feat(security): Add XSS protection with DOMPurify sanitization
- Add sanitize.ts utility module with sanitizeText(), sanitizeUrl(), and sanitizeHtml() functions - Implement server-side HTML entity escaping and client-side DOMPurify sanitization - Add comprehensive test suite for sanitization functions in lib/__tests__/sanitize.test.ts - Secure marketing pages by sanitizing all CMS data (hero, features, challenges, advantages, footer) - Secure inquiries form by sanitizing field labels, placeholders, and button text - Add SECURITY.md documentation outlining XSS protection measures and best practices - Add USAGE_EXAMPLES.md with detailed examples of sanitization function usage - Add XSS_PROTECTION_SUMMARY.md with implementation overview - Update package.json to include dompurify (^3.3.0) dependency - Protects against common XSS attack vectors including script injection, event handlers, and malicious URLs
This commit is contained in:
@@ -0,0 +1,61 @@
|
||||
import { sanitizeHtml, sanitizeText, sanitizeUrl } from "../sanitize";
|
||||
|
||||
describe("Sanitization Functions", () => {
|
||||
describe("sanitizeText", () => {
|
||||
it("should remove HTML tags", () => {
|
||||
const dirty = "<script>alert('XSS')</script>Hello";
|
||||
const clean = sanitizeText(dirty);
|
||||
expect(clean).not.toContain("<script>");
|
||||
expect(clean).not.toContain("</script>");
|
||||
});
|
||||
|
||||
it("should handle null and undefined", () => {
|
||||
expect(sanitizeText(null)).toBe("");
|
||||
expect(sanitizeText(undefined)).toBe("");
|
||||
});
|
||||
|
||||
it("should escape dangerous characters", () => {
|
||||
const dirty = "<img src=x onerror=alert('XSS')>";
|
||||
const clean = sanitizeText(dirty);
|
||||
expect(clean).not.toContain("<img");
|
||||
});
|
||||
});
|
||||
|
||||
describe("sanitizeUrl", () => {
|
||||
it("should block javascript: URLs", () => {
|
||||
const dirty = "javascript:alert('XSS')";
|
||||
const clean = sanitizeUrl(dirty);
|
||||
expect(clean).toBe("");
|
||||
});
|
||||
|
||||
it("should block data: URLs", () => {
|
||||
const dirty = "data:text/html,<script>alert('XSS')</script>";
|
||||
const clean = sanitizeUrl(dirty);
|
||||
expect(clean).toBe("");
|
||||
});
|
||||
|
||||
it("should allow safe URLs", () => {
|
||||
const safe = "https://example.com";
|
||||
const clean = sanitizeUrl(safe);
|
||||
expect(clean).toBeTruthy();
|
||||
});
|
||||
|
||||
it("should handle null and undefined", () => {
|
||||
expect(sanitizeUrl(null)).toBe("");
|
||||
expect(sanitizeUrl(undefined)).toBe("");
|
||||
});
|
||||
});
|
||||
|
||||
describe("sanitizeHtml", () => {
|
||||
it("should remove script tags", () => {
|
||||
const dirty = "<p>Hello</p><script>alert('XSS')</script>";
|
||||
const clean = sanitizeHtml(dirty);
|
||||
expect(clean).not.toContain("<script>");
|
||||
});
|
||||
|
||||
it("should handle null and undefined", () => {
|
||||
expect(sanitizeHtml(null)).toBe("");
|
||||
expect(sanitizeHtml(undefined)).toBe("");
|
||||
});
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user