# XSS Protection Usage Examples ## Basic Usage ### Sanitizing Text Content ```typescript import { sanitizeText } from "@/lib/sanitize"; // In a component function MyComponent({ cmsData }) { return (

{sanitizeText(cmsData.title)}

{sanitizeText(cmsData.description)}

); } ``` ### Sanitizing URLs ```typescript import { sanitizeUrl } from "@/lib/sanitize"; import Link from "next/link"; import Image from "next/image"; function MyComponent({ cmsData }) { return (
{/* For links */} Click here {/* For images */} {sanitizeText(cmsData.imageAlt)}
); } ``` ### Sanitizing HTML Content ```typescript import { sanitizeHtml } from "@/lib/sanitize"; function MyComponent({ cmsData }) { return (
{/* With default allowed tags (b, i, em, strong, a, br, p) */}
{/* With custom allowed tags */}
); } ``` ## Real-World Examples ### Example 1: Dynamic Marketing Page ```typescript import { sanitizeText, sanitizeUrl } from "@/lib/sanitize"; export default function MarketingPage({ cmsData }) { return (

{sanitizeText(cmsData.hero.title)}

{sanitizeText(cmsData.hero.description)}

{sanitizeText(cmsData.hero.buttonText)}
{cmsData.features.map((feature) => (
{sanitizeText(feature.title)}

{sanitizeText(feature.title)}

{sanitizeText(feature.description)}

))}
); } ``` ### Example 2: Dynamic Form Fields ```typescript import { sanitizeText } from "@/lib/sanitize"; import { useForm } from "react-hook-form"; export default function DynamicForm({ contactData }) { const { register, handleSubmit } = useForm(); return (
{contactData.fields.map((field) => (
))}
); } ``` ### Example 3: User-Generated Content ```typescript import { sanitizeHtml } from "@/lib/sanitize"; export default function CommentSection({ comments }) { return (
{comments.map((comment) => (

{sanitizeText(comment.author)}

{/* Allow only basic formatting tags */}
))}
); } ``` ## Common XSS Attack Vectors (All Blocked) ```typescript // These malicious inputs will be sanitized: // 1. Script injection const xss1 = ""; sanitizeText(xss1); // Safe: <script>alert('XSS')</script> // 2. Event handler injection const xss2 = ""; sanitizeText(xss2); // Safe: <img src=x onerror=alert('XSS')> // 3. JavaScript URL const xss3 = "javascript:alert('XSS')"; sanitizeUrl(xss3); // Returns: "" // 4. Data URL with script const xss4 = "data:text/html,"; sanitizeUrl(xss4); // Returns: "" // 5. Iframe injection const xss5 = ""; sanitizeText(xss5); // Safe: <iframe src='javascript:alert(1)'></iframe> ``` ## Best Practices 1. **Always sanitize external data** before rendering 2. **Use the appropriate function** for the content type 3. **Provide fallback values** for URLs and optional content 4. **Never trust user input** or external API data 5. **Keep dependencies updated** to get latest security patches ## When NOT to Sanitize - Static content defined in your codebase - Environment variables (but validate them) - Data from trusted internal APIs (but still validate) - Constants and configuration values ## Testing Your Sanitization ```typescript // Test with malicious input const testData = { title: "Hello", link: "javascript:alert('XSS')", description: "", }; // All should be safe console.log(sanitizeText(testData.title)); // No script execution console.log(sanitizeUrl(testData.link)); // Empty string console.log(sanitizeText(testData.description)); // No image/script ```