XSS sanitization is incomplete, some attributes are missing such as oncontentvisibilityautostatechange=. This allows for the email preview to render HTML that executes arbitrary JavaScript,

Sanitization is implemented here: https://github.com/novuhq/novu/blob/next/libs/application-generic/src/services/sanitize/sanitizer.service.ts

With allowedAttributes: false, all attributes are allowed through sanitize-html. Even dangerous ones like oncontentvisibilityautostatechange=. The DANGEROUS ATTRIBUTES array tries to handle this by denying more attributes after the fact, but this list is incomplete. I copied all well-known payloads from: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet And found that the oncontentvisibilityautostatechange= attribute isn't detected.

PS. there seems to also be another even more lax sanitizer here, but I wasn't able to figure out where it is used: https://github.com/novuhq/novu/blob/next/packages/framework/src/utils/sanitize.utils.ts

<a oncontentvisibilityautostatechange="alert(window.origin)" style="display:block;content-visibility:auto">

https://dashboard.novu.co/env/dev env gVtdgDEhgf1CetwX/workflows/onboarding-demo-workflow wf gVtdh2uV0h7j3ffK/steps/email-step st gVtqdgIrOkYVvP9F/editor

This may look like a Self-XSS similar to https://github.com/novuhq/novu/security/advisories/GHSA-w8vm-jx29-52fr, but it can be more impactful. First of all, if multiple users can access this dashboard, the link above can directly bring the to the email step editor to trigger the XSS. An attacker can also use the Google/GitHub OAuth flows without completing the code callback step, and send that URL to the victim to intentionally log the vicitm into the attacker's account. If the attacker has prepared an XSS payload there, they will now be allowed to view it, so it triggers.