/**
* Input Sanitizer Utility
* Sanitizes user input to prevent XSS and injection attacks
*
* @module utils/sanitizer
*/
/**
* Sanitize input string
* @param {string} input - Input string to sanitize
* @returns {string} Sanitized string
*/
function sanitizeInput(input) {
if (typeof input !== 'string') {
return input;
}
// Remove potentially dangerous HTML tags (script, iframe, etc.)
let sanitized = input.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
sanitized = sanitized.replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi, '');
sanitized = sanitized.replace(/<object\b[^<]*(?:(?!<\/object>)<[^<]*)*<\/object>/gi, '');
sanitized = sanitized.replace(/<embed\b[^>]*>/gi, '');
sanitized = sanitized.replace(/on\w+\s*=\s*["'][^"']*["']/gi, ''); // Remove event handlers
// Trim whitespace
sanitized = sanitized.trim();
return sanitized;
}
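/**
 * Sanitize an HTML fragment down to a small allowlist of formatting tags.
 *
 * Disallowed tags are dropped while their text content is kept. Attributes
 * are dropped from every kept tag; the one exception is an `href` on `<a>`
 * whose value uses the http or https scheme, which is re-emitted as a
 * double-quoted attribute. `javascript:` links, `on*` event handlers and
 * `style` attributes are therefore never passed through.
 *
 * Limitation: this is a regex tokenizer, not an HTML parser. A `>` inside an
 * attribute value ends the tag early, and malformed markup may be tokenized
 * differently from how a browser parses it.
 *
 * @param {string} html - HTML content to sanitize
 * @returns {string} Sanitized HTML
 */
function sanitizeHTML(html) {
  if (typeof html !== 'string') {
    return html;
  }

  const allowedTags = new Set(['p', 'br', 'strong', 'em', 'u', 'a', 'ul', 'ol', 'li']);
  // Captures: closing slash, tag name, raw attribute text.
  const tagRegex = /<(\/?)([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const hrefRegex = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const safeScheme = /^https?:\/\//i;

  return html.replace(tagRegex, (match, slash, rawTag, attrs) => {
    const tag = rawTag.toLowerCase();
    if (!allowedTags.has(tag)) {
      return '';
    }
    // Every kept tag is rebuilt without attributes; only an opening <a>
    // may carry a (checked) href.
    if (tag !== 'a' || slash === '/') {
      return `<${slash}${tag}>`;
    }
    const hrefMatch = hrefRegex.exec(attrs);
    const href = hrefMatch ? (hrefMatch[1] || hrefMatch[2] || hrefMatch[3] || '').trim() : '';
    if (!safeScheme.test(href)) {
      return '<a>';
    }
    // A raw `"` can only come from a single-quoted or unquoted value; escape
    // it so it cannot terminate the rebuilt double-quoted attribute.
    const escapedHref = href.replace(/"/g, '&quot;');
    return `<a href="${escapedHref}">`;
  });
}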
/**
 * Normalize an email address for storage or comparison: lowercases it and
 * trims surrounding whitespace. No format validation is performed.
 * Non-string values are returned unchanged.
 * @param {string} email - Email to sanitize
 * @returns {string} Sanitized email
 */
function sanitizeEmail(email) {
  const isString = typeof email === 'string';
  return isString ? email.trim().toLowerCase() : email;
}
/**
 * Reduce a phone number to its ASCII digits and "+" characters, dropping
 * spaces, dashes, parentheses and any other separators. No length or
 * format validation is performed. Non-string values are returned unchanged.
 * @param {string} phone - Phone number to sanitize
 * @returns {string} Sanitized phone
 */
function sanitizePhone(phone) {
  if (typeof phone !== 'string') {
    return phone;
  }
  // Keep only ASCII digits and the "+" international prefix.
  const keepChar = (ch) => /^[\d+]$/.test(ch);
  return [...phone].filter(keepChar).join('');
}
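/**
 * Sanitize a URL for use in links or redirects.
 *
 * Returns the trimmed URL only when it is an absolute http(s) URL that also
 * parses as a WHATWG URL. Other schemes (javascript:, data:, ftp:, ...),
 * relative paths and unparsable strings (e.g. "https://") yield ''.
 * The host is not restricted; callers that redirect to the result need
 * their own host allowlist. Non-string values are returned unchanged.
 *
 * @param {string} url - URL to sanitize
 * @returns {string} Sanitized URL, or '' when rejected
 */
function sanitizeURL(url) {
  if (typeof url !== 'string') {
    return url;
  }
  // Trim first so surrounding whitespace does not cause an otherwise valid
  // URL to fail the scheme check.
  const trimmed = url.trim();
  const httpScheme = /^https?:\/\//i;
  if (!httpScheme.test(trimmed)) {
    return '';
  }
  // The scheme prefix alone is not enough: require the string to parse as a
  // URL so values like "https://" are not passed through.
  try {
    const parsed = new URL(trimmed);
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
      return '';
    }
  } catch (err) {
    // WHATWG URL throws a TypeError for invalid input; anything else is
    // unexpected and should surface.
    if (!(err instanceof TypeError)) {
      throw err;
    }
    return '';
  }
  return trimmed;
}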
// Public API of the sanitizer module (CommonJS).
module.exports = { sanitizeInput, sanitizeHTML, sanitizeEmail, sanitizePhone, sanitizeURL };