-      element.innerHTML = options.title
+      element.textContent = options.title
      root.append(element)
    }

@@ -218,11 +252,18 @@ export class ContextMenu<TValue = unknown> {
    if (value === null) {
      element.classList.add('separator')
    } else {
-      const innerHtml = name === null ? '' : String(name)
+      const label = name === null ? '' : String(name)
      if (typeof value === 'string') {
-        element.innerHTML = innerHtml
+        element.textContent = label
      } else {
-        element.innerHTML = value?.title ?? innerHtml
+        // Use innerHTML for content that contains HTML tags, textContent otherwise
+        const hasHtmlContent =
+          value?.content !== undefined && /<[a-z][\s\S]*>/i.test(value.content)
+        if (hasHtmlContent) {
+          element.innerHTML = sanitizeMenuHTML(value.content!)
+        } else {
+          element.textContent = value?.title ?? label
+        }

        if (value.disabled) {
          disabled = true