novalon/novalon-website
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement input sanitization

Browse Source
This commit is contained in:
张翔
2026-03-24 10:43:14 +08:00
parent c3dee9e2e7
commit 0d020bc3f8
2 changed files with 144 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/lib/security/sanitizer.test.ts
+39
View File
@@ -0,0 +1,39 @@
import { sanitizeInput, sanitizeFormData, detectMaliciousContent } from './sanitizer';
describe('Input Sanitization', () => {
test('should remove XSS attempts', () => {
const malicious = '<script>alert("xss")</script>Hello';
const sanitized = sanitizeInput(malicious);
expect(sanitized).not.toContain('<script>');
expect(sanitized).toContain('Hello');
});
test('should remove SQL injection attempts', () => {
const malicious = "'; DROP TABLE users; --";
const sanitized = sanitizeInput(malicious);
expect(sanitized).not.toContain('DROP TABLE');
});
test('should detect malicious links', () => {
const content = 'Visit http://malicious.com for free money';
const isMalicious = detectMaliciousContent(content);
expect(isMalicious).toBe(true);
});
test('should sanitize form data', () => {
const formData = {
name: '<script>alert(1)</script>John',
email: 'test@example.com',
message: 'Click http://evil.com',
};
const sanitized = sanitizeFormData(formData);
expect(sanitized.name).not.toContain('<script>');
expect(sanitized.email).toBe('test@example.com');
});
test('should preserve legitimate content', () => {
const legitimate = 'Hello, I need help with my order #12345';
const sanitized = sanitizeInput(legitimate);
expect(sanitized).toBe(legitimate);
});
});
src/lib/security/sanitizer.ts
+105
View File
@@ -0,0 +1,105 @@
export interface SanitizedFormData {
name: string;
email: string;
phone?: string;
subject: string;
message: string;
}
const XSS_PATTERNS = [
/<script[^>]*>.*?<\/script>/gi,
/<iframe[^>]*>.*?<\/iframe>/gi,
/javascript:/gi,
/on\w+\s*=/gi,
/<[^>]*>/g,
];
const SQL_INJECTION_PATTERNS = [
/';\s*drop\s+table/gi,
/union\s+select/gi,
/delete\s+from/gi,
/insert\s+into/gi,
/exec\s*\(/gi,
];
const MALICIOUS_URL_PATTERNS = [
/\.ru\b/gi,
/\.tk\b/gi,
/\.ml\b/gi,
/\.ga\b/gi,
/bit\.ly/gi,
];
export function sanitizeInput(input: string): string {
if (!input || typeof input !== 'string') {
return '';
}
let sanitized = input.trim();
XSS_PATTERNS.forEach(pattern => {
sanitized = sanitized.replace(pattern, '');
});
SQL_INJECTION_PATTERNS.forEach(pattern => {
sanitized = sanitized.replace(pattern, '');
});
return sanitized;
}
export function sanitizeFormData(formData: any): SanitizedFormData {
return {
name: sanitizeInput(formData.name || ''),
email: formData.email || '',
phone: formData.phone ? sanitizeInput(formData.phone) : undefined,
subject: sanitizeInput(formData.subject || ''),
message: sanitizeInput(formData.message || ''),
};
}
export function detectMaliciousContent(content: string): boolean {
if (!content || typeof content !== 'string') {
return false;
}
const lowerContent = content.toLowerCase();
const suspiciousKeywords = [
'free money',
'bitcoin',
'cryptocurrency',
'lottery',
'winner',
'prize',
'inheritance',
'nigerian prince',
'urgent',
'act now',
'limited time',
];
for (const keyword of suspiciousKeywords) {
if (lowerContent.includes(keyword)) {
return true;
}
}
for (const pattern of MALICIOUS_URL_PATTERNS) {
if (pattern.test(content)) {
return true;
}
}
return false;
}
export function validateEmail(email: string): boolean {
const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
return emailRegex.test(email);
}
export function validatePhone(phone: string): boolean {
const phoneRegex = /^1[3-9]\d{9}$/;
return phoneRegex.test(phone);
}