Conversation
✅ Deploy Preview for webdevpathstage ready!
To edit notification comments on pull requests, go to your Netlify project configuration.
@Satoshi-Sh Good call out. I went ahead and updated.
mtkksk1780 left a comment
@shayla-develops-webs
Thanks for the thorough investigation and improvements! It must have taken quite a bit of time.
I have left one small suggestion, which I hope will be helpful for further updates.
}

// Validate email format
const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
How about setting emailRegex in utils/config.js and importing it from there, since it’s used across multiple files below?
components/NewsletterSubscribe/NewsletterForm/index.js
pages/api/validateReCaptcha.js
Or something like zod? It works well with react hook forms.
@cherylli @mtkksk1780 I haven't worked with Zod before, but this is a great excuse to dive in! I'll look into it and see how it fits with the existing setup.
Have a look and see what you think. A proper email regex is very complicated, that's why I suggest using existing validation packages like zod. Joi is another popular one.
react hook forms + zod is super popular, you should be able to find a lot of examples.
Have you updated the CHANGELOG.md file? If not, please do it.
Yes
What is this change?
Fixed security vulnerabilities related to user input handling across three files:
Were there any complications while making this change?
During local setup, the dev server would not start due to a TypeError: withPWA is not a function error in next.config.js. This was caused by a breaking change in the next-pwa package API. I fixed the import syntax to match the installed version before proceeding with the changes. No new dependencies were required for the actual security fixes.
How to replicate the issue?
On the current live site, go to the newsletter form and submit <script>alert('xss')</script> in the email field. It will pass through without any format validation.
On the contact form, submit "><img src=x onerror=alert(1)> in the name or message field. The input gets inserted directly into the outgoing email HTML template with no escaping, allowing injected HTML to render in the email client.
If necessary, please describe how to test the new feature or fix.
On the newsletter form, submit <script>alert('xss')</script> in the email field. It should be rejected with an invalid email format error.
On the newsletter form, submit an empty field, notanemail, and a@b and all should be rejected with validation errors.
On the contact form, submit <script>alert('xss')</script> in the name or message field. No alert dialog should fire.
On the contact form, submit "><img src=x onerror=alert(1)> in the name or message field. No HTML should render or execute.
Submit valid inputs on both forms and they should pass validation and reach the API successfully.
When should this be merged?
after 3 approvals
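An added example (not code from this PR or the project) of the two fixes the description covers: the email-format check using the regex quoted in the review above, and HTML escaping of contact-form fields before they are placed in the outgoing email template. The function names, the template markup and the sample inputs are assumptions constructed from the test steps.

```javascript
// Same pattern as the one quoted in the review comment above.
const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Format check only: rejects empty input, "notanemail", "a@b" and
// markup such as <script>alert('xss')</script> (no "@" at all).
function isValidEmail(value) {
  return typeof value === "string" && emailRegex.test(value.trim());
}

// Escape the five characters that can change meaning inside an HTML
// template, so user text is rendered as text rather than as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed email template: every user-controlled field goes through escapeHtml,
// which is the fix for the unescaped contact-form email described in the PR.
function renderContactEmail({ name, email, message }) {
  return (
    `<p><strong>From:</strong> ${escapeHtml(name)} &lt;${escapeHtml(email)}&gt;</p>` +
    `<p>${escapeHtml(message)}</p>`
  );
}

// Server-side validation before the API acts on the request; returns a map of
// field name -> error message (empty object means the input passed).
function validateContactForm({ name, email, message }) {
  const errors = {};
  if (!name || !name.trim()) errors.name = "Name is required";
  if (!isValidEmail(email)) errors.email = "Invalid email format";
  if (!message || !message.trim()) errors.message = "Message is required";
  return errors;
}

// Constructed sample input mirroring the PR's test steps.
const sampleSubmission = {
  name: '"><img src=x onerror=alert(1)>',
  email: "user@example.com",
  message: "<script>alert('xss')</script>",
};

console.log(validateContactForm(sampleSubmission)); // {} : passes format checks
console.log(renderContactEmail(sampleSubmission));  // payloads appear as escaped text
```

Validation and escaping are separate controls: the regex keeps malformed addresses out, while escaping is what stops markup in a syntactically valid name or message from rendering in the email client.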