fix: enhance XSS protection in sanitizeHttpResponse for deep nesting scenarios

Author: MickaelAustoni

package.json

@@ -2,7 +2,7 @@
   "name": "treege",
   "description": "Powerful form generator",
   "license": "ISC",
-  "version": "3.0.0-beta.20",
+  "version": "3.0.0-beta.21",
   "type": "module",
   "types": "./dist/main.d.ts",
   "module": "./dist/main.js",

src/renderer/utils/__tests__/sanitize.test.ts

@@ -362,6 +362,34 @@ describe("sanitizeHttpResponse", () => {
       expect(result).toBeDefined();
     });
 
+    it("should sanitize strings even when max depth is exceeded (XSS protection)", () => {
+      // Security test: Create an object nested beyond MAX_DEPTH with XSS payload at bottom
+      let nested: unknown = '<script>alert("XSS at depth 150")</script>';
+      for (let i = 0; i < 150; i++) {
+        nested = { child: nested };
+      }
+
+      const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+      const result = sanitizeHttpResponse(nested);
+
+      warnSpy.mockRestore();
+
+      // Navigate to max depth level
+      let current = result as Record<string, unknown>;
+      for (let i = 0; i < 100; i++) {
+        current = current.child as Record<string, unknown>;
+      }
+
+      // At level 101, should get either sanitized string or safe placeholder
+      const deepValue = current.child;
+
+      // Must be either empty string (sanitized XSS) or safe placeholder
+      expect(typeof deepValue === "string").toBe(true);
+      expect(deepValue).not.toContain("<script>");
+      expect(deepValue).not.toContain("alert");
+    });
+
     it("should handle deeply nested arrays", () => {
       // Create deeply nested arrays
       let nested: unknown[] = ["value<script>xss</script>"];

src/renderer/utils/sanitize.ts

@@ -143,8 +143,12 @@ export const sanitizeHttpResponse = (
 ): unknown => {
   // Prevent DoS via deep nesting
   if (depth > MAX_DEPTH) {
-    console.warn(`sanitizeHttpResponse: Maximum depth (${MAX_DEPTH}) exceeded. Returning data as-is to prevent stack overflow.`);
-    return data;
+    console.warn(`sanitizeHttpResponse: Maximum depth (${MAX_DEPTH}) exceeded.`);
+    // Still sanitize strings to prevent XSS even at max depth
+    if (typeof data === "string") {
+      return sanitize(data, options);
+    }
+    return "[Max Depth Exceeded]";
   }
 
   if (data === null || data === undefined) {