From bd0618f00e1c21cb606a9f1ee0533b43961200c3 Mon Sep 17 00:00:00 2001
From: anshul23102
Date: Thu, 4 Jun 2026 02:59:23 +0530
Subject: [PATCH] Add input sanitization to prevent injection and XSS attacks (Issue #700)

Sanitize username and email inputs in auth validator to remove potentially dangerous characters and injection patterns. This prevents malicious payloads from being stored in the database and protects against XSS and injection attacks.
Changes:
- Add sanitizeString function that removes HTML tags and script patterns
- Apply sanitization transform to username and email fields in schemas
- Remove dangerous characters like <>, quotes, semicolons
- Strip javascript: protocol and event handler patterns
Fixes #700
---
 backend/validators/authValidator.js | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/backend/validators/authValidator.js b/backend/validators/authValidator.js
index ab4dac07..fe4b5543 100644
--- a/backend/validators/authValidator.js
+++ b/backend/validators/authValidator.js
@@ -1,19 +1,27 @@
 const { z } = require("zod");
+const sanitizeString = (str) => {
+ return str
+ .trim()
+ .replace(/[<>\"'`;]/g, '')
+ .replace(/javascript:/gi, '')
+ .replace(/on\w+\s*=/gi, '');
+};
+
 const signupSchema = z.object({
 username: z.string()
 .trim()
+ .transform(sanitizeString)
 .min(3, "Username must be at least 3 characters long")
 .max(30, "Username must be at most 30 characters long")
- .regex(/^[a-zA-Z0-9_]+$/, "Username can only contain letters, numbers, and underscores")
- ,
-
+ .regex(/^[a-zA-Z0-9_]+$/, "Username can only contain letters, numbers, and underscores"),
+
 email: z.string()
 .trim()
 .toLowerCase()
+ .transform(sanitizeString)
 .email("Invalid email address"),
-
 password: z.string()
 .min(8, "Password must be at least 8 characters long")
 .max(100, "Password must be at most 100 characters long")
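Review bot: `.transform(sanitizeString)` is chained before `.min(...)`/`.max(...)`/`.regex(...)` on `username` and before `.email(...)` on `email`; in Zod 3 `.transform()` returns a `ZodEffects`, which does not expose the `ZodString` methods, so this module most likely throws a `.min is not a function` TypeError at load time (the `loginSchema` hunk has the same ordering problem). Moving the transform to the end of each chain, e.g. `.regex(/^[a-zA-Z0-9_]+$/, "Username can only contain letters, numbers, and underscores")` followed by `.transform(sanitizeString),`, repairs the chain and makes validation run on the raw input, so a username containing `<`, `;` or quotes is rejected rather than silently rewritten — with the allowlist regex in place the strip then never removes anything there. For `email`, removing `'`, `"` and `;` before `.email()` changes which address is stored and later looked up (a quoted local part becomes a different, unquoted address), so rejecting such input with a `.refine` is safer than mutating an identifier. Character stripping is defense in depth at most: the injection and XSS goals named in the commit message are met by parameterized queries and output encoding at render time, and the message should present the transform as a supplement to those, not as the fix.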
@@ -28,6 +36,7 @@ const loginSchema = z.object({
 email: z.string()
 .trim()
 .toLowerCase()
+ .transform(sanitizeString)
 .email("Invalid email address"),
 password: z.string()
 .min(8, "Password must be at least 8 characters long")
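Review bot: Applying `sanitizeString` to the login email means the lookup key can differ from what the user submitted: any account whose stored address predates this change and contains `'`, `"` or `;` will no longer match, and if the validated value is what gets logged, the original attempt is no longer visible in authentication logs. If the transform is kept, it needs a one-off normalization of existing rows to stay consistent; rejecting such input with a refinement instead of rewriting it avoids both problems. `sanitizeString` also calls `.trim()`, which duplicates the schema's `.trim()` two lines earlier and can be dropped from one place. `loginSchema` begins outside this hunk.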