feat(backend): implement sanitization utilities for XSS prevention

chore(backend): update dependencies for security and performance
refactor(backend): replace DOMPurify with sanitize-html for sanitization
test(backend): add unit tests for sanitization utilities
fix(backend): update OAuth state cookie format in tests

Author: Lasim

package-lock.json

@@ -26,7 +26,7 @@
   },
   "devDependencies": {
     "markdownlint-cli2": "^0.20.0",
-    "webpack": "^5.102.1"
+    "webpack": "^5.104.1"
   },
   "overrides": {
     "glob": "^10.4.5",

package.json

@@ -38,7 +38,6 @@
     "drizzle-orm": "^0.45.1",
     "fastify": "^5.6.2",
     "fastify-favicon": "^5.0.0",
-    "isomorphic-dompurify": "^2.35.0",
     "lucia": "^3.2.2",
     "nanoid": "^5.1.6",
     "node-cron": "^4.2.1",
@@ -60,6 +59,7 @@
     "@types/nodemailer": "^7.0.3",
     "@types/pg": "^8.16.0",
     "@types/pug": "^2.0.10",
+    "@types/sanitize-html": "^2.16.0",
     "@types/supertest": "^6.0.3",
     "@typescript-eslint/eslint-plugin": "^8.49.0",
     "@typescript-eslint/parser": "^8.52.0",
@@ -73,6 +73,7 @@
     "node-loader": "^2.1.0",
     "nodemon": "^3.1.11",
     "release-it": "^19.2.3",
+    "sanitize-html": "^2.17.0",
     "supertest": "^7.1.4",
     "ts-jest": "^29.4.6",
     "ts-loader": "^9.5.4",

services/backend/package.json

@@ -6,6 +6,7 @@ import { encrypt, decrypt } from '../../../utils/encryption';
 import { GlobalSettingsInitService } from '../../../global-settings';
 import { GlobalSettings } from '../../../global-settings';
 import { nanoid } from 'nanoid';
+import { sanitizeText } from '../../../utils/sanitization';
 import {
 	OAUTH_CALLBACK_QUERY_SCHEMA,
 	FLOW_ID_PARAM_SCHEMA,
@@ -70,15 +71,15 @@ export default async function oauthCallbackRoute(server: FastifyInstance) {
 						</head>
 						<body>
 							<h1>Authorization Failed</h1>
-							<p><strong>Error:</strong> ${escapeHtml(query.error)}</p>
-							${query.error_description ? `<p>${escapeHtml(query.error_description)}</p>` : ''}
+							<p><strong>Error:</strong> ${sanitizeText(query.error)}</p>
+							${query.error_description ? `<p>${sanitizeText(query.error_description)}</p>` : ''}
 							<p>Closing window...</p>
 							<script>
 								// Post error message to parent window
 								if (window.opener) {
 									window.opener.postMessage({
 										type: 'oauth_error',
-										error: '${escapeHtml(errorMsg)}'
+										error: '${sanitizeText(errorMsg)}'
 									}, '${frontendUrl}');
 								}
 
@@ -589,7 +590,7 @@ export default async function oauthCallbackRoute(server: FastifyInstance) {
 								if (window.opener) {
 									window.opener.postMessage({
 										type: 'oauth_error',
-										error: '${escapeHtml(errorMessage)}'
+										error: '${sanitizeText(errorMessage)}'
 									}, '${frontendUrl}');
 								}
 
@@ -604,18 +605,4 @@ export default async function oauthCallbackRoute(server: FastifyInstance) {
 			}
 		}
 	);
-}
-
-/**
- * Escape HTML to prevent XSS
- */
-function escapeHtml(text: string): string {
-	const map: Record<string, string> = {
-		'&': '&amp;',
-		'<': '&lt;',
-		'>': '&gt;',
-		'"': '&quot;',
-		"'": '&#039;',
-	};
-	return text.replace(/[&<>"']/g, (m) => map[m]);
-}
+}

services/backend/src/routes/mcp/installations/callback.ts

@@ -1,7 +1,7 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import { GlobalSettings } from '../global-settings';
 import type { FastifyBaseLogger } from 'fastify';
-import DOMPurify from 'isomorphic-dompurify';
+import { sanitizeMarkdown } from '../utils/sanitization';
 
 export interface GitHubReadmeResult {
   content: string;
@@ -11,52 +11,6 @@ export interface GitHubReadmeResult {
 // Maximum README size: 2MB (prevents DoS attacks)
 const MAX_README_SIZE_BYTES = 2 * 1024 * 1024;
 
-// DOMPurify configuration optimized for GitHub Markdown
-const SANITIZE_CONFIG = {
-  // Allow common markdown/HTML tags
-  ALLOWED_TAGS: [
-    // Text formatting
-    'p', 'br', 'strong', 'em', 'u', 's', 'del', 'ins',
-    // Headings
-    'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
-    // Lists
-    'ul', 'ol', 'li', 'dl', 'dt', 'dd',
-    // Links and code
-    'a', 'code', 'pre', 'blockquote',
-    // Images
-    'img', 'picture', 'source',
-    // Tables
-    'table', 'thead', 'tbody', 'tfoot', 'tr', 'td', 'th',
-    // Containers
-    'div', 'span', 'section', 'article',
-    // GitHub-specific
-    'details', 'summary',
-    // Other
-    'hr', 'sup', 'sub'
-  ],
-  
-  // Allow safe attributes
-  ALLOWED_ATTR: [
-    'href', 'src', 'alt', 'title', 'class', 'id',
-    'width', 'height', 'align', 
-    'colspan', 'rowspan',
-    'type', 'start', 'reversed',
-    'open' // for <details> tag
-  ],
-  
-  // Only allow safe URL protocols (prevents javascript: attacks)
-  ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,
-  
-  // Keep content of removed tags (don't lose text)
-  KEEP_CONTENT: true,
-  
-  // Security settings
-  ALLOW_DATA_ATTR: false, // No data-* attributes
-  ALLOW_UNKNOWN_PROTOCOLS: false, // Block unknown protocols
-  SANITIZE_DOM: true, // Enable DOM Clobbering protection
-  FORCE_BODY: false, // Don't force body wrapper
-};
-
 export class GitHubReadmeService {
 
   /**
@@ -351,43 +305,39 @@ export class GitHubReadmeService {
         repo,
         original_size: decodedContent.length
       }, 'Starting README sanitization');
-      
-      const sanitizedContent = DOMPurify.sanitize(decodedContent, SANITIZE_CONFIG);
-      
-      // Calculate how much content was removed
-      const removalBytes = decodedContent.length - sanitizedContent.length;
-      const removalPercentage = ((removalBytes / decodedContent.length) * 100);
-      
+
+      const sanitizationResult = sanitizeMarkdown(decodedContent);
+
       // Log warning if significant content was removed (possible malicious content)
-      if (removalPercentage > 10) {
+      if (sanitizationResult.removalPercentage > 10) {
         logger.warn({
           operation: 'github_readme_get_content',
           step: 'high_sanitization_removal',
           owner,
           repo,
-          removal_percentage: removalPercentage.toFixed(2),
-          removal_bytes: removalBytes,
+          removal_percentage: sanitizationResult.removalPercentage.toFixed(2),
+          removal_bytes: sanitizationResult.removalBytes,
           repository_url: repositoryUrl
-        }, `High sanitization removal rate detected: ${removalPercentage.toFixed(2)}% of content removed`);
+        }, `High sanitization removal rate detected: ${sanitizationResult.removalPercentage.toFixed(2)}% of content removed`);
       }
-      
+
       const duration = Date.now() - startTime;
-      
+
       logger.debug({
         operation: 'github_readme_get_content',
         step: 'complete',
         owner,
         repo,
-        original_size: decodedContent.length,
-        sanitized_size: sanitizedContent.length,
-        removal_bytes: removalBytes,
-        removal_percentage: removalPercentage.toFixed(2),
+        original_size: sanitizationResult.originalLength,
+        sanitized_size: sanitizationResult.sanitizedLength,
+        removal_bytes: sanitizationResult.removalBytes,
+        removal_percentage: sanitizationResult.removalPercentage.toFixed(2),
         duration_ms: duration,
         readme_name: data.name
       }, `Successfully fetched and sanitized README for ${owner}/${repo}`);
-      
+
       return {
-        content: sanitizedContent,
+        content: sanitizationResult.content,
         encoding: 'utf8'
       };
 

services/backend/src/services/githubReadmeService.ts

@@ -1,59 +1,23 @@
-import DOMPurify from 'isomorphic-dompurify';
-
-/**
- * DOMPurify configuration for email text sanitization
- * - Only allows <br> tags (for newline preservation)
- * - Strips all other HTML and attributes
- * - Enables DOM sanitization for additional security
- */
-const EMAIL_TEXT_SANITIZE_CONFIG = {
-  ALLOWED_TAGS: ['br'],
-  ALLOWED_ATTR: [],
-  KEEP_CONTENT: true,
-  ALLOW_DATA_ATTR: false,
-  ALLOW_UNKNOWN_PROTOCOLS: false,
-  SANITIZE_DOM: true,
-  FORCE_BODY: false
-};
-
-/**
- * Escape HTML entities to prevent XSS attacks
- *
- * This function converts potentially dangerous HTML characters into their
- * HTML entity equivalents, making them display as literal text rather than
- * being interpreted as HTML.
- *
- * @param text - Raw text that may contain HTML characters
- * @returns Text with HTML entities escaped
- *
- * @example
- * escapeHtml('<script>alert("xss")</script>')
- * // Returns: '&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;'
- */
-function escapeHtml(text: string): string {
-  return text
-    .replace(/&/g, '&amp;')   // Must be first to avoid double-escaping
-    .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;')
-    .replace(/"/g, '&quot;')
-    .replace(/'/g, '&#39;');
-}
+import { sanitizeForEmail } from './sanitization';
 
 /**
  * Sanitize user-provided text for safe email rendering
  *
+ * This is a wrapper around the centralized sanitizeForEmail() function.
+ * Kept for backwards compatibility with existing imports.
+ *
  * This function implements a defense-in-depth approach to prevent XSS attacks
  * while preserving newlines for better email formatting:
  *
  * 1. Normalizes line endings (Windows \r\n → Unix \n)
  * 2. Trims leading/trailing whitespace
  * 3. Escapes HTML entities (prevents XSS)
  * 4. Converts newlines to <br> tags (preserves formatting)
- * 5. Sanitizes with DOMPurify (additional security layer)
+ * 5. Sanitizes with sanitize-html (additional security layer)
  *
  * **Security Features**:
  * - Primary defense: HTML entity escaping prevents all XSS vectors
- * - Secondary defense: DOMPurify catches any escaping bugs
+ * - Secondary defense: sanitize-html catches any escaping bugs
  * - Preserves user intent: Users can type HTML-like text (e.g., "The <button> component")
  *   and it displays literally, not stripped
  *
@@ -65,6 +29,8 @@ function escapeHtml(text: string): string {
  * @param text - Raw user input from textarea (may contain newlines, HTML, etc.)
  * @returns Sanitized HTML string with <br> tags, safe for email rendering
  *
+ * @see sanitization.ts for implementation details
+ *
  * @example
  * sanitizeUserTextForEmail('Hello\nWorld')
  * // Returns: 'Hello<br>World'
@@ -78,28 +44,5 @@ function escapeHtml(text: string): string {
  * // Returns: 'The &lt;div&gt; tag<br>is broken'
  */
 export function sanitizeUserTextForEmail(text: string): string {
-  if (!text) return '';
-
-  // 1. Normalize line endings (Windows \r\n → Unix \n)
-  let sanitized = text.replace(/\r\n/g, '\n');
-
-  // 2. Trim leading/trailing whitespace
-  sanitized = sanitized.trim();
-
-  // Return empty string if only whitespace
-  if (!sanitized) return '';
-
-  // 3. Escape HTML entities (CRITICAL: do this BEFORE adding <br> tags)
-  //    This ensures user-typed HTML displays as literal text
-  sanitized = escapeHtml(sanitized);
-
-  // 4. Convert newlines to <br> tags for email rendering
-  //    After escaping, we can safely add our trusted <br> tags
-  sanitized = sanitized.replace(/\n/g, '<br>');
-
-  // 5. Sanitize with DOMPurify as defense-in-depth
-  //    This catches any potential bugs in our escaping logic
-  sanitized = DOMPurify.sanitize(sanitized, EMAIL_TEXT_SANITIZE_CONFIG);
-
-  return sanitized;
+  return sanitizeForEmail(text);
 }