Recent update has broken SET and creating puppeteer scripts

Since the last update or two, my flows that use SET to create puppeteer scripts are now showing this error:

Any ideas whats caused this?

Stack
Error: Expression is not valid: window is not allowed [Error in parameter: "values.string"]
    at Expression.resolveSimpleParameterValue (/usr/local/lib/node_modules/n8n/node_modules/n8n-workflow/dist/src/Expression.js:92:19)
    at resolveParameterValue (/usr/local/lib/node_modules/n8n/node_modules/n8n-workflow/dist/src/Expression.js:132:25)
    at Expression.getParameterValue (/usr/local/lib/node_modules/n8n/node_modules/n8n-workflow/dist/src/Expression.js:152:31)
    at resolveParameterValue (/usr/local/lib/node_modules/n8n/node_modules/n8n-workflow/dist/src/Expression.js:130:29)
    at Expression.getParameterValue (/usr/local/lib/node_modules/n8n/node_modules/n8n-workflow/dist/src/Expression.js:140:33)
    at getNodeParameter (/usr/local/lib/node_modules/n8n/node_modules/n8n-core/dist/src/NodeExecuteFunctions.js:904:42)
    at Object.getNodeParameter (/usr/local/lib/node_modules/n8n/node_modules/n8n-core/dist/src/NodeExecuteFunctions.js:1124:24)
    at Object.execute (/usr/local/lib/node_modules/n8n/node_modules/n8n-nodes-base/dist/nodes/Set/Set.node.js:159:18)
    at Workflow.runNode (/usr/local/lib/node_modules/n8n/node_modules/n8n-workflow/dist/src/Workflow.js:592:51)
    at /usr/local/lib/node_modules/n8n/node_modules/n8n-core/dist/src/WorkflowExecute.js:455:64

image

I’ve always been able to use a previous value that has an existing expression in it, its how 90% of my flows work by using dynamic data for the previous and next nodes, is this a bug or no longer supported?

Sounds like the XSS protection recently merged. Specifically the window object - N8N-2962 prevent expressions XSS by alexgrozav · Pull Request #3366 · n8n-io/n8n · GitHub

1 Like

well if that is the case, it might need to be reviewed as its broken a what i feel is a core feature of n8n

Is that the only expression in that node? Because that’s completely normal usage and I don’t even see an attempt to access a window object there…

Other than of course the field looks to be a JS script but I don’t imagine the expression protection would be looking at text outside the curlies :man_shrugging:

All good, looks like it’s under control N8N-2962 prevent expressions XSS by alexgrozav · Pull Request #3366 · n8n-io/n8n · GitHub

It is the only expression and yeah it’s a JS puppeteer script

Hah, just looked at the regex, it will match anything with .window. which might occur quite often.

yeah its a pain :frowning:

It’s broken 50% of my flows

Got released with [email protected]

1 Like