Merge pull request #4371 from OneCommunityGlobal/DurgaVenkataPraveen-ImplementingXSSProtection

Durga venkata praveen implementing xss protection

Author: one-community

src/components/TeamMemberTasks/ReviewButton.jsx

@@ -14,6 +14,7 @@ import {
 } from 'reactstrap';
 import { useDispatch, useSelector } from 'react-redux';
 import { toast } from 'react-toastify';
+import dompurify from 'dompurify';
 import styles from './style.module.css';
 import style from './reviewButton.module.css';
 import { boxStyle, boxStyleDark } from '~/styles';
@@ -49,6 +50,33 @@ function ReviewButton({ user, task, updateTask }) {
     errorMessage: '',
   });
 
+  // XSS Protection sanitizer
+  const sanitizer = dompurify.sanitize;
+
+  // Utility function to sanitize URLs
+  const sanitizeUrl = url => {
+    if (!url) return '';
+    return sanitizer(url.trim(), { ALLOWED_TAGS: [], ALLOWED_ATTR: [] });
+  };
+
+  // Utility function to sanitize text content
+  const sanitizeText = text => {
+    if (!text) return '';
+    return sanitizer(text, { ALLOWED_TAGS: [], ALLOWED_ATTR: [] });
+  };
+
+  // Safe link handler to prevent XSS in href attributes
+  const handleSafeLink = url => {
+    // Sanitize the URL and validate it's safe to use as href
+    const sanitizedUrl = sanitizeUrl(url);
+    const validationResult = validateAllowedDomainTypes(sanitizedUrl);
+
+    if (validationResult.isValid && validURL(sanitizedUrl)) {
+      return sanitizedUrl;
+    }
+    return '#'; // Fallback to safe href
+  };
+
   const toggleModal = () => {
     setModal(!modal);
     if (!modal) {
@@ -78,7 +106,8 @@ function ReviewButton({ user, task, updateTask }) {
     if (!editLinkState.isOpen) {
       // When opening the modal, find the link associated with this user
       const userLink = task.relatedWorkLinks?.[task.relatedWorkLinks.length - 1] || '';
-      setEditLinkState(prev => ({ ...prev, link: userLink, error: null }));
+      const sanitizedUserLink = sanitizeUrl(userLink);
+      setEditLinkState(prev => ({ ...prev, link: sanitizedUserLink, error: null }));
     }
   };
 
@@ -129,17 +158,48 @@ function ReviewButton({ user, task, updateTask }) {
 
   const validURL = url => {
     try {
-      if (url === '') return false;
-
-      const pattern = /^(?=.{20,})(?:https?:\/\/)?[\w.-]+\.[a-zA-Z]{2,}(?:\/\S*)?$/;
-      return pattern.test(url);
+      if (!url || url.trim() === '') return false;
+
+      // Check minimum length requirement
+      if (url.length < 20) return false;
+
+      // Secure URL validation pattern that prevents catastrophic backtracking
+      // Split validation into parts to avoid nested quantifiers
+      const protocolPattern = /^https?:\/\//;
+      const domainPattern = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}$/;
+      const pathPattern = /^[\/\w\-._~:?#[\]@!$&'()*+,;=%]*$/;
+
+      // If URL doesn't start with http/https, add https:// for validation
+      const urlToTest = url.startsWith('http') ? url : `https://${url}`;
+
+      // Test protocol
+      if (!protocolPattern.test(urlToTest)) return false;
+
+      // Extract domain and path parts
+      const urlWithoutProtocol = urlToTest.replace(protocolPattern, '');
+      const slashIndex = urlWithoutProtocol.indexOf('/');
+      const domain =
+        slashIndex === -1 ? urlWithoutProtocol : urlWithoutProtocol.substring(0, slashIndex);
+      const path = slashIndex === -1 ? '' : urlWithoutProtocol.substring(slashIndex);
+
+      // Validate domain and path separately
+      if (!domainPattern.test(domain)) return false;
+      if (path && !pathPattern.test(path)) return false;
+
+      // Additional validation using URL constructor
+      try {
+        new URL(urlToTest);
+        return true;
+      } catch (e) {
+        return false;
+      }
     } catch (err) {
       return false;
     }
   };
 
   const handleLink = e => {
-    const url = e.target.value.trim();
+    const url = sanitizeUrl(e.target.value);
     setLink(url);
     if (!url) {
       setEditLinkState(prev => ({ ...prev, error: 'A valid URL is required for review' }));
@@ -236,8 +296,12 @@ function ReviewButton({ user, task, updateTask }) {
     }
 
     if (newStatus === 'Submitted' && link) {
-      if (validURL(link)) {
-        updatedTask = { ...updatedTask, relatedWorkLinks: [...taskRelatedWorkLinks, link] };
+      const sanitizedLink = sanitizeUrl(link);
+      if (validURL(sanitizedLink)) {
+        updatedTask = {
+          ...updatedTask,
+          relatedWorkLinks: [...taskRelatedWorkLinks, sanitizedLink],
+        };
         setLink('');
       } else {
         setIsSubmitting(false);
@@ -252,15 +316,17 @@ function ReviewButton({ user, task, updateTask }) {
   const submitReviewRequest = event => {
     event.preventDefault();
 
-    if (!validURL(link)) {
+    const sanitizedLink = sanitizeUrl(link);
+    if (!validURL(sanitizedLink)) {
       setEditLinkState(prev => ({
         ...prev,
-        error: 'Please enter a valid URL of at least 20 characters',
+        error:
+          'Please enter a valid URL (must start with http:// or https:// and be at least 20 characters)',
       }));
       return;
     }
 
-    const validationResult = validateAllowedDomainTypes(link);
+    const validationResult = validateAllowedDomainTypes(sanitizedLink);
     if (!validationResult.isValid) {
       toggleInvalidDomainModal(validationResult.errorType);
       return;
@@ -271,10 +337,10 @@ function ReviewButton({ user, task, updateTask }) {
 
   const sendReviewReq = () => {
     const data = {};
-    data.myUserId = myUserId;
-    data.name = user.name;
-    data.taskName = task.taskName;
-    httpService.post(`${ApiEndpoint}/tasks/reviewreq/${myUserId}`, data);
+    data.myUserId = sanitizeText(myUserId);
+    data.name = sanitizeText(user.name);
+    data.taskName = sanitizeText(task.taskName);
+    httpService.post(`${ApiEndpoint}/tasks/reviewreq/${sanitizeText(myUserId)}`, data);
   };
 
   const handleFinalSubmit = () => {
@@ -286,23 +352,26 @@ function ReviewButton({ user, task, updateTask }) {
 
   const sendEditLinkNotification = () => {
     const data = {};
-    data.myUserId = myUserId;
-    data.name = user.name;
-    data.taskName = task.taskName;
+    data.myUserId = sanitizeText(myUserId);
+    data.name = sanitizeText(user.name);
+    data.taskName = sanitizeText(task.taskName);
     data.isLinkUpdate = true;
-    httpService.post(`${ApiEndpoint}/tasks/reviewreq/${myUserId}`, data);
+    httpService.post(`${ApiEndpoint}/tasks/reviewreq/${sanitizeText(myUserId)}`, data);
   };
 
   const handleEditLink = () => {
-    if (!validURL(editLinkState.link)) {
+    const sanitizedLink = sanitizeUrl(editLinkState.link);
+
+    if (!validURL(sanitizedLink)) {
       setEditLinkState(prev => ({
         ...prev,
-        error: 'Please enter a valid URL of at least 20 characters',
+        error:
+          'Please enter a valid URL (must start with http:// or https:// and be at least 20 characters)',
       }));
       return;
     }
 
-    const validationResult = validateAllowedDomainTypes(editLinkState.link);
+    const validationResult = validateAllowedDomainTypes(sanitizedLink);
     if (!validationResult.isValid) {
       toggleInvalidDomainModal(validationResult.errorType);
       return;
@@ -316,10 +385,10 @@ function ReviewButton({ user, task, updateTask }) {
 
     // If there are related work links, replace the last one (assuming it's the one for this user)
     if (Array.isArray(updatedTask.relatedWorkLinks) && updatedTask.relatedWorkLinks.length > 0) {
-      updatedTask.relatedWorkLinks[updatedTask.relatedWorkLinks.length - 1] = editLinkState.link;
+      updatedTask.relatedWorkLinks[updatedTask.relatedWorkLinks.length - 1] = sanitizedLink;
     } else {
       // If no related work links exist yet, add this one
-      updatedTask.relatedWorkLinks = [editLinkState.link];
+      updatedTask.relatedWorkLinks = [sanitizedLink];
     }
 
     // Call the update function from props
@@ -372,10 +441,11 @@ function ReviewButton({ user, task, updateTask }) {
   };
 
   const handleEditLinkChange = e => {
-    // Safely extract the value first
-    const newValue = e && e.target && e.target.value !== undefined ? e.target.value : '';
-    // Then use the extracted value in the state update
-    setEditLinkState(prev => ({ ...prev, link: newValue }));
+    // Safely extract and sanitize the value first
+    const rawValue = e && e.target && e.target.value !== undefined ? e.target.value : '';
+    const sanitizedValue = sanitizeUrl(rawValue);
+    // Then use the sanitized value in the state update
+    setEditLinkState(prev => ({ ...prev, link: sanitizedValue }));
   };
 
   const buttonFormat = () => {
@@ -427,8 +497,8 @@ function ReviewButton({ user, task, updateTask }) {
                 // eslint-disable-next-line no-shadow
                 task.relatedWorkLinks.map(link => (
                   <DropdownItem
-                    key={link}
-                    href={link}
+                    key={sanitizeText(link)}
+                    href={handleSafeLink(link)}
                     target="_blank"
                     className={`${darkMode ? 'text-light' : ''} ${style['dark-mode-btn']}`}
                   >
@@ -467,8 +537,8 @@ function ReviewButton({ user, task, updateTask }) {
               {task.relatedWorkLinks &&
                 task.relatedWorkLinks.map(dropLink => (
                   <DropdownItem
-                    key={dropLink}
-                    href={dropLink}
+                    key={sanitizeText(dropLink)}
+                    href={handleSafeLink(dropLink)}
                     target="_blank"
                     className={`${darkMode ? 'text-light' : ''} ${style['dark-mode-btn']}`}
                   >
@@ -477,7 +547,7 @@ function ReviewButton({ user, task, updateTask }) {
                 ))}
               <DropdownItem
                 onClick={toggleEditLinkModal}
-                className={darkMode ? 'text-light dark-mode-btn' : ''}
+                className={`${darkMode ? 'text-light' : ''} ${style['dark-mode-btn']}`}
               >
                 <FontAwesomeIcon icon={faPencilAlt} /> Edit Link
               </DropdownItem>
@@ -498,7 +568,7 @@ function ReviewButton({ user, task, updateTask }) {
                   setSelectedAction('More Work Needed');
                   toggleVerify();
                 }}
-                className={darkMode ? 'text-light dark-mode-btn' : ''}
+                className={`${darkMode ? 'text-light' : ''} ${style['dark-mode-btn']}`}
               >
                 More work needed, reset this button
               </DropdownItem>
@@ -564,9 +634,7 @@ function ReviewButton({ user, task, updateTask }) {
         <ModalBody className={darkMode ? 'bg-yinmn-blue' : ''}>
           You are about to submit the following link for review:
           <div className="mt-2" style={{ wordWrap: 'break-word', wordBreak: 'break-all' }}>
-            <a href={link} target="_blank" rel="noopener noreferrer">
-              {link}
-            </a>
+            <span>{sanitizeText(link)}</span>
           </div>
           Please confirm if this is the correct link.
         </ModalBody>
@@ -597,21 +665,24 @@ function ReviewButton({ user, task, updateTask }) {
         <ModalBody className={darkMode ? 'bg-yinmn-blue' : ''}>
           Please add link to related work:
           <Input type="text" required value={link} onChange={handleLink} />
-          {editLinkState.error && <div className="text-danger">{editLinkState.error}</div>}
+          {editLinkState.error && (
+            <div className="text-danger">{sanitizeText(editLinkState.error)}</div>
+          )}
         </ModalBody>
         <ModalFooter className={darkMode ? 'bg-yinmn-blue' : ''}>
           <Button
             onClick={e => {
               e.preventDefault();
-              if (!link || !validURL(link)) {
+              const sanitizedLink = sanitizeUrl(link);
+              if (!sanitizedLink || !validURL(sanitizedLink)) {
                 setEditLinkState(prev => ({
                   ...prev,
                   error: "Please enter a valid URL starting with 'https://'.",
                 }));
                 return;
               }
 
-              const validationResult = validateAllowedDomainTypes(link);
+              const validationResult = validateAllowedDomainTypes(sanitizedLink);
               if (!validationResult.isValid) {
                 toggleInvalidDomainModal(validationResult.errorType);
                 return;
@@ -647,7 +718,9 @@ function ReviewButton({ user, task, updateTask }) {
         <ModalBody className={darkMode ? 'bg-yinmn-blue' : ''}>
           <p>Update the link to your submitted work:</p>
           <Input type="text" required value={editLinkState.link} onChange={handleEditLinkChange} />
-          {editLinkState.error && <div className="text-danger">{editLinkState.error}</div>}
+          {editLinkState.error && (
+            <div className="text-danger">{sanitizeText(editLinkState.error)}</div>
+          )}
         </ModalBody>
         <ModalFooter className={darkMode ? 'bg-yinmn-blue' : ''}>
           <Button
@@ -688,7 +761,7 @@ function ReviewButton({ user, task, updateTask }) {
               ⚠️
             </span>
           </div>
-          <p>{invalidDomainModal.errorMessage}</p>
+          <p>{sanitizeText(invalidDomainModal.errorMessage)}</p>
           <div className="mt-3">
             <strong>Acceptable link types:</strong>
             <ul className="mt-2" style={{ paddingLeft: '25px' }}>

src/components/Timer/TimerPopout.jsx

@@ -4,15 +4,43 @@ import { createRoot } from 'react-dom/client';
 import { useRef, useEffect } from 'react';
 import cs from 'classnames';
 import { Provider } from 'react-redux';
+import DOMPurify from 'dompurify';
 import styles from './Timer.module.css';
 import './Countdown.module.css';
 import { store } from '../../store';
 
 function TimerPopout({ authUser, darkMode, TimerComponent }) {
   const popupRef = useRef(null);
+  const rootRef = useRef(null);
+
+  // Sanitize CSS content to prevent CSS injection attacks
+  const sanitizeCSS = cssText => {
+    if (!cssText || typeof cssText !== 'string') return '';
+
+    // Remove potentially dangerous CSS properties and values
+    const dangerousPatterns = [
+      /javascript:/gi,
+      /data:/gi,
+      /vbscript:/gi,
+      /expression\s*\(/gi,
+      /@import/gi,
+      /behavior\s*:/gi,
+      /-moz-binding/gi,
+    ];
+
+    let sanitized = cssText;
+    dangerousPatterns.forEach(pattern => {
+      sanitized = sanitized.replace(pattern, '');
+    });
+
+    return DOMPurify.sanitize(sanitized, { ALLOWED_TAGS: [] });
+  };
 
   useEffect(() => {
     return () => {
+      if (rootRef.current) {
+        rootRef.current.unmount();
+      }
       if (popupRef.current && !popupRef.current.closed) {
         popupRef.current.close();
       }
@@ -102,7 +130,7 @@ function TimerPopout({ authUser, darkMode, TimerComponent }) {
       Array.from(window.document.styleSheets).forEach(styleSheet => {
         try {
           const cssRules = Array.from(styleSheet.cssRules)
-            .map(rule => rule.cssText)
+            .map(rule => sanitizeCSS(rule.cssText))
             .join('');
           const style = popup.document.createElement('style');
           style.textContent = cssRules;