# XSS Protection Usage Examples
## Basic Usage
### Sanitizing Text Content
```typescript
import { sanitizeText } from "@/lib/sanitize";
// In a component
function MyComponent({ cmsData }) {
return (
{sanitizeText(cmsData.title)}
{sanitizeText(cmsData.description)}
);
}
```
### Sanitizing URLs
```typescript
import { sanitizeUrl } from "@/lib/sanitize";
import Link from "next/link";
import Image from "next/image";
function MyComponent({ cmsData }) {
return (
{/* For links */}
Click here
{/* For images */}
);
}
```
### Sanitizing HTML Content
```typescript
import { sanitizeHtml } from "@/lib/sanitize";
function MyComponent({ cmsData }) {
return (
{/* With default allowed tags (b, i, em, strong, a, br, p) */}
{/* With custom allowed tags */}
);
}
```
## Real-World Examples
### Example 1: Dynamic Marketing Page
```typescript
import { sanitizeText, sanitizeUrl } from "@/lib/sanitize";
export default function MarketingPage({ cmsData }) {
return (
{sanitizeText(cmsData.hero.title)}
{sanitizeText(cmsData.hero.description)}
{sanitizeText(cmsData.hero.buttonText)}
{cmsData.features.map((feature) => (
{sanitizeText(feature.title)}
{sanitizeText(feature.description)}
))}
);
}
```
### Example 2: Dynamic Form Fields
```typescript
import { sanitizeText } from "@/lib/sanitize";
import { useForm } from "react-hook-form";
export default function DynamicForm({ contactData }) {
const { register, handleSubmit } = useForm();
return (
);
}
```
### Example 3: User-Generated Content
```typescript
import { sanitizeHtml } from "@/lib/sanitize";
export default function CommentSection({ comments }) {
return (
{comments.map((comment) => (
{sanitizeText(comment.author)}
{/* Allow only basic formatting tags */}
))}
);
}
```
## Common XSS Attack Vectors (All Blocked)
```typescript
// These malicious inputs will be sanitized:
// 1. Script injection
const xss1 = "";
sanitizeText(xss1); // Safe: <script>alert('XSS')</script>
// 2. Event handler injection
const xss2 = "
";
sanitizeText(xss2); // Safe: <img src=x onerror=alert('XSS')>
// 3. JavaScript URL
const xss3 = "javascript:alert('XSS')";
sanitizeUrl(xss3); // Returns: ""
// 4. Data URL with script
const xss4 = "data:text/html,";
sanitizeUrl(xss4); // Returns: ""
// 5. Iframe injection
const xss5 = "";
sanitizeText(xss5); // Safe: <iframe src='javascript:alert(1)'></iframe>
```
## Best Practices
1. **Always sanitize external data** before rendering
2. **Use the appropriate function** for the content type
3. **Provide fallback values** for URLs and optional content
4. **Never trust user input** or external API data
5. **Keep dependencies updated** to get latest security patches
## When NOT to Sanitize
- Static content defined in your codebase
- Environment variables (but validate them)
- Data from trusted internal APIs (but still validate)
- Constants and configuration values
## Testing Your Sanitization
```typescript
// Test with malicious input
const testData = {
title: "Hello",
link: "javascript:alert('XSS')",
description: "
",
};
// All should be safe
console.log(sanitizeText(testData.title)); // No script execution
console.log(sanitizeUrl(testData.link)); // Empty string
console.log(sanitizeText(testData.description)); // No image/script
```