feat: sanitise form fields (#1623)

* sanitise form fields

* rm package lock

* replace lockfile

* lint

* run tests

* tweaks

* fix test

* fix video test

Author: annarhughes

.github/workflows/cypress-release-test.yml

@@ -2,7 +2,7 @@ name: Cypress release tests
 
 on:
   push:
-    branches: [develop, dependabot/**, '*test*']
+    branches: [develop, dependabot/**, '*test*', 'sanitize-form-fields']
 
 jobs:
   # vercel will redeploy the develop/staging app on creating a PR to main

components/common/SanitizedTextField.tsx

@@ -0,0 +1,112 @@
+'use client';
+
+import { Box, TextField, TextFieldProps, Typography } from '@mui/material';
+import DOMPurify from 'dompurify';
+import { useTranslations } from 'next-intl';
+import { useMemo } from 'react';
+
+// Field validation rules based on backend DTOs
+const FIELD_VALIDATION_RULES = {
+  name: { maxLength: 50 },
+  email: { maxLength: 255 },
+  password: { maxLength: 128 },
+  partnerAccessCode: { maxLength: 6 },
+  mfaVerificationCode: { maxLength: 6 },
+  accessCode: { maxLength: 6 },
+  partnerId: { maxLength: 36 },
+  signUpLanguage: { maxLength: 10 },
+  feedbackDescription: { maxLength: 5000 },
+  hopes: { maxLength: 5000 },
+  raceEthnNatn: { maxLength: 500 },
+  resourceId: { maxLength: 36 },
+  sessionId: { maxLength: 36 },
+  default: { maxLength: 500 },
+} as const;
+
+interface SanitizedTextFieldProps extends Omit<
+  TextFieldProps,
+  'onChange' | 'inputProps' | 'value' | 'defaultValue'
+> {
+  onChange?: (value: string) => void;
+  allowedTags?: string[];
+  allowedAttributes?: string[];
+  maxLength?: number;
+  showCharacterCount?: boolean;
+  inputProps?: TextFieldProps['inputProps'];
+  value?: string | null;
+  defaultValue?: string | null;
+}
+
+const SanitizedTextField = ({
+  onChange,
+  allowedTags = [],
+  allowedAttributes = [],
+  maxLength,
+  showCharacterCount = false,
+  id,
+  value,
+  defaultValue,
+  inputProps,
+  ...restProps
+}: SanitizedTextFieldProps) => {
+  const t = useTranslations('Shared');
+  const fieldMaxLength = useMemo(() => {
+    if (maxLength) return maxLength;
+    if (id && id in FIELD_VALIDATION_RULES) {
+      return FIELD_VALIDATION_RULES[id as keyof typeof FIELD_VALIDATION_RULES].maxLength;
+    }
+    return FIELD_VALIDATION_RULES.default.maxLength;
+  }, [maxLength, id]);
+
+  const purifyConfig = useMemo(
+    () => ({
+      ALLOWED_TAGS: allowedTags,
+      ALLOWED_ATTR: allowedAttributes,
+      KEEP_CONTENT: false,
+    }),
+    [allowedTags, allowedAttributes],
+  );
+
+  const handleChange = (e: React.ChangeEvent<HTMLInputElement | HTMLTextAreaElement>) => {
+    const inputValue =
+      e.target.value.length > fieldMaxLength
+        ? e.target.value.substring(0, fieldMaxLength)
+        : e.target.value;
+
+    const sanitized = DOMPurify.sanitize(inputValue, purifyConfig);
+    onChange?.(sanitized);
+  };
+
+  const effectiveValue = value ?? defaultValue ?? '';
+  const currentLength = effectiveValue.toString().length;
+  const shouldShowCounter =
+    showCharacterCount || (restProps.multiline && currentLength > fieldMaxLength * 0.8);
+
+  const textFieldProps = {
+    ...restProps,
+    id,
+    onChange: handleChange,
+    inputProps: { maxLength: fieldMaxLength, ...inputProps },
+    ...(value !== undefined ? { value } : { defaultValue }),
+  };
+
+  const characterCountStyle = {
+    display: 'block',
+    textAlign: 'right',
+    mt: -2.475,
+    ...(currentLength > fieldMaxLength && { color: 'error.main' }),
+  };
+
+  return (
+    <Box mb={0}>
+      <TextField {...textFieldProps} />
+      {shouldShowCounter && (
+        <Typography variant="caption" sx={characterCountStyle}>
+          {t('characterCount', { current: currentLength, max: fieldMaxLength })}
+        </Typography>
+      )}
+    </Box>
+  );
+};
+
+export default SanitizedTextField;

components/forms/AboutYouDemographicForm.tsx

@@ -1,5 +1,6 @@
 'use client';
 
+import SanitizedTextField from '@/components/common/SanitizedTextField';
 import { usePathname, useRouter } from '@/i18n/routing';
 import countries from '@/lib/constants/countries';
 import { LANGUAGES } from '@/lib/constants/enums';
@@ -26,7 +27,6 @@ import {
   FormLabel,
   Radio,
   RadioGroup,
-  TextField,
   Typography,
 } from '@mui/material';
 import { useRollbar } from '@rollbar/react';
@@ -207,7 +207,7 @@ const AboutYouDemographicForm = () => {
             }
             fullWidth
             renderInput={(params) => (
-              <TextField
+              <SanitizedTextField
                 {...params}
                 InputLabelProps={{ shrink: true }}
                 sx={staticFieldLabelStyle}
@@ -330,7 +330,7 @@ const AboutYouDemographicForm = () => {
               label={t('neurodivergentLabels.4')}
             />
           </Box>
-          <FormHelperText sx={{ m: 0, mt: '0 !important' }}>
+          <FormHelperText sx={{ m: 0, mt: '0.5rem !important' }}>
             {t('neurodivergentHelpText')}
           </FormHelperText>
         </FormControl>
@@ -339,9 +339,9 @@ const AboutYouDemographicForm = () => {
           <FormLabel component="legend" sx={{ mb: 2 }}>
             {t.rich('raceEthnNatnLabel')}
           </FormLabel>
-          <TextField
+          <SanitizedTextField
             id="raceEthnNatn"
-            onChange={(e) => setRaceEthnNatn(e.target.value)}
+            onChange={setRaceEthnNatn}
             value={raceEthnNatn}
             variant="standard"
             fullWidth
@@ -374,7 +374,7 @@ const AboutYouDemographicForm = () => {
             }}
             popupIcon={<KeyboardArrowDown />}
             renderInput={(params) => (
-              <TextField
+              <SanitizedTextField
                 {...params}
                 required
                 variant="standard"

components/forms/AboutYouSetAForm.tsx

@@ -1,5 +1,6 @@
 'use client';
 
+import SanitizedTextField from '@/components/common/SanitizedTextField';
 import { usePathname, useRouter } from '@/i18n/routing';
 import { useUpdateUserMutation } from '@/lib/api';
 import { EMAIL_REMINDERS_FREQUENCY } from '@/lib/constants/enums';
@@ -19,7 +20,7 @@ import { ScaleFieldItem } from '@/lib/utils/interfaces';
 import logEvent from '@/lib/utils/logEvent';
 import { rowStyle, scaleTitleStyle, staticFieldLabelStyle } from '@/styles/common';
 import LoadingButton from '@mui/lab/LoadingButton';
-import { Box, FormControl, Slider, TextField, Typography } from '@mui/material';
+import { Box, FormControl, Slider, Typography } from '@mui/material';
 import { useRollbar } from '@rollbar/react';
 import axios from 'axios';
 import { useTranslations } from 'next-intl';
@@ -144,10 +145,10 @@ const AboutYouSetAForm = () => {
   return (
     <Box mt={3}>
       <form autoComplete="off" onSubmit={submitHandler}>
-        <TextField
+        <SanitizedTextField
           id="hopes"
           label={t.rich('hopesLabel')}
-          onChange={(e) => setHopesInput(e.target.value)}
+          onChange={setHopesInput}
           value={hopesInput}
           variant="standard"
           fullWidth

components/forms/ApplyCodeForm.tsx

@@ -1,5 +1,6 @@
 'use client';
 
+import SanitizedTextField from '@/components/common/SanitizedTextField';
 import { useAssignPartnerAccessMutation } from '@/lib/api';
 import { FEEDBACK_FORM_URL } from '@/lib/constants/common';
 import { PARTNER_ACCESS_CODE_STATUS } from '@/lib/constants/enums';
@@ -11,7 +12,7 @@ import {
 } from '@/lib/constants/events';
 import { PartnerAccess } from '@/lib/store/partnerAccessSlice';
 import LoadingButton from '@mui/lab/LoadingButton';
-import { Box, Link, List, ListItem, TextField, Typography } from '@mui/material';
+import { Box, Link, List, ListItem, Typography } from '@mui/material';
 import { useTranslations } from 'next-intl';
 import { useState } from 'react';
 
@@ -135,9 +136,9 @@ const ApplyCodeForm = () => {
       <Typography mb={2}>{t('formIntroduction')}</Typography>
 
       <form autoComplete="off" onSubmit={submitHandler}>
-        <TextField
+        <SanitizedTextField
           id="accessCode"
-          onChange={(e) => setCodeInput(e.target.value)}
+          onChange={setCodeInput}
           label={t.rich('form.codeLabel')}
           variant="standard"
           fullWidth

components/forms/BaseRegisterForm.tsx

@@ -116,7 +116,7 @@ export const useRegisterFormLogic = (redirectPath: string = defaultSignupRedirec
       } else if (errorMessage === CREATE_USER_INVALID_EMAIL) {
         setFormError(t('firebase.invalidEmail'));
       } else {
-        logEvent(REGISTER_ERROR, { message: errorMessage });
+        logEvent(REGISTER_ERROR, { message: String(errorMessage) });
         rollbar.error('User register create user error', error);
         setFormError(
           t.rich('createUserError', {

components/forms/CreatePartnerAdminForm.tsx

@@ -1,5 +1,6 @@
 'use client';
 
+import SanitizedTextField from '@/components/common/SanitizedTextField';
 import { useAddPartnerAdminMutation, useGetPartnersQuery } from '@/lib/api';
 import {
   CREATE_PARTNER_ADMIN_ERROR,
@@ -10,7 +11,7 @@ import { useTypedSelector } from '@/lib/hooks/store';
 import { getErrorMessage } from '@/lib/utils/errorMessage';
 import logEvent from '@/lib/utils/logEvent';
 import LoadingButton from '@mui/lab/LoadingButton';
-import { Box, Button, MenuItem, TextField, Typography } from '@mui/material';
+import { Box, Button, MenuItem, Typography } from '@mui/material';
 import { useRollbar } from '@rollbar/react';
 import { useTranslations } from 'next-intl';
 import * as React from 'react';
@@ -102,14 +103,14 @@ const CreatePartnerAdminForm = () => {
 
   return (
     <form autoComplete="off" onSubmit={submitHandler}>
-      <TextField
+      <SanitizedTextField
         id="selectPartner"
         name="selectPartner"
         key="select-partner"
         fullWidth
         select
         label={t('partnerNameLabel')}
-        onChange={(e) => setSelectedPartner(e.target.value)}
+        onChange={setSelectedPartner}
         variant="standard"
         required
         value={selectedPartner}
@@ -119,25 +120,25 @@ const CreatePartnerAdminForm = () => {
             {option.name}
           </MenuItem>
         ))}
-      </TextField>
+      </SanitizedTextField>
 
-      <TextField
+      <SanitizedTextField
         id="email"
         name="email"
         key="email-input"
-        onChange={(e) => setEmail(e.target.value)}
+        onChange={setEmail}
         label={t('emailAddressLabel')}
         variant="standard"
         type="email"
         fullWidth
         required
         value={email}
       />
-      <TextField
+      <SanitizedTextField
         id="name"
         name="name"
         key="name-input"
-        onChange={(e) => setName(e.target.value)}
+        onChange={setName}
         label={t('nameLabel')}
         variant="standard"
         type="text"

components/forms/EmailSettingsForm.tsx

@@ -25,13 +25,14 @@ const EmailSettingsForm = () => {
   const contactPermission = useTypedSelector((state) => state.user.contactPermission);
   const serviceEmailsPermission = useTypedSelector((state) => state.user.serviceEmailsPermission);
 
+  const [contactPermissionValue, setContactPermissionValue] = useState(contactPermission);
+  const [serviceEmailsPermissionValue, setServiceEmailsPermissionValue] =
+    useState(serviceEmailsPermission);
+
   const onSubmit = useCallback(
     async (ev: React.FormEvent<HTMLFormElement>) => {
-      const formData = new FormData(ev.currentTarget);
       ev.preventDefault();
 
-      const contactPermissionValue = formData.get('contactPermission') === 'on';
-      const serviceEmailsPermissionValue = formData.get('serviceEmailsPermission') === 'on';
       const payload = {
         contactPermission: contactPermissionValue,
         serviceEmailsPermission: serviceEmailsPermissionValue,
@@ -53,7 +54,7 @@ const EmailSettingsForm = () => {
         );
       }
     },
-    [updateUser, t],
+    [updateUser, t, contactPermissionValue, serviceEmailsPermissionValue],
   );
 
   return (
@@ -63,23 +64,27 @@ const EmailSettingsForm = () => {
           label={t('serviceEmailsPermissionLabel')}
           control={
             <Checkbox
-              name="serviceEmailsPermission"
+              checked={serviceEmailsPermissionValue}
+              onChange={(e) => {
+                setServiceEmailsPermissionValue(e.target.checked);
+                setIsSuccess(false);
+              }}
               aria-label={t('serviceEmailsPermissionLabel')}
-              defaultChecked={serviceEmailsPermission}
             />
           }
-          onInput={() => setIsSuccess(false)}
         />
         <FormControlLabel
           label={t('contactPermissionLabel')}
           control={
             <Checkbox
-              name="contactPermission"
+              checked={contactPermissionValue}
+              onChange={(e) => {
+                setContactPermissionValue(e.target.checked);
+                setIsSuccess(false);
+              }}
               aria-label={t('contactPermissionLabel')}
-              defaultChecked={contactPermission}
             />
           }
-          onInput={() => setIsSuccess(false)}
         />
         {error && <Typography color="error.main">{error}</Typography>}
       </FormControl>