refactor: extract reusable sanitizeInput util

expand sanitization matches

Author: wackerow

app/[locale]/enterprise/_components/ContactForm/index.tsx

@@ -9,6 +9,7 @@ import { Spinner } from "@/components/ui/spinner"
 import { Textarea } from "@/components/ui/textarea"
 
 import { cn } from "@/lib/utils/cn"
+import { sanitizeInput } from "@/lib/utils/sanitize"
 
 import { MAX_EMAIL_LENGTH, MAX_MESSAGE_LENGTH } from "../../constants"
 
@@ -79,15 +80,6 @@ const CONSUMER_DOMAINS = [
   "guerrillamail.com",
 ]
 
-const sanitizeInput = (input: string): string =>
-  input
-    .replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "")
-    .replace(/javascript:/gi, "")
-    .replace(/on\w+\s*=/gi, "")
-    .replace(/&lt;script/gi, "")
-    .replace(/&lt;\/script/gi, "")
-    .trim()
-
 const EnterpriseContactForm = ({ strings }: EnterpriseContactFormProps) => {
   const getCharacterCountClasses = (currentLength: number, maxLength: number) =>
     cn(

app/api/enterprise-contact/route.ts

@@ -1,6 +1,8 @@
 import { NextRequest, NextResponse } from "next/server"
 import { SendRawEmailCommand, SESClient } from "@aws-sdk/client-ses"
 
+import { sanitizeInput } from "@/lib/utils/sanitize"
+
 const ENTERPRISE_EMAIL = "[email protected]"
 const SES_FROM_EMAIL = "[email protected]"
 
@@ -13,16 +15,6 @@ const sesClient = new SESClient({
   },
 })
 
-function sanitizeInput(input: string): string {
-  return input
-    .replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "")
-    .replace(/javascript:/gi, "")
-    .replace(/on\w+\s*=/gi, "")
-    .replace(/&lt;script/gi, "")
-    .replace(/&lt;\/script/gi, "")
-    .trim()
-}
-
 function validateEmail(email: string): boolean {
   const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/
   return emailRegex.test(email)

src/lib/utils/sanitize.ts

@@ -0,0 +1,45 @@
+/**
+ * Lightweight sanitizer for user input to prevent XSS attacks
+ * Specifically designed for plain text content
+ *
+ * @param input - The string to sanitize
+ * @returns Sanitized string with dangerous content removed
+ */
+export function sanitizeInput(input: string): string {
+  return (
+    input
+      // Remove script tags (any variation)
+      .replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "")
+      .replace(
+        /&lt;script\b[^<]*(?:(?!&lt;\/script&gt;)[^<]*)*&lt;\/script&gt;/gi,
+        ""
+      )
+
+      // Remove iframe tags
+      .replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi, "")
+      .replace(
+        /&lt;iframe\b[^<]*(?:(?!&lt;\/iframe&gt;)[^<]*)*&lt;\/iframe&gt;/gi,
+        ""
+      )
+
+      // Remove object and embed tags
+      .replace(/<object\b[^<]*(?:(?!<\/object>)<[^<]*)*<\/object>/gi, "")
+      .replace(/<embed\b[^<]*(?:(?!\/>)[^<]*)*\/?>/gi, "")
+
+      // Remove javascript: protocols
+      .replace(/javascript:/gi, "")
+      .replace(/vbscript:/gi, "")
+      .replace(/data:/gi, "")
+
+      // Remove event handlers
+      .replace(/on\w+\s*=/gi, "")
+
+      // Remove any remaining HTML-like tags (aggressive cleanup for plain text)
+      .replace(/<[^>]*>/g, "")
+      .replace(/&lt;[^&]*&gt;/g, "")
+
+      // Clean up whitespace
+      .trim()
+      .replace(/\s+/g, " ")
+  )
+}