From dff6edf7c3fe88736628c84dfec45360a4381be5 Mon Sep 17 00:00:00 2001
From: Dana Lee
Date: Tue, 14 Jan 2025 10:35:31 +0100
Subject: [PATCH] PR requests and move sanitize HTML to separate function
---
 .../nodes/Form/common.descriptions.ts | 2 +-
 packages/nodes-base/nodes/Form/utils.ts | 37 +++++++++++++++----
 2 files changed, 31 insertions(+), 8 deletions(-)
diff --git a/packages/nodes-base/nodes/Form/common.descriptions.ts b/packages/nodes-base/nodes/Form/common.descriptions.ts
index ad66330c27..28eac6ed1b 100644
--- a/packages/nodes-base/nodes/Form/common.descriptions.ts
+++ b/packages/nodes-base/nodes/Form/common.descriptions.ts
@@ -29,7 +29,7 @@ export const formDescription: INodeProperties = {
 default: '',
 placeholder: "e.g. We'll get back to you soon",
 description:
- 'Shown underneath the Form Title. Can be used to prompt the user on how to complete the form.',
+ 'Shown underneath the Form Title. Can be used to prompt the user on how to complete the form. Accepts HTML.',
 typeOptions: {
 rows: 2,
 },
diff --git a/packages/nodes-base/nodes/Form/utils.ts b/packages/nodes-base/nodes/Form/utils.ts
index 1b67e93eb3..0c1d77a2d6 100644
--- a/packages/nodes-base/nodes/Form/utils.ts
+++ b/packages/nodes-base/nodes/Form/utils.ts
@@ -24,6 +24,35 @@ import { getResolvables } from '../../utils/utilities';
 import { WebhookAuthorizationError } from '../Webhook/error';
 import { validateWebhookAuthentication } from '../Webhook/utils';
 
+function sanitizeHtml(text: string) {
+ return sanitize(text, {
+ allowedTags: [
+ 'b',
+ 'i',
+ 'em',
+ 'strong',
+ 'a',
+ 'h1',
+ 'h2',
+ 'h3',
+ 'h4',
+ 'h5',
+ 'h6',
+ 'u',
+ 'sub',
+ 'sup',
+ 'code',
+ 'pre',
+ 'span',
+ 'br',
+ ],
+ allowedAttributes: {
+ a: ['href', 'target', 'rel'],
+ },
+ nonBooleanAttributes: ['*'],
+ });
+}
+
 export function prepareFormData({
 formTitle,
 formDescription,
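Review bot: In the new `sanitizeHtml` helper in utils.ts, the `a` allowlist now lets `target` through but nothing forces a safe `rel` alongside it, so a description link with `target="_blank"` depends on the browser's own default to keep the opened page away from `window.opener`. Assuming `sanitize` is the sanitize-html package (its import is outside the hunk), adding `transformTags: { a: sanitize.simpleTransform('a', { rel: 'noopener noreferrer' }) },` to the options would pin that, with `rel` kept in `allowedAttributes` so the value survives filtering. The helper also relies on the library's default URL-scheme list for `href`; spelling it out, e.g. `allowedSchemes: ['http', 'https', 'mailto'],`, would make that part of the boundary visible to reviewers. A short doc comment saying that this allowlist is what stands between the form-description parameter and the rendered page, plus an explicit `: string` return type, would help whoever next extends the tag list.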
@@ -374,13 +403,7 @@ export async function formWebhook(
 //Show the form on GET request
 if (method === 'GET') {
 const formTitle = context.getNodeParameter('formTitle', '') as string;
- const formDescription = sanitize(context.getNodeParameter('formDescription', '') as string, {
- allowedTags: ['b', 'i', 'em', 'strong', 'a', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6'],
- allowedAttributes: {
- a: ['href'],
- },
- nonBooleanAttributes: ['*'],
- });
+ const formDescription = sanitizeHtml(context.getNodeParameter('formDescription', '') as string);
 const responseMode = context.getNodeParameter('responseMode', '') as string;
 
 let formSubmittedText;