Files
tm-landing/XSS_PROTECTION_SUMMARY.md
AmirReza Jamali 3e5e135b47 feat(security): Add XSS protection with DOMPurify sanitization
- Add sanitize.ts utility module with sanitizeText(), sanitizeUrl(), and sanitizeHtml() functions
- Implement server-side HTML entity escaping and client-side DOMPurify sanitization
- Add comprehensive test suite for sanitization functions in lib/__tests__/sanitize.test.ts
- Secure marketing pages by sanitizing all CMS data (hero, features, challenges, advantages, footer)
- Secure inquiries form by sanitizing field labels, placeholders, and button text
- Add SECURITY.md documentation outlining XSS protection measures and best practices
- Add USAGE_EXAMPLES.md with detailed examples of sanitization function usage
- Add XSS_PROTECTION_SUMMARY.md with implementation overview
- Update package.json to include dompurify (^3.3.0) dependency
- Protects against common XSS attack vectors including script injection, event handlers, and malicious URLs
2025-11-30 11:14:42 +03:30

3.1 KiB

XSS Protection Implementation Summary

What Was Done

Successfully implemented comprehensive XSS (Cross-Site Scripting) protection across the application using DOMPurify.

Files Created

  1. lib/sanitize.ts - Core sanitization utilities

    • sanitizeText() - Strips all HTML tags
    • sanitizeHtml() - Allows specific HTML tags
    • sanitizeUrl() - Validates and sanitizes URLs
  2. SECURITY.md - Security documentation

  3. USAGE_EXAMPLES.md - Practical usage examples

  4. lib/__tests__/sanitize.test.ts - Unit tests

Files Modified

  1. app/marketing/[id]/page.tsx

    • Sanitized all CMS data: titles, descriptions, URLs, icons
    • Protected hero section, features, challenges, advantages, footer
  2. app/_inquires/form.tsx

    • Sanitized form field labels and placeholders
    • Sanitized submit button text
  3. app/_inquires/page.tsx

    • Sanitized section titles and descriptions

Protected Data Points

Marketing Page (/marketing/[id])

  • Hero title and description
  • Hero button text and link
  • Feature cards (titles, descriptions, icons)
  • Challenge cards (titles, descriptions, icons)
  • Advantage cards (titles, descriptions, icons)
  • Footer (email, phone, location, tagline, copyright)

Inquiries Form

  • Form field labels
  • Form field placeholders
  • Submit button text
  • Section titles and descriptions

How It Works

Server-Side (SSR)

  • Uses HTML entity escaping
  • Fast and lightweight
  • No external dependencies needed

Client-Side

  • Uses DOMPurify library
  • Advanced HTML sanitization
  • Configurable allowed tags

Security Features

  1. Script Injection Protection

    • Blocks <script> tags
    • Removes event handlers (onclick, onerror, etc.)
  2. URL Injection Protection

    • Blocks javascript: URLs
    • Blocks data: URLs
    • Blocks vbscript: URLs
  3. HTML Injection Protection

    • Escapes dangerous characters
    • Removes malicious attributes
    • Strips unwanted tags

Testing

Build successful:

npm run build
# ✓ Compiled successfully
# ✓ Linting and checking validity of types
# ✓ Collecting page data
# ✓ Generating static pages (7/7)

Dependencies

  • dompurify (^3.3.0) - Already installed

Usage

import { sanitizeText, sanitizeUrl, sanitizeHtml } from "@/lib/sanitize";

// Plain text
<h1>{sanitizeText(cmsData.title)}</h1>

// URLs
<Link href={sanitizeUrl(cmsData.link) || "#"}>Click</Link>

// HTML content
<div dangerouslySetInnerHTML={{ __html: sanitizeHtml(cmsData.content) }} />

Next Steps (Optional)

  1. Add unit tests for sanitization functions
  2. Set up automated security scanning
  3. Implement Content Security Policy (CSP) headers
  4. Add rate limiting for form submissions
  5. Implement CSRF protection for forms

Verification

To verify XSS protection is working, try injecting malicious content through the CMS:

// These will be sanitized:
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
javascript:alert('XSS')

All malicious content will be escaped or removed before rendering.