# Security - XSS Protection This document outlines the XSS (Cross-Site Scripting) protection measures implemented in this application. ## Overview All external data from the CMS API is sanitized using DOMPurify before being rendered to prevent XSS attacks. ## Sanitization Functions Located in `lib/sanitize.ts`: ### `sanitizeText()` Strips all HTML tags from text. Use this for plain text content that should never contain HTML. ```typescript import { sanitizeText } from "@/lib/sanitize"; // Example usage

{sanitizeText(cmsData?.title)}

; ``` ### `sanitizeHtml()` Allows specific HTML tags while removing dangerous content. Use this when you need to render formatted text. ```typescript import { sanitizeHtml } from "@/lib/sanitize"; // Example usage with default allowed tags (b, i, em, strong, a, br, p)
// Example with custom allowed tags
``` ### `sanitizeUrl()` Sanitizes URLs to prevent javascript:, data:, and vbscript: URI attacks. ```typescript import { sanitizeUrl } from "@/lib/sanitize"; // Example usage Click here ``` ## Protected Areas The following components have been secured: 1. **Marketing Pages** (`app/marketing/[id]/page.tsx`) - Hero section (title, description, button text, links) - Features section (titles, descriptions, icons) - Challenges section (titles, descriptions, icons) - Advantages section (titles, descriptions, icons) - Footer (email, phone, location, tagline, copyright) 2. **Inquiries Form** (`app/_inquires/form.tsx`, `app/_inquires/page.tsx`) - Form field labels and placeholders - Submit button text - Section titles and descriptions ## Best Practices 1. **Always sanitize external data** - Any data from APIs, databases, or user input should be sanitized 2. **Use the right function** - Use `sanitizeText()` for plain text, `sanitizeUrl()` for URLs, and `sanitizeHtml()` for formatted content 3. **Validate on the server** - While client-side sanitization helps, always validate and sanitize on the server as well 4. **Keep DOMPurify updated** - Regularly update the DOMPurify package to get the latest security fixes ## Server-Side Rendering The sanitization functions work in both client and server environments: - **Server-side**: Uses HTML entity escaping to prevent XSS attacks - **Client-side**: Uses DOMPurify for advanced HTML sanitization This hybrid approach ensures: 1. Fast server-side rendering without heavy dependencies 2. Robust client-side protection with DOMPurify 3. No build issues with Node.js-specific modules ## Dependencies - `dompurify` (^3.3.0) - HTML sanitization library (client-side only) ## Testing XSS Protection To verify XSS protection is working, try injecting malicious content through the CMS: ```javascript // These should be sanitized and rendered harmless: javascript:alert('XSS') ``` All of these should be stripped or neutralized by the sanitization functions.