Add nonce sanitization to prevent XSS attacks

justin808 · claude · justin808 · commit 8e8d3bd18f4c · 2025-11-19T18:59:00.000-10:00
Security improvements: - Sanitize nonce values to prevent attribute injection attacks - Only allow base64-safe characters: alphanumeric, +, /, =, -, _ - Add test to verify malicious nonce values are sanitized - Document the security measure in code comments Even though Rails content_security_policy_nonce() returns safe values, this adds defense-in-depth by sanitizing at the JavaScript layer. All tests passing (101 passed). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/packages/react-on-rails/src/RenderUtils.ts b/packages/react-on-rails/src/RenderUtils.ts
@@ -4,7 +4,10 @@ export function wrapInScriptTags(scriptId: string, scriptBody: string, nonce?: s
     return '';
   }
 
-  const nonceAttr = nonce ? ` nonce="${nonce}"` : '';
+  // Sanitize nonce to prevent attribute injection attacks
+  // CSP nonces should be base64 strings, so only allow alphanumeric, +, /, =, -, and _
+  const sanitizedNonce = nonce?.replace(/[^a-zA-Z0-9+/=_-]/g, '');
+  const nonceAttr = sanitizedNonce ? ` nonce="${sanitizedNonce}"` : '';
 
   return `
 <script id="${scriptId}"${nonceAttr}>
diff --git a/packages/react-on-rails/tests/buildConsoleReplay.test.js b/packages/react-on-rails/tests/buildConsoleReplay.test.js
@@ -107,4 +107,20 @@ console.warn.apply(console, ["other message","{\\"c\\":3,\\"d\\":4}"]);
     expect(actual).toContain('console.log.apply(console, ["message 1"]);');
     expect(actual).toContain('console.error.apply(console, ["message 2"]);');
   });
+
+  it('buildConsoleReplay sanitizes nonce to prevent XSS', () => {
+    console.history = [{ arguments: ['test'], level: 'log' }];
+    // Attempt attribute injection attack
+    const maliciousNonce = 'abc123" onload="alert(1)';
+    const actual = buildConsoleReplay(undefined, 0, maliciousNonce);
+
+    // Should strip dangerous characters (quotes, parens, spaces)
+    // = is kept as it's valid in base64, but the quotes are stripped making it harmless
+    expect(actual).toContain('nonce="abc123onload=alert1"');
+    // Should NOT contain quotes that would close the attribute
+    expect(actual).not.toContain('nonce="abc123"');
+    expect(actual).not.toContain('alert(1)');
+    // Verify the dangerous parts (quotes and parens) are removed
+    expect(actual).not.toMatch(/nonce="[^"]*"[^>]*onload=/);
+  });
 });
