feat: implement input sanitization

src/lib/security/sanitizer.test.ts

@@ -0,0 +1,39 @@
+import { sanitizeInput, sanitizeFormData, detectMaliciousContent } from './sanitizer';
+
+describe('Input Sanitization', () => {
+  test('should remove XSS attempts', () => {
+    const malicious = '<script>alert("xss")</script>Hello';
+    const sanitized = sanitizeInput(malicious);
+    expect(sanitized).not.toContain('<script>');
+    expect(sanitized).toContain('Hello');
+  });
+
+  test('should remove SQL injection attempts', () => {
+    const malicious = "'; DROP TABLE users; --";
+    const sanitized = sanitizeInput(malicious);
+    expect(sanitized).not.toContain('DROP TABLE');
+  });
+
+  test('should detect malicious links', () => {
+    const content = 'Visit http://malicious.com for free money';
+    const isMalicious = detectMaliciousContent(content);
+    expect(isMalicious).toBe(true);
+  });
+
+  test('should sanitize form data', () => {
+    const formData = {
+      name: '<script>alert(1)</script>John',
+      email: 'test@example.com',
+      message: 'Click http://evil.com',
+    };
+    const sanitized = sanitizeFormData(formData);
+    expect(sanitized.name).not.toContain('<script>');
+    expect(sanitized.email).toBe('test@example.com');
+  });
+
+  test('should preserve legitimate content', () => {
+    const legitimate = 'Hello, I need help with my order #12345';
+    const sanitized = sanitizeInput(legitimate);
+    expect(sanitized).toBe(legitimate);
+  });
+});

src/lib/security/sanitizer.ts

@@ -0,0 +1,105 @@
+export interface SanitizedFormData {
+  name: string;
+  email: string;
+  phone?: string;
+  subject: string;
+  message: string;
+}
+
+const XSS_PATTERNS = [
+  /<script[^>]*>.*?<\/script>/gi,
+  /<iframe[^>]*>.*?<\/iframe>/gi,
+  /javascript:/gi,
+  /on\w+\s*=/gi,
+  /<[^>]*>/g,
+];
+
+const SQL_INJECTION_PATTERNS = [
+  /';\s*drop\s+table/gi,
+  /union\s+select/gi,
+  /delete\s+from/gi,
+  /insert\s+into/gi,
+  /exec\s*\(/gi,
+];
+
+const MALICIOUS_URL_PATTERNS = [
+  /\.ru\b/gi,
+  /\.tk\b/gi,
+  /\.ml\b/gi,
+  /\.ga\b/gi,
+  /bit\.ly/gi,
+];
+
+export function sanitizeInput(input: string): string {
+  if (!input || typeof input !== 'string') {
+    return '';
+  }
+
+  let sanitized = input.trim();
+
+  XSS_PATTERNS.forEach(pattern => {
+    sanitized = sanitized.replace(pattern, '');
+  });
+
+  SQL_INJECTION_PATTERNS.forEach(pattern => {
+    sanitized = sanitized.replace(pattern, '');
+  });
+
+  return sanitized;
+}
+
+export function sanitizeFormData(formData: any): SanitizedFormData {
+  return {
+    name: sanitizeInput(formData.name || ''),
+    email: formData.email || '',
+    phone: formData.phone ? sanitizeInput(formData.phone) : undefined,
+    subject: sanitizeInput(formData.subject || ''),
+    message: sanitizeInput(formData.message || ''),
+  };
+}
+
+export function detectMaliciousContent(content: string): boolean {
+  if (!content || typeof content !== 'string') {
+    return false;
+  }
+
+  const lowerContent = content.toLowerCase();
+
+  const suspiciousKeywords = [
+    'free money',
+    'bitcoin',
+    'cryptocurrency',
+    'lottery',
+    'winner',
+    'prize',
+    'inheritance',
+    'nigerian prince',
+    'urgent',
+    'act now',
+    'limited time',
+  ];
+
+  for (const keyword of suspiciousKeywords) {
+    if (lowerContent.includes(keyword)) {
+      return true;
+    }
+  }
+
+  for (const pattern of MALICIOUS_URL_PATTERNS) {
+    if (pattern.test(content)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+export function validateEmail(email: string): boolean {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  return emailRegex.test(email);
+}
+
+export function validatePhone(phone: string): boolean {
+  const phoneRegex = /^1[3-9]\d{9}$/;
+  return phoneRegex.test(phone);
+}