

@prosdev prosdev commented Dec 26, 2025

Summary

Adds a lightweight HTML sanitizer to prevent XSS attacks in banner content (title and message fields).

Changes

  • Add HTML sanitizer utility (packages/plugins/src/utils/sanitize.ts)

    • Whitelist-based approach allowing safe tags: strong, em, a, br, span, b, i, p
    • Blocks dangerous tags: script, iframe, object, embed, form, img, style, link, meta, video, audio, svg
    • Strips event handlers (onclick, onerror, etc.)
    • Sanitizes URLs (blocks javascript:, data:, and other dangerous protocols)
    • Handles URL-encoded attacks
  • Integrate sanitizer into banner plugin

    • Sanitizes title and message fields before rendering
    • Uses innerHTML with sanitized content instead of textContent
  • Add comprehensive tests

    • 52 sanitizer unit tests covering XSS attack vectors
    • 5 banner plugin integration tests for HTML sanitization
    • All 200 tests passing

Security

Prevents common XSS attack vectors:

  • Script tag injection
  • Event handler injection
  • javascript: URL attacks
  • data: URL attacks
  • URL-encoded attacks
  • Dangerous tag injection (iframe, object, embed, etc.)

Testing

  • All existing tests pass
  • New sanitizer tests (52 tests)
  • Banner integration tests (5 tests)
  • Type checking passes
  • Linting passes

Related

Part of the banner content types fix branch.

- Fix BannerContent type to include buttons array, position, className, style
- Make core import content types from plugins (single source of truth)
- Update banner plugin to use .xp-* CSS classes instead of inline styles
- Add className and style props for banner and buttons
- Provide minimal, functional default styles with dark mode support
- Add comprehensive tests for className and style customization
- Update tests to check CSS classes instead of inline styles
- Add customization documentation with three use cases (Tailwind, Design System, CSS Framework)
- Add CSS customization section to plugins README
- Update banner examples page with className and style props
- Add customization examples for Tailwind and inline styles
- Remove emoji from banner example
- Link to full customization documentation
- Add lightweight HTML sanitizer utility with whitelist-based approach
- Sanitize title and message fields in banner plugin
- Support safe HTML tags (strong, em, a, br, span, b, i, p)
- Block dangerous tags (script, iframe, object, embed, etc.)
- Block event handlers and javascript:/data: URLs
- Add comprehensive XSS prevention tests (52 tests)
- Add banner plugin integration tests for HTML sanitization

Prevents XSS attacks while allowing safe HTML formatting in banner content.
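The whitelist sanitizer the description outlines, written out as an added TypeScript example (not the project's sanitize.ts): the allowed-tag list follows the description, while the attribute allowlist, the URL normalisation step and the function names are assumptions made for this illustration.

```typescript
// Added example of a whitelist-based HTML sanitizer in the spirit of the one this
// PR describes. Not the project's sanitize.ts: names and details are assumptions.
const ALLOWED_TAGS = new Set(["strong", "em", "a", "br", "span", "b", "i", "p"]);
const ALLOWED_ATTRS: Record<string, Set<string>> = {
  a: new Set(["href", "title"]),   // assumed: links may carry a checked href
  span: new Set(["class"]),        // assumed: spans may carry a CSS class
};
const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
function escapeAttr(value: string): string {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}
// Undo URL-encoding and numeric HTML entities, then strip control characters and
// whitespace, so "%6Aavascript:" or "java&#115;cript:" is compared as "javascript:".
export function normalizeUrl(raw: string): string {
  let url = raw;
  try { url = decodeURIComponent(url); } catch { /* malformed escape: keep as-is */ }
  url = url
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
  return url.replace(/[\u0000-\u0020]/g, "").toLowerCase();
}

// Allow http(s), mailto and scheme-less (relative) URLs; javascript:, data: and any other scheme fail.
export function isSafeUrl(raw: string): boolean {
  const url = normalizeUrl(raw);
  return /^(https?|mailto):/.test(url) || !/^[a-z][a-z0-9+.-]*:/.test(url);
}

function sanitizeTag(closing: string, name: string, rawAttrs: string): string {
  const tag = name.toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return "";   // script, iframe, img, ...: tag dropped, inner text stays inert
  if (closing) return `</${tag}>`;
  const allowed = ALLOWED_ATTRS[tag] ?? new Set<string>();
  const kept: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = ATTR_RE.exec(rawAttrs)) !== null) {
    const attr = (m[1] ?? "").toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (attr.startsWith("on") || !allowed.has(attr)) continue; // on* handlers and unknown attrs
    if (attr === "href" && !isSafeUrl(value)) continue;        // javascript:/data: links
    kept.push(`${attr}="${escapeAttr(value)}"`);
  }
  return `<${tag}${kept.length ? " " + kept.join(" ") : ""}>`;
}
// Rewrites every tag; text outside tags is passed through unchanged.
export function sanitizeHtml(input: string): string {
  return input.replace(TAG_RE, (_, closing, name, attrs) => sanitizeTag(closing, name, attrs));
}
```

This regex sketch treats a `>` inside a quoted attribute value as the end of the tag; for untrusted input a DOM-based walk (DOMParser or a maintained sanitizer library) is the more robust choice.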
@prosdev prosdev merged commit e4e2504 into main Dec 26, 2025
1 check passed