@ashutoshpw
Contributor

Enhanced XSS Protection Middleware

This PR implements a comprehensive security middleware that protects our application against various Cross-Site Scripting (XSS) attack vectors. The solution provides robust input validation and sanitization while preserving legitimate content from WYSIWYG editors.

Key Features

Multi-layered Defense Approach

The middleware implements a multi-layered security approach that:

  • Sanitizes request body, query parameters, and URL parameters
  • Handles nested objects and arrays recursively
  • Prevents circular reference issues
  • Applies specialized cleaning for style attributes
  • Forces all external links to open in new tabs with proper security attributes

DOMPurify Integration

The core sanitization engine leverages DOMPurify, configured with:

  • Whitelisted HTML tags common in WYSIWYG content
  • Restricted dangerous elements (script, iframe, form, etc.)
  • Blocked event handlers (onclick, onload, etc.)
  • Custom hooks for enhanced security

Style Attribute Protection

The middleware includes specialized protection against CSS-based attacks:

  • Removes positioning styles (position:absolute, position:fixed, position:relative)
  • Prevents CSS expressions and JavaScript execution via style attributes
  • Blocks dangerous url() values in CSS
  • Sanitizes HTML/scripts embedded within style attributes

URL Sanitization

Comprehensive URL protection to prevent JavaScript injection:

  • Blocks harmful URI schemes (javascript:, data:, vbscript:, file:)
  • Secures href and src attributes
  • Ensures all anchor links open in new tabs with rel="nofollow noopener noreferrer"

Recursive Object Sanitization

The middleware implements a recursive approach to sanitize complex nested data structures:

  • Processes all object properties including nested objects and arrays
  • Preserves non-string primitives
  • Handles circular references gracefully
  • Applies specialized treatment for style-related properties

CSS Expression Protection

Implemented via the uponSanitizeAttribute hook:

  • Prevents CSS expressions, harmful url() values, and embedded scripts

Enhanced Style Protection

The middleware includes a specialized function to handle CSS-based attacks. This function provides a three-stage cleaning process:

  1. Removes embedded script tags and HTML
  2. Splits by semicolons to isolate individual style declarations
  3. Filters out positioning-related styles

Recursive Object Sanitization

The middleware implements a depth-first traversal of complex objects.

Security Benefits

This implementation addresses multiple XSS attack vectors:

  • Classic XSS Injection: Strips script tags and event handlers
  • DOM-based XSS: Removes JavaScript URLs and sanitizes attributes
  • CSS-based Attacks: Prevents CSS expressions and positioning exploits
  • SVG-based XSS: Sanitizes SVG content and its event handlers
  • HTML5 Vector Attacks: Handles modern attack patterns
  • Encoded/Obfuscated Attacks: Normalizes and sanitizes encoded content
  • URL-based Injection: Blocks data URIs and JavaScript protocols

Comprehensive Testing

The middleware includes an extensive test suite with 41 test cases covering:

  • Basic Functionality: Validates core sanitization capabilities
  • XSS Attack Prevention: Tests against common and advanced XSS patterns
  • Position Style Handling: Ensures proper removal of dangerous styles
  • WYSIWYG Content Support: Preserves legitimate rich content
  • Error Handling: Gracefully manages edge cases
  • Complex Data Structures: Tests with nested objects and arrays
  • Edge Cases: Handles special characters and malformed HTML
  • Advanced Attack Vectors: Tests against sophisticated evasion techniques
  • Performance Edge Cases: Validates behavior with large/complex inputs
  • Link Handling: Ensures secure anchor tag processing

Performance Considerations

  • Optimized DOM Operations: Minimizes unnecessary DOM manipulations
  • Efficient Style Processing: Uses string operations before DOM parsing
  • Circular Reference Detection: Prevents infinite recursion
  • Scoped Configuration: Applies appropriate rules based on context

Conclusion

This middleware provides robust XSS protection while balancing security and functionality. It sanitizes user input across the application while preserving legitimate content from WYSIWYG editors. The implementation handles modern attack vectors and complex nested structures, and preserves the UX by forcing links to open in new tabs with proper security attributes.

The comprehensive test suite ensures the middleware's effectiveness against a wide range of attack patterns while maintaining backward compatibility with existing functionality.
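An added, dependency-free illustration (not the PR's code) of three behaviours the description lists: the three-stage style cleaner, the blocked URI schemes for href/src, and the depth-first object walk with circular-reference protection. Every name below is assumed, and DOMPurify is stood in by an injected string sanitizer (the real middleware would inject DOMPurify.sanitize with its whitelist configuration).

```javascript
// Added example modelled on the PR description; names are assumptions.
const POSITION_RE = /^position\s*:\s*(absolute|fixed|relative)$/i;
const DANGEROUS_CSS_RE =
  /expression\s*\(|url\s*\(\s*['"]?\s*(javascript|data|vbscript|file)\s*:/i;
const BAD_SCHEME_RE = /^\s*(javascript|data|vbscript|file)\s*:/i;

// Three-stage style cleaner: (1) strip embedded HTML/script tags, (2) split
// into declarations on ';', (3) drop positioning and expression()/url() abuse.
function cleanStyle(style) {
  return String(style)
    .replace(/<[^>]*>/g, '')
    .split(';')
    .map((decl) => decl.trim())
    .filter((decl) => decl && !POSITION_RE.test(decl) && !DANGEROUS_CSS_RE.test(decl))
    .join('; ');
}

// href/src check: reject the URI schemes the PR blocks; anything else passes.
function isSafeUrl(url) {
  return !BAD_SCHEME_RE.test(String(url));
}

// Depth-first walk over nested objects/arrays. Non-string primitives pass
// through untouched, style-named keys get cleanStyle, other strings go to the
// injected sanitizer, and a WeakSet cuts cycles (assumption: a second visit of
// the same object becomes null instead of recursing forever).
function sanitizeDeep(value, sanitizeString, seen = new WeakSet()) {
  if (typeof value === 'string') return sanitizeString(value);
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return null;
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeDeep(v, sanitizeString, seen));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    out[key] = /style/i.test(key) && typeof v === 'string'
      ? cleanStyle(v)
      : sanitizeDeep(v, sanitizeString, seen);
  }
  return out;
}

// Express-style middleware factory: sanitizes body, query and route params
// in place before the handler runs (assumed shape of the PR's middleware).
function xssMiddleware(sanitizeString) {
  return (req, res, next) => {
    for (const part of ['body', 'query', 'params']) {
      if (req[part]) req[part] = sanitizeDeep(req[part], sanitizeString);
    }
    next();
  };
}
```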

@ashutoshpw ashutoshpw marked this pull request as ready for review March 6, 2025 14:50
@ashutoshpw ashutoshpw requested a review from Man-Jain March 25, 2025 05:09
@EightRice EightRice self-requested a review March 25, 2025 09:04
@EightRice EightRice merged commit 43f8c5b into main Mar 26, 2025
1 check failed