ragusa-it/ragusaitweb
1
0
Fork 0
Code Issues Pull Requests 6 Actions Packages Projects Releases Wiki Activity

feat(security): enhance input sanitization and expand blocked domains

Browse Source 
- Add backtick escaping to `sanitizeInput` to prevent template literal injection
- Expand `BLOCKED_DOMAINS` with additional disposable email providers
- Add comprehensive tests for new security rules

Sentinel-Ref: 2026-02-14
Security-Priority: Low (Enhancement)

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
This commit is contained in:
google-labs-jules[bot]
2026-02-04 01:52:28 +00:00
parent 2587b9dd29
commit a074560a90
2 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/utils/security.test.ts
View File

@@ -10,6 +10,7 @@ describe('Security Utils', () => {
expect(sanitizeInput('foo & bar')).toBe('foo &amp; bar'); expect(sanitizeInput('foo & bar')).toBe('foo &amp; bar');
expect(sanitizeInput('"quotes"')).toBe('&quot;quotes&quot;'); expect(sanitizeInput('"quotes"')).toBe('&quot;quotes&quot;');
expect(sanitizeInput("'single quotes'")).toBe('&#039;single quotes&#039;'); expect(sanitizeInput("'single quotes'")).toBe('&#039;single quotes&#039;');
expect(sanitizeInput('`backticks`')).toBe('&#96;backticks&#96;');
expect(sanitizeInput('>')).toBe('&gt;'); expect(sanitizeInput('>')).toBe('&gt;');
}); });
@@ -25,6 +26,10 @@ describe('Security Utils', () => {
const expected = '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'; const expected = '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;';
expect(sanitizeInput(input)).toBe(expected); expect(sanitizeInput(input)).toBe(expected);
}); });
it('escapes template literal injection vectors', () => {
expect(sanitizeInput('`${alert(1)}`')).toBe('&#96;${alert(1)}&#96;');
});
}); });
describe('isValidEmail', () => { describe('isValidEmail', () => {
@@ -74,6 +79,9 @@ describe('Security Utils', () => {
expect(isValidEmail('spam@mailinator.com')).toBe(false); expect(isValidEmail('spam@mailinator.com')).toBe(false);
expect(isValidEmail('bot@yopmail.com')).toBe(false); expect(isValidEmail('bot@yopmail.com')).toBe(false);
expect(isValidEmail('temp@temp-mail.org')).toBe(false); expect(isValidEmail('temp@temp-mail.org')).toBe(false);
expect(isValidEmail('spam@sharklasers.com')).toBe(false);
expect(isValidEmail('spam@guerrillamail.net')).toBe(false);
expect(isValidEmail('spam@dispostable.com')).toBe(false);
}); });
it('rejects blocked domains regardless of case', () => { it('rejects blocked domains regardless of case', () => {

9
src/utils/security.ts
View File

@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
.replace(/</g, "&lt;") .replace(/</g, "&lt;")
.replace(/>/g, "&gt;") .replace(/>/g, "&gt;")
.replace(/"/g, "&quot;") .replace(/"/g, "&quot;")
.replace(/'/g, "&#039;"); .replace(/'/g, "&#039;")
.replace(/`/g, "&#96;");
} }
// Common disposable email providers and invalid domains // Common disposable email providers and invalid domains
@@ -27,6 +28,12 @@ const BLOCKED_DOMAINS = new Set([
"guerrillamail.com", "guerrillamail.com",
"10minutemail.com", "10minutemail.com",
"trashmail.com", "trashmail.com",
"sharklasers.com",
"guerrillamail.net",
"guerrillamail.org",
"guerrillamail.biz",
"dispostable.com",
"fake-email.com",
]); ]);
/** /**