Fix(toast): action XSS and dispose toast group on hook destroy (#43)

karim-semmoud · web-flow · commit c816dfc1c80c · 2026-06-01T13:34:48.000+07:00
* Fix(toast): action XSS and dispose toast group on hook destroy

* update toast test
diff --git a/assets/components/toast.ts b/assets/components/toast.ts
@@ -168,15 +168,15 @@ export class ToastItem<T = unknown> extends Component<ToastItemProps<T>, Api> {
       this.parts.action.hidden = false;
       this.spreadProps(this.parts.action, this.api.getActionTriggerProps());
       const label = this.latestProps.action?.label ?? "";
-      if (this.parts.action.innerHTML !== label) {
-        this.parts.action.innerHTML = label;
+      if (this.parts.action.textContent !== label) {
+        this.parts.action.textContent = label;
       }
       const extraClasses = actionClassTokens(this.latestProps.action);
       if (extraClasses.length) this.parts.action.classList.add(...extraClasses);
     } else {
       this.parts.action.hidden = true;
-      if (this.parts.action.innerHTML) {
-        this.parts.action.innerHTML = "";
+      if (this.parts.action.textContent) {
+        this.parts.action.textContent = "";
       }
     }
 
diff --git a/assets/hooks/toast.ts b/assets/hooks/toast.ts
@@ -1,7 +1,7 @@
 import type { Hook } from "phoenix_live_view";
 import type { HookInterface, CallbackRef } from "phoenix_live_view/assets/js/types/view_hook";
 
-import { createToastGroup, getToastStore } from "../components/toast";
+import { createToastGroup, disposeToastGroup, getToastStore } from "../components/toast";
 import type { ActionOptions } from "@zag-js/toast";
 import type { Placement } from "@zag-js/toast";
 import type { Options } from "@zag-js/toast";
@@ -354,6 +354,9 @@ const ToastHook: Hook<object & ToastHookState, HTMLElement> = {
         this.removeHandleEvent(handler);
       }
     }
+    if (this.groupId) {
+      disposeToastGroup(this.groupId);
+    }
   },
 };
 
diff --git a/assets/test/component/toast.test.ts b/assets/test/component/toast.test.ts
@@ -62,4 +62,30 @@ describe("toast group API", () => {
     expect(container.dataset.toastGroup).toBeUndefined();
     expect(container.dataset.toastGroupId).toBeUndefined();
   });
+
+  it("renders action label as text without HTML injection", () => {
+    const container = document.createElement("div");
+    container.id = groupId;
+    container.setAttribute("phx-hook", "Toast");
+    document.body.appendChild(container);
+
+    const { group, store } = createToastGroup(container, { id: groupId });
+    const malicious = '<img src=x onerror="window.__toastXss=1">';
+    store.create({
+      id: "t-xss",
+      title: "Title",
+      type: "info",
+      action: { label: malicious, onClick: () => {} },
+    });
+    group.render();
+
+    const action = container.querySelector<HTMLElement>(
+      '[data-scope="toast"][data-part="action-trigger"]'
+    );
+    expect(action).toBeTruthy();
+    expect(action!.textContent).toBe(malicious);
+    expect(action!.querySelector("img")).toBeNull();
+
+    document.body.removeChild(container);
+  });
 });
diff --git a/assets/test/helpers/mock-hook.ts b/assets/test/helpers/mock-hook.ts
@@ -0,0 +1,96 @@
+import { expect, vi } from "vitest";
+import type { CallbackRef } from "phoenix_live_view/assets/js/types/view_hook";
+import { mockLiveSocket } from "./mock-live-socket";
+
+export function mockHookJs() {
+  return {
+    exec: vi.fn(),
+    show: vi.fn(),
+    hide: vi.fn(),
+    toggle: vi.fn(),
+    addClass: vi.fn(),
+    removeClass: vi.fn(),
+    toggleClass: vi.fn(),
+    transition: vi.fn(),
+    setAttribute: vi.fn(),
+    removeAttribute: vi.fn(),
+    toggleAttribute: vi.fn(),
+    push: vi.fn(),
+    navigate: vi.fn(),
+    patch: vi.fn(),
+    ignoreAttributes: vi.fn(),
+  };
+}
+
+export type MockHookJs = ReturnType<typeof mockHookJs>;
+
+type BaseHookContext<E extends HTMLElement> = {
+  el: E;
+  pushEvent: ReturnType<typeof vi.fn>;
+  js: () => MockHookJs;
+  liveSocket: ReturnType<typeof mockLiveSocket>["ctx"]["liveSocket"];
+  handleEvent: ReturnType<
+    typeof vi.fn<(event: string, callback: (payload: unknown) => void) => CallbackRef>
+  >;
+  removeHandleEvent: ReturnType<typeof vi.fn>;
+};
+
+type MockHookContextOptions<Extra extends Record<string, unknown>> = {
+  connected?: boolean;
+  overrides?: Extra;
+};
+
+export function mockHookContext<
+  E extends HTMLElement,
+  Extra extends Record<string, unknown> = Record<string, never>,
+>(el: E, opts: MockHookContextOptions<Extra> = {}) {
+  const connected = opts.connected ?? false;
+  const { ctx, patch, navigate } = mockLiveSocket(connected);
+  const jsCommands = mockHookJs();
+  jsCommands.patch = patch;
+  jsCommands.navigate = navigate;
+
+  const base: BaseHookContext<E> = {
+    el,
+    pushEvent: vi.fn(),
+    js: () => jsCommands,
+    liveSocket: ctx.liveSocket,
+    handleEvent: vi.fn(
+      (event: string, callback: (payload: unknown) => void): CallbackRef => ({
+        event,
+        callback,
+      })
+    ),
+    removeHandleEvent: vi.fn(),
+  };
+
+  const hook = { ...base, ...opts.overrides } as BaseHookContext<E> & Extra;
+
+  return { hook, patch, navigate, jsCommands, liveSocket: ctx.liveSocket };
+}
+
+type HookLifecycle = "mounted" | "destroyed" | "updated" | "beforeUpdate";
+
+export function callHookLifecycle(
+  hookModule: Partial<Record<HookLifecycle, (this: never) => void>>,
+  hook: object,
+  lifecycle: HookLifecycle
+): void {
+  const fn = hookModule[lifecycle];
+  expect(fn).toBeDefined();
+  fn!.call(hook as never);
+}
+
+export function callHookMounted(
+  hookModule: Partial<Record<"mounted", (this: never) => void>>,
+  hook: object
+): void {
+  callHookLifecycle(hookModule, hook, "mounted");
+}
+
+export function callHookDestroyed(
+  hookModule: Partial<Record<"destroyed", (this: never) => void>>,
+  hook: object
+): void {
+  callHookLifecycle(hookModule, hook, "destroyed");
+}
diff --git a/assets/test/hooks/toast.test.ts b/assets/test/hooks/toast.test.ts
@@ -1,5 +1,8 @@
-import { describe, expect, it } from "vitest";
-import { parseActionSpec } from "../../hooks/toast";
+import { describe, expect, it, afterEach } from "vitest";
+import type { CallbackRef } from "phoenix_live_view/assets/js/types/view_hook";
+import { parseActionSpec, Toast } from "../../hooks/toast";
+import { getToastStore } from "../../components/toast";
+import { callHookDestroyed, callHookMounted, mockHookContext } from "../helpers/mock-hook";
 
 describe("parseActionSpec", () => {
   it("parses valid exec_js action", () => {
@@ -28,3 +31,34 @@ describe("parseActionSpec", () => {
     expect(parseActionSpec({ label: "X", effects: [{ kind: "other", encoded: "x" }] })).toBeNull();
   });
 });
+
+describe("Toast hook lifecycle", () => {
+  const groupId = "toast-hook-dispose-test";
+
+  afterEach(() => {
+    document.getElementById(groupId)?.remove();
+  });
+
+  it("destroyed disposes the toast group store", () => {
+    const el = document.createElement("div");
+    el.id = groupId;
+    document.body.appendChild(el);
+
+    const { hook } = mockHookContext(el, {
+      connected: false,
+      overrides: {
+        groupId: "",
+        handlers: [] as CallbackRef[],
+        domListeners: [] as Array<{ el: HTMLElement; name: string; fn: EventListener }>,
+      },
+    });
+
+    callHookMounted(Toast, hook);
+    expect(getToastStore(groupId)).toBeDefined();
+    expect(el.dataset.toastGroup).toBe("true");
+
+    callHookDestroyed(Toast, hook);
+    expect(getToastStore(groupId)).toBeUndefined();
+    expect(el.dataset.toastGroup).toBeUndefined();
+  });
+});
diff --git a/lib/corex/toast/payload.ex b/lib/corex/toast/payload.ex
@@ -4,8 +4,7 @@ defmodule Corex.Toast.Payload do
   import Corex.Helpers, only: [maybe_put: 3]
 
   alias Corex.Toast.Action, as: ToastAction
-  alias Phoenix.HTML.Safe
-  alias Phoenix.LiveView.{JS, Rendered}
+  alias Phoenix.LiveView.JS
 
   @toast_type_strings Map.new(~W(info success error warning loading)a, &{&1, Atom.to_string(&1)})
 
@@ -106,15 +105,6 @@ defmodule Corex.Toast.Payload do
   defp class_string(_), do: nil
 
   defp action_label_html(label) when is_binary(label), do: label
-
-  defp action_label_html(%Rendered{} = rendered) do
-    rendered |> Safe.to_iodata() |> IO.iodata_to_binary()
-  end
-
-  defp action_label_html({:safe, _} = safe) do
-    safe |> Safe.to_iodata() |> IO.iodata_to_binary()
-  end
-
   defp action_label_html(_), do: nil
 
   defp encode_js_ops(%JS{} = js), do: Phoenix.json_library().encode!(js.ops)
diff --git a/priv/static/corex.js b/priv/static/corex.js
@@ -40320,6 +40320,16 @@ ${err}`);
     container.dataset.toastGroupId = groupId;
     return { group: group2, store: store2 };
   }
+  function disposeToastGroup(groupId) {
+    const group2 = toastGroups.get(groupId);
+    if (!group2) return;
+    const container = group2.el;
+    group2.destroy();
+    toastGroups.delete(groupId);
+    toastStores.delete(groupId);
+    delete container.dataset.toastGroup;
+    delete container.dataset.toastGroupId;
+  }
   function getToastStore(groupId) {
     if (groupId) return toastStores.get(groupId);
     const el = document.querySelector("[data-toast-group]");
@@ -41044,15 +41054,15 @@ ${err}`);
             this.parts.action.hidden = false;
             this.spreadProps(this.parts.action, this.api.getActionTriggerProps());
             const label = (_e = (_d = this.latestProps.action) == null ? void 0 : _d.label) != null ? _e : "";
-            if (this.parts.action.innerHTML !== label) {
-              this.parts.action.innerHTML = label;
+            if (this.parts.action.textContent !== label) {
+              this.parts.action.textContent = label;
             }
             const extraClasses = actionClassTokens(this.latestProps.action);
             if (extraClasses.length) this.parts.action.classList.add(...extraClasses);
           } else {
             this.parts.action.hidden = true;
-            if (this.parts.action.innerHTML) {
-              this.parts.action.innerHTML = "";
+            if (this.parts.action.textContent) {
+              this.parts.action.textContent = "";
             }
           }
           const duration = this.duration;
@@ -41352,6 +41362,9 @@ ${err}`);
               this.removeHandleEvent(handler);
             }
           }
+          if (this.groupId) {
+            disposeToastGroup(this.groupId);
+          }
         }
       };
     }
diff --git a/priv/static/corex.min.js b/priv/static/corex.min.js
diff --git a/priv/static/toast.mjs b/priv/static/toast.mjs
@@ -1260,15 +1260,15 @@ var ToastItem = class extends Component {
       this.parts.action.hidden = false;
       this.spreadProps(this.parts.action, this.api.getActionTriggerProps());
       const label = this.latestProps.action?.label ?? "";
-      if (this.parts.action.innerHTML !== label) {
-        this.parts.action.innerHTML = label;
+      if (this.parts.action.textContent !== label) {
+        this.parts.action.textContent = label;
       }
       const extraClasses = actionClassTokens(this.latestProps.action);
       if (extraClasses.length) this.parts.action.classList.add(...extraClasses);
     } else {
       this.parts.action.hidden = true;
-      if (this.parts.action.innerHTML) {
-        this.parts.action.innerHTML = "";
+      if (this.parts.action.textContent) {
+        this.parts.action.textContent = "";
       }
     }
     const duration = this.duration;
@@ -1378,6 +1378,16 @@ function createToastGroup(container, options) {
   container.dataset.toastGroupId = groupId;
   return { group: group2, store };
 }
+function disposeToastGroup(groupId) {
+  const group2 = toastGroups.get(groupId);
+  if (!group2) return;
+  const container = group2.el;
+  group2.destroy();
+  toastGroups.delete(groupId);
+  toastStores.delete(groupId);
+  delete container.dataset.toastGroup;
+  delete container.dataset.toastGroupId;
+}
 function getToastStore(groupId) {
   if (groupId) return toastStores.get(groupId);
   const el = document.querySelector("[data-toast-group]");
@@ -1643,6 +1653,9 @@ var ToastHook = {
         this.removeHandleEvent(handler);
       }
     }
+    if (this.groupId) {
+      disposeToastGroup(this.groupId);
+    }
   }
 };
 export {
diff --git a/test/components/toast_test.exs b/test/components/toast_test.exs
@@ -405,15 +405,13 @@ defmodule Corex.ToastTest do
       assert Payload.normalize_action(%{label: "Go"}) == nil
     end
 
-    test "normalize_action encodes rendered and safe labels" do
+    test "normalize_action rejects rendered and safe labels" do
       assigns = %{}
       rendered = ~H"Run"
-      action = Payload.normalize_action(%{label: rendered, js: JS.push("go")})
-      assert action["label"] =~ "Run"
+      assert Payload.normalize_action(%{label: rendered, js: JS.push("go")}) == nil
 
       safe = {:safe, "<b>Go</b>"}
-      action2 = Payload.normalize_action(%{label: safe, js: JS.push("go")})
-      assert action2["label"] =~ "Go"
+      assert Payload.normalize_action(%{label: safe, js: JS.push("go")}) == nil
     end
 
     test "update_detail drops unknown keys and nil priority" do

Original file line number	Diff line number	Diff line change
`@@ -168,15 +168,15 @@ export class ToastItem<T = unknown> extends Component<ToastItemProps<T>, Api> {`
`168`	`168`	`this.parts.action.hidden = false;`
`169`	`169`	`this.spreadProps(this.parts.action, this.api.getActionTriggerProps());`
`170`	`170`	`const label = this.latestProps.action?.label ?? "";`
`171`		`- if (this.parts.action.innerHTML !== label) {`
`172`		`- this.parts.action.innerHTML = label;`
	`171`	`+ if (this.parts.action.textContent !== label) {`
	`172`	`+ this.parts.action.textContent = label;`
`173`	`173`	`}`
`174`	`174`	`const extraClasses = actionClassTokens(this.latestProps.action);`
`175`	`175`	`if (extraClasses.length) this.parts.action.classList.add(...extraClasses);`
`176`	`176`	`} else {`
`177`	`177`	`this.parts.action.hidden = true;`
`178`		`- if (this.parts.action.innerHTML) {`
`179`		`- this.parts.action.innerHTML = "";`
	`178`	`+ if (this.parts.action.textContent) {`
	`179`	`+ this.parts.action.textContent = "";`
`180`	`180`	`}`
`181`	`181`	`}`
`182`	`182`