Conversation

ryunsong-contentful

Purpose

A video is linked in this Slack post: https://contentful.slack.com/archives/C07QGCRMTU1/p1749063620990619

This is not production-level code. The point of this PR is to

  1. Provide a proof of concept on how to connect to Hubspot
  2. Provide an outlined structure for 10Pines on connecting to App Actions and App Functions
  3. Provide a basic template for them to start on so we can discuss in a meeting tomorrow

@ryunsong-contentful ryunsong-contentful requested a review from a team as a code owner June 4, 2025 21:16

netlify bot commented Jun 4, 2025

Deploy Preview for ecommerce-app-base-components canceled.

🔨 Latest commit: ddeb64e
🔍 Latest deploy log: https://app.netlify.com/projects/ecommerce-app-base-components/deploys/684712eae236ee00074264d3

Comment on lines 83 to 94
let sanitized = textStr
// Remove null bytes that can terminate strings in some contexts
.replace(/\0/g, '')
// Remove control characters except common whitespace
.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '')
// Remove potential script injection patterns
.replace(/<script[^>]*>.*?<\/script>/gis, '')
.replace(/javascript:/gi, '')
.replace(/vbscript:/gi, '')
.replace(/on\w+\s*=/gi, '')
// Remove data URLs that could contain scripts
.replace(/data:.*?base64/gi, '');

Check failure

Code scanning / CodeQL

Incomplete URL scheme check High

This check does not consider data:.

Copilot Autofix

AI 4 months ago

To fix the issue, the sanitizeUserInput function should be updated to comprehensively check for and sanitize URLs with the data: scheme. This can be achieved by adding a case-insensitive check for any data: scheme, similar to the existing checks for javascript: and vbscript:. The regex targeting data: URLs with base64 should be replaced with a broader check for any data: scheme.

Changes will be made to the sanitizeUserInput function in the file apps/hubspot/functions/utils.ts. Specifically:

  1. Replace the regex targeting data: URLs with base64 on line 94 with a more comprehensive check for data: URLs.
  2. Ensure the check is case-insensitive and removes all data: URLs.

Suggested changeset 1
apps/hubspot/functions/utils.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/hubspot/functions/utils.ts b/apps/hubspot/functions/utils.ts
--- a/apps/hubspot/functions/utils.ts
+++ b/apps/hubspot/functions/utils.ts
@@ -92,4 +92,4 @@
     .replace(/on\w+\s*=/gi, '')
-    // Remove data URLs that could contain scripts
-    .replace(/data:.*?base64/gi, '');
+    // Remove data URLs that could contain scripts or other malicious content
+    .replace(/data:/gi, '');
 
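Review bot: `.replace(/data:/gi, '')` on the added line deletes the five characters `data:` wherever they occur in free text, so benign prose such as `Metadata: updated` comes out as `Meta updated`, and as a single deletion pass it keeps the non-idempotence that the second autofix on this page wraps a loop around. CodeQL's "incomplete URL scheme check" is about deciding whether a URL's scheme is allowed; do that on URL-typed values (trim, lower-case, compare the part before `:` against an allow-list such as `http`/`https`) rather than stripping a substring out of text.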
EOF

Copilot is powered by AI and may make mistakes. Always verify output.
@ryunsong-contentful ryunsong-contentful committed this autofix suggestion 4 months ago.
Comment on lines 83 to 92
let sanitized = textStr
// Remove null bytes that can terminate strings in some contexts
.replace(/\0/g, '')
// Remove control characters except common whitespace
.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '')
// Remove potential script injection patterns
.replace(/<script[^>]*>.*?<\/script>/gis, '')
.replace(/javascript:/gi, '')
.replace(/vbscript:/gi, '')
.replace(/on\w+\s*=/gi, '')

Check failure

Code scanning / CodeQL

Incomplete multi-character sanitization High

This string may still contain `on`, which may cause an HTML attribute injection vulnerability.

Copilot Autofix

AI 4 months ago

To address the issue, we will modify the sanitization logic to repeatedly apply the regular expression replacements until no further changes occur. This ensures that all instances of unsafe patterns, including those that might reappear after partial sanitization, are fully removed. This approach is robust and prevents incomplete sanitization.

The changes will involve wrapping the sanitization logic in a loop that continues until the input string remains unchanged after a pass. This will be implemented in the sanitizeUserInput function.


Suggested changeset 1
apps/hubspot/functions/utils.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/hubspot/functions/utils.ts b/apps/hubspot/functions/utils.ts
--- a/apps/hubspot/functions/utils.ts
+++ b/apps/hubspot/functions/utils.ts
@@ -82,14 +82,19 @@
   // Remove or escape potential injection patterns
-  let sanitized = textStr
-    // Remove null bytes that can terminate strings in some contexts
-    .replace(/\0/g, '')
-    // Remove control characters except common whitespace
-    .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '')
-    // Remove potential script injection patterns - fixed to handle closing tags with whitespace
-    .replace(/<script[^>]*>.*?<\/script\s*>/gis, '')
-    .replace(/javascript:/gi, '')
-    .replace(/vbscript:/gi, '')
-    .replace(/on\w+\s*=/gi, '')
-    // Remove data URLs that could contain scripts
-    .replace(/data:.*?base64/gi, '');
+  let sanitized = textStr;
+  let previous;
+  do {
+    previous = sanitized;
+    sanitized = sanitized
+      // Remove null bytes that can terminate strings in some contexts
+      .replace(/\0/g, '')
+      // Remove control characters except common whitespace
+      .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '')
+      // Remove potential script injection patterns - fixed to handle closing tags with whitespace
+      .replace(/<script[^>]*>.*?<\/script\s*>/gis, '')
+      .replace(/javascript:/gi, '')
+      .replace(/vbscript:/gi, '')
+      .replace(/on\w+\s*=/gi, '')
+      // Remove data URLs that could contain scripts
+      .replace(/data:.*?base64/gi, '');
+  } while (sanitized !== previous);
 
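Review bot: the loop does terminate (every `.replace` only deletes characters, so the string strictly shrinks until a pass changes nothing), but reaching a fixed point is not the same as a clean result: a `<script` with no matching end tag passes every iteration unchanged, which is the "may still contain `<script`" finding raised on this same block further down, and the `<\/script\s*>` pattern kept inside the loop is the one the "Bad HTML filtering regexp" finding says misses `</script\t\n bar>`. If the goal is plain text, strip tags with a parser (the sanitize-html or DOMPurify suggestions elsewhere on this page) and keep this loop only as defence in depth; also give `previous` a type (`let previous: string;`), since this is a `.ts` file.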
EOF

Comment on lines +38 to +39
const textContent = sanitizedHtml
.replace(/<[^>]*>/g, '') // Remove HTML tags from sanitized input

Check failure

Code scanning / CodeQL

Incomplete multi-character sanitization High

This string may still contain `<script`, which may cause an HTML element injection vulnerability.

Copilot Autofix

AI 4 months ago

To address the issue, we should ensure that the sanitization process is robust and handles all potential edge cases. The best approach is to use a well-tested library like sanitize-html to sanitize the input securely. This library is specifically designed to remove unsafe HTML elements and attributes while preserving safe content. By replacing the sanitizeUserInput function with sanitize-html, we can ensure that the input is thoroughly sanitized before further processing.

The changes will involve:

  1. Importing the sanitize-html library.
  2. Replacing the call to sanitizeUserInput with a call to sanitizeHtml.
  3. Configuring sanitizeHtml to remove all unsafe tags and attributes.

Suggested changeset 2
apps/hubspot/functions/email-http-methods/getEmails.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/hubspot/functions/email-http-methods/getEmails.ts b/apps/hubspot/functions/email-http-methods/getEmails.ts
--- a/apps/hubspot/functions/email-http-methods/getEmails.ts
+++ b/apps/hubspot/functions/email-http-methods/getEmails.ts
@@ -1,3 +1,3 @@
 import type { HubSpotRequestContext, HubSpotResponse, ContentBlock } from '../types';
-import { sanitizeUserInput } from '../utils';
+import sanitizeHtml from 'sanitize-html';
 
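Review bot: the `sanitizeUserInput` import is removed, so the build breaks if the function is referenced anywhere else in getEmails.ts beyond the single call changed in the next hunk. sanitize-html's TypeScript typings live in `@types/sanitize-html`; that devDependency is needed as well, or the default import will not type-check.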
@@ -34,3 +34,6 @@
             const rawHtml = String(widget.body.html);
-            const sanitizedHtml = sanitizeUserInput(rawHtml);
+            const sanitizedHtml = sanitizeHtml(rawHtml, {
+              allowedTags: [], // Remove all HTML tags
+              allowedAttributes: {}, // Remove all attributes
+            });
 
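Review bot: with `allowedTags: []` sanitize-html already returns text only, so the `.replace(/<[^>]*>/g, '')` on lines 38-39 that triggered this finding becomes a second, weaker pass and should be deleted rather than kept. sanitize-html HTML-escapes the remaining text (`&` becomes `&amp;`), so if `textContent` is consumed as plain text it will carry entities; decide whether the downstream consumer expects HTML or text and convert once.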
EOF

apps/hubspot/package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/hubspot/package.json b/apps/hubspot/package.json
--- a/apps/hubspot/package.json
+++ b/apps/hubspot/package.json
@@ -14,3 +14,4 @@
     "react": "18.3.1",
-    "react-dom": "18.3.1"
+    "react-dom": "18.3.1",
+    "sanitize-html": "^2.17.0"
   },
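Review bot: the neighbouring entries are pinned to exact versions (`"18.3.1"`), so `"sanitize-html": "^2.17.0"` should follow suit (`"2.17.0"`) to keep installs reproducible, and the package lockfile has to be regenerated, because `git apply` of this patch only changes package.json.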
EOF
This fix introduces these dependencies: sanitize-html (npm) 2.17.0, security advisories: none.
Comment on lines +83 to +89
let sanitized = textStr
// Remove null bytes that can terminate strings in some contexts
.replace(/\0/g, '')
// Remove control characters except common whitespace
.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '')
// Remove potential script injection patterns - fixed to handle closing tags with whitespace
.replace(/<script[^>]*>.*?<\/script\s*>/gis, '')

Check failure

Code scanning / CodeQL

Incomplete multi-character sanitization High

This string may still contain `<script`, which may cause an HTML element injection vulnerability.
// Remove control characters except common whitespace
.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '')
// Remove potential script injection patterns - fixed to handle closing tags with whitespace
.replace(/<script[^>]*>.*?<\/script\s*>/gis, '')

Check failure

Code scanning / CodeQL

Bad HTML filtering regexp High

This regular expression does not match script end tags like </script\t\n bar>.

Copilot Autofix

AI 4 months ago

To fix the issue, replace the custom regular expression with a well-tested HTML sanitization library, such as DOMPurify. This library is specifically designed to handle edge cases and ensure robust sanitization of user input. The replacement will involve importing the library and using its sanitize function to clean the input. This approach eliminates the need for custom regex-based sanitization and ensures comprehensive protection against XSS attacks.

Steps to implement the fix:

  1. Install the dompurify library.
  2. Import DOMPurify in the file.
  3. Replace the regex-based sanitization logic with DOMPurify.sanitize.
  4. Retain other sanitization steps (e.g., null byte removal, control character removal) as additional safeguards.

Suggested changeset 2
apps/hubspot/functions/utils.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/hubspot/functions/utils.ts b/apps/hubspot/functions/utils.ts
--- a/apps/hubspot/functions/utils.ts
+++ b/apps/hubspot/functions/utils.ts
@@ -1,2 +1,3 @@
 import type { TextNode } from './types';
+import DOMPurify from 'dompurify';
 
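Review bot: dompurify requires a DOM. The PR describes App Functions, which run server-side with no `window`; in that environment the default export is a factory whose `isSupported` is false and whose `sanitize` cannot be used. Either construct it with jsdom (`createDOMPurify(new JSDOM('').window)`, adding `jsdom` as a dependency) or use sanitize-html, already proposed on this page, which runs in Node directly.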
@@ -86,10 +87,6 @@
     // Remove control characters except common whitespace
-    .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '')
-    // Remove potential script injection patterns - fixed to handle closing tags with whitespace
-    .replace(/<script[^>]*>.*?<\/script\s*>/gis, '')
-    .replace(/javascript:/gi, '')
-    .replace(/vbscript:/gi, '')
-    .replace(/on\w+\s*=/gi, '')
-    // Remove data URLs that could contain scripts
-    .replace(/data:.*?base64/gi, '');
+    .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '');
+
+  // Use DOMPurify to sanitize HTML content
+  sanitized = DOMPurify.sanitize(sanitized);
 
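Review bot: `DOMPurify.sanitize(sanitized)` returns HTML with safe markup retained, whereas the regex chain it replaces, and the caller in getEmails.ts that strips tags from the result, treat the value as text. If plain text is the intent, pass `{ ALLOWED_TAGS: [], KEEP_CONTENT: true }` so only text content survives; otherwise document that `sanitizeUserInput` now returns HTML and adjust the callers.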
EOF

apps/hubspot/package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/hubspot/package.json b/apps/hubspot/package.json
--- a/apps/hubspot/package.json
+++ b/apps/hubspot/package.json
@@ -14,3 +14,4 @@
     "react": "18.3.1",
-    "react-dom": "18.3.1"
+    "react-dom": "18.3.1",
+    "dompurify": "^3.2.6"
   },
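Review bot: `"dompurify": "^3.2.6"` breaks the exact-version style of the neighbouring entries (`"18.3.1"`); pin it to `"3.2.6"`, regenerate the lockfile (the patch only touches package.json), and if DOMPurify is to run inside a Node function add `jsdom` here too, since dompurify alone has no DOM to parse with.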
EOF
This fix introduces these dependencies: dompurify (npm) 3.2.6, security advisories: none.
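Worked example added by the editor (not code from the PR or from the Copilot suggestions): the quoted regex chain as a single pass, the autofix's do/while as a reusable bounded helper, and the idempotence and residue checks that turn the two "incomplete multi-character sanitization" findings above into regression tests. All inputs are constructed fixtures.

```javascript
// Added example, not code from the PR. One pass of the chain quoted from
// apps/hubspot/functions/utils.ts, kept verbatim so the checks apply to it.
function sanitizeOnce(textStr) {
  return textStr
    .replace(/\0/g, '')
    .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '')
    .replace(/<script[^>]*>.*?<\/script\s*>/gis, '')
    .replace(/javascript:/gi, '')
    .replace(/vbscript:/gi, '')
    .replace(/on\w+\s*=/gi, '')
    .replace(/data:.*?base64/gi, '');
}

// The autofix's do/while, generalised: repeat `step` until its output stops
// changing. Each regex only deletes characters, so the string strictly shrinks
// and the loop must stop; maxPasses guards against a step that does not.
function toFixedPoint(step, input, maxPasses = 100) {
  let previous;
  let current = input;
  let passes = 0;
  do {
    previous = current;
    current = step(current);
    passes += 1;
  } while (current !== previous && passes < maxPasses);
  return { value: current, passes };
}

// CodeQL's "incomplete multi-character sanitization" is exactly a step that is
// not idempotent: running it again on its own output changes the result.
function isIdempotent(step, input) {
  const once = step(input);
  return step(once) === once;
}

// A fixed point is not a safety proof: the block-list can settle on a string
// that still carries the fragment CodeQL names. Check the output, not the loop.
function stillHasScriptTag(s) {
  return /<script/i.test(s);
}

// Constructed regression fixtures for the two findings quoted on this page.
const REASSEMBLED_HANDLER = 'oonclick=nclick=';              // one pass leaves "onclick="
const UNCLOSED_SCRIPT_REMAINS = '<scr<script>x</script>ipt>'; // one pass leaves "<script>"
```

Running `toFixedPoint(sanitizeOnce, UNCLOSED_SCRIPT_REMAINS)` stops after two passes with `<script>` still in the output, which is why the loop alone does not close the finding.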