ragusa-it/ragusaitweb
1
0
Fork 0
Code Issues Pull Requests 6 Actions Packages Projects Releases Wiki Activity

🛡️ Sentinel: [Enhancement] Sanitize backticks in user input #66

Closed
ragusa-it wants to merge 1 commits from sentinel-sanitize-backticks-12450738209153068022 into main
pull from: sentinel-sanitize-backticks-12450738209153068022
merge into: ragusa-it:main
Conversation 1 Commits 1 Files Changed 2 +9 -1
2 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 55ad35ad2a - Show all commits

7
src/utils/security.test.ts
View File

@@ -10,6 +10,7 @@ describe('Security Utils', () => {
expect(sanitizeInput('foo & bar')).toBe('foo & bar'); expect(sanitizeInput('foo & bar')).toBe('foo & bar');
expect(sanitizeInput('"quotes"')).toBe('"quotes"'); expect(sanitizeInput('"quotes"')).toBe('"quotes"');
expect(sanitizeInput("'single quotes'")).toBe(''single quotes''); expect(sanitizeInput("'single quotes'")).toBe(''single quotes'');
expect(sanitizeInput('`backticks`')).toBe('`backticks`');
expect(sanitizeInput('>')).toBe('>'); expect(sanitizeInput('>')).toBe('>');
}); });
@@ -25,6 +26,12 @@ describe('Security Utils', () => {
const expected = '<script>alert("XSS")</script>'; const expected = '<script>alert("XSS")</script>';
expect(sanitizeInput(input)).toBe(expected); expect(sanitizeInput(input)).toBe(expected);
}); });
it('handles mixed content with backticks', () => {
const input = '`alert(1)`';
const expected = '`alert(1)`';
expect(sanitizeInput(input)).toBe(expected);
});
}); });
describe('isValidEmail', () => { describe('isValidEmail', () => {

3
src/utils/security.ts
View File

@@ -14,7 +14,8 @@ export function sanitizeInput(input: string): string {
.replace(/</g, "&lt;") .replace(/</g, "&lt;")
.replace(/>/g, "&gt;") .replace(/>/g, "&gt;")
.replace(/"/g, "&quot;") .replace(/"/g, "&quot;")
.replace(/'/g, "&#039;"); .replace(/'/g, "&#039;")
.replace(/`/g, "&#96;");
} }
// Common disposable email providers and invalid domains // Common disposable email providers and invalid domains