Description
The website handles user inputs (e.g., in search for network data like ASNs/IPs) and renders API responses, but there's no explicit input sanitization or escaping mentioned in docs/code. This could expose risks like XSS if malicious input is injected/rendered. As a monitoring tool for critical infrastructure, prioritizing secure coding aligns with OWASP standards.
Proposed Changes
- Scan src/ components (e.g., search bars, forms) for user inputs and API data rendering.
- Implement sanitization: Use DOMPurify (add as dep if needed) or Vue's v-html with filters to escape HTML/JS.
- Add validation: Trim/escape inputs before API calls (e.g., in methods/fetch hooks).
- Update any reactive bindings to use safe rendering (e.g., {{ escapedValue }} via computed props).
- Test manually for XSS (e.g., inject <script>alert(1)</script>) and add basic unit tests if framework allows (e.g., Vitest).
- Ensure compatibility with Vite build (vite.config.js).
References
- OWASP XSS Prevention: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
- Vue security best practices: https://vuejs.org/guide/best-practices/security.html
- Recent release (v1.8.1) could integrate this for production safety.
This is a focused JS/Vue coding task drawing on my OWASP experience; happy to implement via PR if assigned!
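The escaping and validation steps proposed in this issue, as an added illustration that is not part of the issue or of the project's code. It uses plain JavaScript so it runs in Node without Vue or DOMPurify: Vue's `{{ }}` interpolation performs the same HTML escaping as `escapeHtml` below, while `v-html` inserts the string raw. The ASN/IPv4 validators and the `buildSearchPath` helper are assumptions about how a search input would be checked before an API call, not the project's actual routes or components.

```javascript
// Added example (not the project's code). Demonstrates the two mitigations the
// issue proposes: escape untrusted text at render time, and validate the shape
// of ASN / IP search terms before they are used in an API call.

// 1. HTML-escape untrusted text. This is what Vue's {{ }} interpolation does
//    implicitly; v-html skips it and renders markup as-is.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. Validate network identifiers by shape so that only well-formed values
//    ever reach fetch(). Returns a canonical value or null on rejection.
function normalizeAsn(input) {
  // Accepts "AS15169" (case-insensitive prefix) or a bare number.
  const m = /^(?:AS)?(\d{1,10})$/i.exec(String(input).trim());
  if (!m) return null;
  const n = Number(m[1]);
  return n >= 0 && n <= 4294967295 ? n : null; // 32-bit ASN range
}

function normalizeIpv4(input) {
  const parts = String(input).trim().split('.');
  if (parts.length !== 4) return null;
  const ok = parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.map(Number).join('.') : null;
}

// Hypothetical API path builder: validation happens first, and the value is
// URI-encoded so it cannot alter the path or query even if validation changes.
function buildSearchPath(kind, input) {
  const value = kind === 'asn' ? normalizeAsn(input) : normalizeIpv4(input);
  if (value === null) return null;
  return `/api/${kind}/${encodeURIComponent(String(value))}`;
}

// 3. The rendering difference. Both functions mimic a template that echoes the
//    query back in the results heading, as the issue describes.
function renderWithInterpolation(query) {
  return `<p>Results for ${escapeHtml(query)}</p>`; // like {{ query }}
}
function renderWithVHtml(query) {
  return `<p>Results for ${query}</p>`; // like v-html: markup survives
}

// Constructed sample input: the manual test payload named in the issue.
const SAMPLE_PAYLOAD = '<script>alert(1)</script>';

function demo() {
  return {
    escaped: renderWithInterpolation(SAMPLE_PAYLOAD),
    raw: renderWithVHtml(SAMPLE_PAYLOAD),
    asnPath: buildSearchPath('asn', ' as15169 '),
    ipPath: buildSearchPath('ip', '192.0.2.1'),
    rejected: buildSearchPath('asn', SAMPLE_PAYLOAD),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running the block prints the escaped heading (`&lt;script&gt;...`), the raw one with the tag intact, the two well-formed API paths, and `null` for the payload submitted as an ASN. In the Vue components the equivalent is to keep `{{ }}` bindings for anything user-controlled and to run the validators in the method that issues the fetch.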