fix(editor): Validate user info before submiting (#7608)

Validate first and last names before saving them to database. This should prevent security issue with un-sanitized data that ends up in emails. --------- Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in>
2025-12-17 18:12:04 +00:00 · 2023-11-22 12:14:44 +01:00
parent 9b4856e7de
commit 2064f7f251
4 changed files with 97 additions and 1 deletions
--- a/packages/cli/test/unit/databases/utils/customValidators.test.ts
+++ b/packages/cli/test/unit/databases/utils/customValidators.test.ts
@@ -0,0 +1,43 @@
+import { NoXss } from '@db/utils/customValidators';
+import { validate } from 'class-validator';
+
+describe('customValidators', () => {
+	describe('NoXss', () => {
+		class Person {
+			@NoXss()
+			name: string;
+		}
+		const person = new Person();
+
+		const invalidNames = ['http://google.com', '<script src/>', 'www.domain.tld'];
+
+		const validNames = [
+			'Johann Strauß',
+			'Вагиф Сәмәдоғлу',
+			'René Magritte',
+			'সুকুমার রায়',
+			'མགོན་པོ་རྡོ་རྗེ།',
+			'عبدالحليم حافظ',
+		];
+
+		describe('Block XSS', () => {
+			for (const name of invalidNames) {
+				test(name, async () => {
+					person.name = name;
+					const validationErrors = await validate(person);
+					expect(validationErrors[0].property).toEqual('name');
+					expect(validationErrors[0].constraints).toEqual({ NoXss: 'Malicious name' });
+				});
+			}
+		});
+
+		describe('Allow Valid names', () => {
+			for (const name of validNames) {
+				test(name, async () => {
+					person.name = name;
+					expect(await validate(person)).toBeEmptyArray();
+				});
+			}
+		});
+	});
+});