
fix: add XSS sanitization and URL validation for chat widget#30

Merged
PAMulligan merged 1 commit into main from 12-xss-sanitization-and-input-validation on Mar 30, 2026

Conversation

@PAMulligan
Contributor

Summary

  • Add sanitize.ts utility with sanitizeUrl(), isUrlSafe(), and message validation functions
  • Update ChatMessage to validate URL schemes before rendering links (blocks javascript:, data:, vbscript:)
  • Update ChatSources to filter out sources with malicious URLs
  • Add comprehensive XSS prevention tests (30 new tests)

Test plan

  • All 135 widget tests pass
  • Verify links with https:// URLs render correctly as clickable links
  • Verify javascript:alert(1) URLs are rendered as plain text, not links
  • Verify malicious source URLs are filtered from the sources sidebar

🤖 Generated with Claude Code

- Add sanitize.ts utility with sanitizeUrl(), isUrlSafe(), and message validation functions
- Update ChatMessage to validate URL schemes before rendering links (blocks javascript:, data:, vbscript:)
- Update ChatSources to filter out sources with malicious URLs
- Add comprehensive XSS prevention tests for sanitization utilities and components

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
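As an added example (not the project's sanitize.ts and not code from this PR), here is one way the behaviour the summary describes can be implemented in TypeScript. It uses an allowlist of URL schemes instead of the blocklist of javascript:, data: and vbscript: named above, because an allowlist also rejects schemes nobody thought to list. The function names follow the PR summary; their bodies, the LinkToken type and the sample sources are assumptions.

```typescript
// Added example (not the project's sanitize.ts): scheme-allowlist URL
// validation for chat-widget links, plus the two call sites the PR describes.
// Only absolute http(s) URLs pass; everything else renders as plain text.
const SAFE_SCHEMES: ReadonlySet<string> = new Set(["http:", "https:"]);

// Returns a normalized href for a safe URL, or null when no link may render.
export function sanitizeUrl(raw: string): string | null {
  // Drop surrounding whitespace and embedded C0 controls (tab, newline) that
  // a lenient parser would skip over before reading the scheme.
  const cleaned = raw.trim().replace(/[\u0000-\u001F\u007F]/g, "");
  let parsed: URL;
  try {
    parsed = new URL(cleaned); // no base: relative or scheme-less input throws
  } catch {
    return null;
  }
  // URL lowercases the scheme, so "JavaScript:" compares as "javascript:".
  return SAFE_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

export function isUrlSafe(raw: string): boolean {
  return sanitizeUrl(raw) !== null;
}

// ChatMessage-style decision: emit an anchor for a safe URL, otherwise keep
// the original text inert (no href at all, not a neutered one).
export type LinkToken =
  | { kind: "link"; href: string }
  | { kind: "text"; text: string };

export function renderLinkToken(raw: string): LinkToken {
  const href = sanitizeUrl(raw);
  return href === null ? { kind: "text", text: raw } : { kind: "link", href };
}

// ChatSources-style filter: drop any source whose URL fails validation.
export function filterSafeSources<T extends { url: string }>(sources: T[]): T[] {
  return sources.filter((s) => isUrlSafe(s.url));
}

// Constructed sample sources (hypothetical data, not from the project).
export const SAMPLE_SOURCES = [
  { title: "Docs", url: "https://docs.example.org/guide" },
  { title: "Bad 1", url: "javascript:alert(1)" },
  { title: "Bad 2", url: "\tDATA:text/html,hi" },
  { title: "Bad 3", url: "vbscript:example" },
];
```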
@PAMulligan PAMulligan linked an issue Mar 30, 2026 that may be closed by this pull request
@PAMulligan PAMulligan self-assigned this Mar 30, 2026
@PAMulligan PAMulligan added the labels enhancement (New feature or request), backend (Cloudflare Workers API and AI integration) and security (Security hardening and auditing) Mar 30, 2026
@PAMulligan PAMulligan moved this from Todo to Done in PMDS Open Source Roadmap Mar 30, 2026
@PAMulligan PAMulligan added this to the v1.1.0 milestone Mar 30, 2026
@PAMulligan PAMulligan merged commit 538fad5 into main Mar 30, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues.

XSS sanitization and input validation