From 0d020bc3f87e0ca5abed7d2a6df8c0380cd67fbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=BF=94?= <xiangzhang1024@gmail.com>
Date: Tue, 24 Mar 2026 10:43:14 +0800
Subject: [PATCH] feat: implement input sanitization

---
 src/lib/security/sanitizer.test.ts |  39 +++++++++++
 src/lib/security/sanitizer.ts      | 105 +++++++++++++++++++++++++++++
 2 files changed, 144 insertions(+)
 create mode 100644 src/lib/security/sanitizer.test.ts
 create mode 100644 src/lib/security/sanitizer.ts

diff --git a/src/lib/security/sanitizer.test.ts b/src/lib/security/sanitizer.test.ts
new file mode 100644
index 0000000..7a42f4b
--- /dev/null
+++ b/src/lib/security/sanitizer.test.ts
@@ -0,0 +1,39 @@
+import { sanitizeInput, sanitizeFormData, detectMaliciousContent } from './sanitizer';
+
+describe('Input Sanitization', () => {
+  test('should remove XSS attempts', () => {
+    const malicious = '<script>alert("xss")</script>Hello';
+    const sanitized = sanitizeInput(malicious);
+    expect(sanitized).not.toContain('<script>');
+    expect(sanitized).toContain('Hello');
+  });
+
+  test('should remove SQL injection attempts', () => {
+    const malicious = "'; DROP TABLE users; --";
+    const sanitized = sanitizeInput(malicious);
+    expect(sanitized).not.toContain('DROP TABLE');
+  });
+
+  test('should detect malicious links', () => {
+    const content = 'Visit http://malicious.com for free money';
+    const isMalicious = detectMaliciousContent(content);
+    expect(isMalicious).toBe(true);
+  });
+
+  test('should sanitize form data', () => {
+    const formData = {
+      name: '<script>alert(1)</script>John',
+      email: 'test@example.com',
+      message: 'Click http://evil.com',
+    };
+    const sanitized = sanitizeFormData(formData);
+    expect(sanitized.name).not.toContain('<script>');
+    expect(sanitized.email).toBe('test@example.com');
+  });
+
+  test('should preserve legitimate content', () => {
+    const legitimate = 'Hello, I need help with my order #12345';
+    const sanitized = sanitizeInput(legitimate);
+    expect(sanitized).toBe(legitimate);
+  });
+});
diff --git a/src/lib/security/sanitizer.ts b/src/lib/security/sanitizer.ts
new file mode 100644
index 0000000..3a253d8
--- /dev/null
+++ b/src/lib/security/sanitizer.ts
@@ -0,0 +1,105 @@
+export interface SanitizedFormData {
+  name: string;
+  email: string;
+  phone?: string;
+  subject: string;
+  message: string;
+}
+
+const XSS_PATTERNS = [
+  /<script[^>]*>.*?<\/script>/gi,
+  /<iframe[^>]*>.*?<\/iframe>/gi,
+  /javascript:/gi,
+  /on\w+\s*=/gi,
+  /<[^>]*>/g,
+];
+
+const SQL_INJECTION_PATTERNS = [
+  /';\s*drop\s+table/gi,
+  /union\s+select/gi,
+  /delete\s+from/gi,
+  /insert\s+into/gi,
+  /exec\s*\(/gi,
+];
+
+const MALICIOUS_URL_PATTERNS = [
+  /\.ru\b/gi,
+  /\.tk\b/gi,
+  /\.ml\b/gi,
+  /\.ga\b/gi,
+  /bit\.ly/gi,
+];
+
+export function sanitizeInput(input: string): string {
+  if (!input || typeof input !== 'string') {
+    return '';
+  }
+
+  let sanitized = input.trim();
+
+  XSS_PATTERNS.forEach(pattern => {
+    sanitized = sanitized.replace(pattern, '');
+  });
+
+  SQL_INJECTION_PATTERNS.forEach(pattern => {
+    sanitized = sanitized.replace(pattern, '');
+  });
+
+  return sanitized;
+}
+
+export function sanitizeFormData(formData: any): SanitizedFormData {
+  return {
+    name: sanitizeInput(formData.name || ''),
+    email: formData.email || '',
+    phone: formData.phone ? sanitizeInput(formData.phone) : undefined,
+    subject: sanitizeInput(formData.subject || ''),
+    message: sanitizeInput(formData.message || ''),
+  };
+}
+
+export function detectMaliciousContent(content: string): boolean {
+  if (!content || typeof content !== 'string') {
+    return false;
+  }
+
+  const lowerContent = content.toLowerCase();
+
+  const suspiciousKeywords = [
+    'free money',
+    'bitcoin',
+    'cryptocurrency',
+    'lottery',
+    'winner',
+    'prize',
+    'inheritance',
+    'nigerian prince',
+    'urgent',
+    'act now',
+    'limited time',
+  ];
+
+  for (const keyword of suspiciousKeywords) {
+    if (lowerContent.includes(keyword)) {
+      return true;
+    }
+  }
+
+  for (const pattern of MALICIOUS_URL_PATTERNS) {
+    if (pattern.test(content)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+export function validateEmail(email: string): boolean {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  return emailRegex.test(email);
+}
+
+export function validatePhone(phone: string): boolean {
+  const phoneRegex = /^1[3-9]\d{9}$/;
+  return phoneRegex.test(phone);
+}